Re: FTD rules services vs. applications

Damir Reic · ‎11-24-2017

Hello,

I have experience from PaloAlto L7 filtering and I am trying to mimic the behavior on the FTD but looks like it maybe doesn't work like that. In essence I want to only allow specific apps and deny everything else. The issues that I have on TFD is there is limit of 50 apps per rule which leads me to conclusion since there are over 3000 apps this is not the way to do it. I can make rule by Categories and Groups but then I can't fine grain what exactly do I want to allow. Now since most of the web is on port 80 and 443 where does services come in play? I am confused how to best create rules based on the services, applications and web categories. I didn't find cisco documentation of much use here so maybe someone with 1st hand experience can share what's the best practice to achieve what I want? I for sure want to deny everything at the end since I don't want unknown stuff making connections from inside to outside if app is not recognized by TFD. I don't like the idea of deny what I don't want and allow everything else since some computer can get infected by something and then it might send some sensitive data outside.

vaibhav.parlekar1 · ‎11-28-2017

Hi,

If your rule base includes the required applications you can use the default action rule to block. In this way any application that is not recognized will not hit your allowed applications rule and will be blocked. You can change the default rule action to either block, allow, enable IPS inspection.

Vaibhav

Damir Reic · ‎11-29-2017

That wasn't really my question. When you have services and applications how
do you best combine those, what is the best practice? Obviously I couldn't
find the answer on that in official docs. I am going to production this
weekend so I guess we will find out. I have something setup currently but we
will see how much changes would it require to work as expected.

Thanks anway!

mikael.lahtela · ‎11-29-2017

Don't know if this helps you.
In FTD the access policy is built default block and first match rule.
So let's say you want to allow url category for news, ssh as application and tcp/3389 as a service.
The rule I would built is something like this:
1. allow, url-filter news <- most traffic in the first rule.
2. allow, service tcp/3389
3. allow, application ssh.
x.default block.
I don't see the need to create a big block for every 3000+ applications that is not allowed, add rules for what you wan't to allow and block everything else.
If you create a rule to allow ssh and tcp/22 in the same rule, the connection need to match both application SSH and port tcp/22.
Rule by Rule is OR
Filter by Filter in rule is AND

br, Micke

Damir Reic · ‎11-29-2017

Actually that helped !

So let's say I want to allow Ringcentral (there is no app or service for
that). So I created group of subnets.

So general order woul be something like that

1. Allow only URL categories I want
2. Allow application SSL,HTTP,HTTPS
3. Allow services
4. Allow any to destination Ips
5. Deny all rest

Would ordering be OK ?

mikael.lahtela · ‎11-29-2017

1. should actually be block any url categories you don't want.
Because the second rule will allow the http, https traffic without categories.
I would also add a trust rule at the top for any problematic traffic that might be blocked by rule 1.

br, Micke

Damir Reic · ‎11-29-2017

Yes I have trust rule already for management machine so I don't get myself locked out 😃 . For machines that will experience issues I would rather find the issue and allow it instead of trusting everything from the machine right?

mikael.lahtela · ‎11-29-2017

That is correct, but sometimes firepower blocks URL's as they are in wrong category.
So to speed it up you can allow the traffic until the DB is updated.

br, Micke

vaibhav.parlekar1 · ‎11-29-2017

one challenge with the "AND" approach of service ports and applications is having multiple applications in the rule tied to service ports used by each application.

I have not tested the below scenario but looking forward to it.

Try to bind the multiple applications in a single rule on their standard service ports.

Rule 1 - Allow application HTTP, HTTPS, SSH & ports TCP-22, TCP-80 & TCP-443.

Firewall does allow having this rule but not sure will it automatically and rightly map the service ports with the applications. e.g. will it now only allow HTTP application on TCP port 80 and no other ports or HTTP application on any of the service ports listed in Rule 1?

OR

Create rules as below for error free control of applications with service ports.

Rule 1 - Allow application HTTP & service port TCP-80

Rule 2 - Allow application HTTPS & service port TCP-443

Rule 3 - Allow application SSH & service port TCP-22

Any guidance on the same would be great.

Vaibhav

mikael.lahtela · ‎11-29-2017

The problem is that sometimes firepower has some issues to detect the application used and then your rule won't get a match.
So I try to use only application detection or service in one rule.
Most of my rules i create are src/dst zone, src/dst network and url or application or service.

br, Micke

Damir Reic · ‎11-30-2017

So to sum up, if rule include services and apps both of those have to mach to pass the user right (logical AND) ?

mikael.lahtela · ‎12-04-2017

That is correct.

br, Micke

Damir Reic · ‎12-04-2017

Performance update 😊
With SSL inspection enabled Internet craws at 10Mbit.
With SSL inspection disabled and rules set to enable file ispection, URL filtering (just few categories) I am getting around 150Mbit over speedtest.
With SSL inspection disabled and all traffic set to trust 800Mbits.

So yeah, 5506 hardware sux big time.

mikael.lahtela · ‎12-04-2017

That was a bit hard on the poor little 5506.
The 5506 is documented by Cisco to give around 125Mbps with AVC and IPS, you are getting 150Mbps.
https://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html

And it's stated somewhere by Cisco that you will have a 80% hit on traffic with SSL enabled.
So not that bad numbers anyways. ;)

br, Micke