I have experience from PaloAlto L7 filtering and I am trying to mimic the behavior on the FTD but looks like it maybe doesn't work like that. In essence I want to only allow specific apps and deny everything else. The issues that I have on TFD is there is limit of 50 apps per rule which leads me to conclusion since there are over 3000 apps this is not the way to do it. I can make rule by Categories and Groups but then I can't fine grain what exactly do I want to allow. Now since most of the web is on port 80 and 443 where does services come in play? I am confused how to best create rules based on the services, applications and web categories. I didn't find cisco documentation of much use here so maybe someone with 1st hand experience can share what's the best practice to achieve what I want? I for sure want to deny everything at the end since I don't want unknown stuff making connections from inside to outside if app is not recognized by TFD. I don't like the idea of deny what I don't want and allow everything else since some computer can get infected by something and then it might send some sensitive data outside.
If your rule base includes the required applications you can use the default action rule to block. In this way any application that is not recognized will not hit your allowed applications rule and will be blocked. You can change the default rule action to either block, allow, enable IPS inspection.
one challenge with the "AND" approach of service ports and applications is having multiple applications in the rule tied to service ports used by each application.
I have not tested the below scenario but looking forward to it.
Try to bind the multiple applications in a single rule on their standard service ports.
Rule 1 - Allow application HTTP, HTTPS, SSH & ports TCP-22, TCP-80 & TCP-443.
Firewall does allow having this rule but not sure will it automatically and rightly map the service ports with the applications. e.g. will it now only allow HTTP application on TCP port 80 and no other ports or HTTP application on any of the service ports listed in Rule 1?
Create rules as below for error free control of applications with service ports.
Rule 1 - Allow application HTTP & service port TCP-80
Rule 2 - Allow application HTTPS & service port TCP-443
Rule 3 - Allow application SSH & service port TCP-22
Any guidance on the same would be great.
That was a bit hard on the poor little 5506.
The 5506 is documented by Cisco to give around 125Mbps with AVC and IPS, you are getting 150Mbps.
And it's stated somewhere by Cisco that you will have a 80% hit on traffic with SSL enabled.
So not that bad numbers anyways. ;)