I thought the FastPath pre-filter policy bypassed DAQ entirely... ain't that the case any more?

From the Configuration and Operation of FTD Prefilter Policies (https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/212700-configuration-and-operation-of-ftd-prefi.html

A Prefilter Policy is a feature introduced in 6.1 version and serves three main purposes:

* Match traffic based on both inner and outer headers
* Provide early Access Control which allows a flow to bypass Snort engine completely
* Work as a placeholder for Access Control Entries (ACEs) that are migrated from Adaptive Security Appliance (ASA) migration tool.

That picture was inaccurate with regard to the Fastpath and prefilter indications. This one from a Cisco Live presentation is a better reference: (UPDATE - please refer to the better diagram in my later reply.)

FTD Order of Operations

Even yours doesn’t feel right. The Fastpath connection should only bypass the DAQ and nothing else. ALG checks and NAT are applied on Fastpath data - you can confirm with a packet tracer on a Prefilter policy.

It is worrisome even Cisco Live presenters are not fully understanding the product…

thanks A lot friend, 
can you share the name of ciscolive PPT?

Hello HQuest,

Thanks for your reply. Appreciate it. But still my original question remains; how you can examine the inner packet for 'existing connections' without decrypting the tunneled traffic first. I believe that the 'existing connections' we are referring to is for the inner IP connections and not on the IPSec tunnel headers. Right?

Thanks,

Mohan

Hello MHM,

Thank you for your reply. So, based on your reply, here is what I conclude. Let me know if this makes sense.

The 'existing connection' here refer to both the outer IP header connections (IPSec) and inner IP connections. So, if IPsec tunnel is already established (i.e., connection existing) then the tunnel traffic can be fast-pathed, without decryption. If the tunnel connection is new (not existing), then do the VPN decrypt and pass the inner IP to the Access-Control Policy for further inspection. If ACP passes this traffic, a connection entry is added and all future IPSec packets can be fast-pathed without VPN decrypt.

I found an even better (and I believe more accurate) depiction - see below.Credit to Nazmul Rajib - it is from his book "Cisco Firepower Threat Defense" (Chapter 16). (I hope you don't mind me citing it @Nazmul Rajib)

It shows that, in case of VPN traffic, that we decrypt before checking the prefilter policy for "Fastpath Trust" action. That is distinct from taking the "Fast Path" which is an unfortunately similar choice of words for how an existing flow is handled (i.e., straight to DAQ for the Firepower Engine processing). The Cisco Live slide does indeed have an error (I believe) in where it shows the output of the prefilter Fastpath action. Nazmul's figure show the correct order - including the ALG and NAT sections.

Hi All, I kinda found the answer. In one of the ciscolive videos, I saw that, after VPN Decrypt, the inner-packet is again sent back and checked for "existing connections", this time for the inner-IP.