Getting rid of "permit ip any any" rules in ACLs

Chess Norris
Level 4

Hello,
I've been given the task of investigating which ports are necessary to have open in a number of ACLs on a Firepower FTD device. The goal is to limit the number of open ports and get rid of the "permit ip any any" entries in some of the ACLs.
My plan was to run a TCP dump on the firewall and search for the most common ports (WEB, FTP, Domain etc.) and then add rules for those ports. The "permit IP any any" rule will be kept last in the ACL until I am sure the other rules are sufficient to allow only the necessary traffic. (I will be checking the hit counts on each rule.)
Is there anyone else who might have a better approach to reaching this goal? I am aware of the challenges in a task like this and I will most likely not be able to find every single port that needs to be open, but if I can at least cover about 80% of the ports we need to allow, I can add additional rules for the rest of the traffic later.


Thanks

/Chess


1 Reply

Hi @Chess Norris, trawling through tcpdump output would be painful! Perhaps enable netflow on the firewall or the switch interface and collate the protocol/port/IP address information, from there you can start to develop a new firewall ruleset.
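One way to do the collation the reply suggests, as an added example that is not from this thread: it takes a flow export (constructed here as a simplified proto,src,dst,dport,count CSV, not a real Firepower or NetFlow format), tallies flows per protocol and destination port, and picks the smallest set of services that reaches the 80% coverage the question aims for. Whatever is left over is the traffic the trailing "permit ip any any" entry and its hit count will still have to account for.

```python
from collections import Counter
from typing import NamedTuple

# Constructed sample export: proto,src_ip,dst_ip,dst_port,flow_count
SAMPLE_FLOWS = """
tcp,10.1.1.5,192.0.2.10,443,120
tcp,10.1.1.6,192.0.2.10,443,80
tcp,10.1.1.7,192.0.2.20,80,60
udp,10.1.1.5,192.0.2.53,53,50
tcp,10.1.1.8,192.0.2.30,22,20
tcp,10.1.1.9,192.0.2.40,21,10
udp,10.1.1.5,192.0.2.60,123,5
tcp,10.1.1.9,192.0.2.40,8443,5
"""

class Flow(NamedTuple):
    proto: str
    src: str
    dst: str
    dport: int
    count: int

def parse_flows(text: str) -> list[Flow]:
    """Parse the simplified export; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, dst, dport, count = line.split(",")
        flows.append(Flow(proto.lower(), src, dst, int(dport), int(count)))
    return flows

def tally_services(flows: list[Flow]) -> Counter:
    """Aggregate flow counts per (protocol, destination port), i.e. per candidate ACE."""
    totals: Counter = Counter()
    for f in flows:
        totals[(f.proto, f.dport)] += f.count
    return totals

def coverage_plan(totals: Counter, target: float = 0.8):
    """Return the top services whose cumulative share of flows reaches `target`
    (as (proto, port, flows, cumulative_share)) and the services left below it."""
    grand = sum(totals.values())
    ranked = totals.most_common()
    chosen, covered = [], 0
    for (proto, port), n in ranked:
        if covered / grand >= target:
            break
        covered += n
        chosen.append((proto, port, n, round(covered / grand, 3)))
    return chosen, ranked[len(chosen):]  # leftover still hits the catch-all
```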
