09-29-2022 11:25 PM
Can Firepower identify traffic for routing protocols such as BGP and OSPF? I want to bypass BGP and OSPF traffic to boost my Firepower performance. Thank you.
09-30-2022 01:27 AM
If you want your traffic to bypass Snort, create a Prefilter Policy, add rules to it with the Fastpath action, and link the Prefilter Policy to the Access Control Policy.
10-04-2022 06:36 PM
Hi, thanks for the response. I want to bypass routing traffic with the prefilter and access control policy. But the problem is I don't know how to select only this routing traffic without bypassing other traffic as well. Is there a way to select only this routing traffic?
09-30-2022 01:27 AM
Not sure I fully understand the question. If you don't enable OSPF/BGP on the firewall, it won't use them at all and won't consume any resources for them.
10-04-2022 03:10 AM
Hello sir, so I'm using a transparent-mode Firepower. According to the documentation, I can just fast-track all routing protocols without inspecting them using access control rules. But when I try to configure the policy to fast-track routing protocols, I don't see any group or option to select OSPF or BGP. I want to ask how I can fast-track all routing protocol traffic. Thank you. Here is the documentation.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an access rule, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV. You can also establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an access rule. Likewise, protocols like HSRP or VRRP can pass through the FTD device.
10-04-2022 12:10 PM
Use Prefilter Policy with port and protocol conditions in rules:
BGP is TCP/179 and OSPF is protocol #89.
10-04-2022 06:27 PM
Hi, thanks for the response. I want to ask: if I fast-track all traffic for TCP port 179, can attackers attack my network using that same port and protocol? Thank you.
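An added example, not from this thread or from Cisco: it models how a prefilter rule keyed only on protocol 89 / TCP 179 (the reply above) matches traffic, and how the question about port 179 plays out. Anything on that port matches a port-only rule, so restricting the rule to known neighbor addresses is what keeps unrelated traffic on the same port under inspection. The neighbor list and sample flows are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example: models prefilter matching, not FTD code.
OSPF_PROTO = 89          # OSPF runs directly over IP, protocol number 89
TCP_PROTO = 6
BGP_PORT = 179           # BGP is TCP/179
# OSPF hello/update multicast groups (AllSPFRouters, AllDRouters)
OSPF_MCAST = {ip_address("224.0.0.5"), ip_address("224.0.0.6")}


@dataclass(frozen=True)
class Flow:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def is_routing_flow(f: Flow) -> bool:
    """Port/protocol-only match, as a broad prefilter rule sees it.

    Note that any TCP flow touching port 179 matches, whoever sent it.
    """
    if f.proto == OSPF_PROTO:
        return True
    return f.proto == TCP_PROTO and BGP_PORT in (f.sport, f.dport)


def fastpath_decision(f: Flow, neighbors) -> str:
    """Return 'fastpath' only for routing traffic between known neighbor
    networks (constructed list of CIDRs); everything else stays 'inspect'.
    OSPF to its multicast groups counts as a neighbor destination."""
    if not is_routing_flow(f):
        return "inspect"
    nets = [ip_network(n) for n in neighbors]
    src, dst = ip_address(f.src), ip_address(f.dst)
    src_ok = any(src in n for n in nets)
    dst_ok = any(dst in n for n in nets) or (
        f.proto == OSPF_PROTO and dst in OSPF_MCAST
    )
    return "fastpath" if src_ok and dst_ok else "inspect"
```

A flow from an address outside the neighbor list to port 179 still matches the broad port rule but is sent to inspection by the neighbor-restricted version.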
09-30-2022 02:33 AM - edited 09-30-2022 02:52 AM
You can for BGP:
only allow the BGP neighbor in the OUT ACL.
For OSPF I think you need to configure the neighbor command and then allow the neighbor in the ACL.
https://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/6500-bgp-pix.html
10-04-2022 06:33 PM
Hello, thanks for the response. It seems like the solution is to manually configure the router and the Firepower. I want to ask, is there a way to set the policy in Firepower only, since I am managing more than 1000 routers? I can't manually configure all of them. Also, my Firepower is set to transparent mode, so my Firepower only gets routing traffic from other routers. I want to fast-track that in the prefilter policy or access control policy. Is there a way to do that? Thank you.