04-22-2022 10:54 AM
Here's an example:
A server in our HQ data center needs access to a server in the Branch data center on port 443.
Currently, I would create 2 rules:
1. HQ->Branch port 443
2. Branch->HQ port 443
Can you consolidate these into one rule?
04-22-2022 05:03 PM
"A server in our HQ data center needs access to a server in the Branch data center on port 443."
As per this, rule 1 (HQ->Branch port 443) should work, right? Why are you looking to have another rule?
04-22-2022 08:46 PM
Cisco firewalls are stateful. That means that once a flow is allowed in one direction a connection record is created and the firewall keeps the state of the connection in memory to automatically allow the return traffic. Thus only one rule is allowed for most use cases. The exception is when either side could be the initiator of a new connection.
Also, when a computer establishes a connection to another PC, the source port is usually chosen from the ephemeral port range (1024-65525) for a given TCP connection (or UDP flow). So the return traffic will be to that dynamically chosen port and not to the port that the remote server was addressed on.
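To illustrate the stateful behaviour described in the post above, here is a toy connection-tracking firewall written for this thread (it is not Cisco code and the addresses, ports and rules are constructed sample values). A single HQ->Branch:443 rule lets the reply to the client's ephemeral port back through, but a brand-new connection opened from the Branch side is dropped until a second rule exists.

```python
# Toy stateful firewall: added example, not from the thread or any vendor.
# Rules permit NEW connections in one direction; a connection record then
# allows the return traffic without a second rule.
HQ, BRANCH = "10.1.1.10", "10.2.2.20"   # constructed sample addresses


class StatefulFirewall:
    def __init__(self, rules):
        # rules: list of (src_host, dst_host, dst_port) allowed to open a connection
        self.rules = rules
        self.conntrack = set()   # 4-tuples of established connections

    def packet(self, src, sport, dst, dport, syn):
        """Return 'allow' or 'drop' for one TCP segment."""
        fwd = (src, sport, dst, dport)
        rev = (dst, dport, src, sport)
        if fwd in self.conntrack or rev in self.conntrack:
            return "allow"            # belongs to an existing connection
        if syn and (src, dst, dport) in self.rules:
            self.conntrack.add(fwd)   # create the connection record
            return "allow"
        return "drop"                 # new connection with no matching rule


def run_scenario(rules):
    """Replay the Monday/Wednesday scenario; return the three verdicts."""
    fw = StatefulFirewall(rules)
    # Monday: HQ opens a connection to Branch:443 from an ephemeral port
    monday_syn = fw.packet(HQ, 51000, BRANCH, 443, syn=True)
    # Branch replies to the ephemeral port, not to 443
    monday_reply = fw.packet(BRANCH, 443, HQ, 51000, syn=False)
    # Wednesday: Branch opens a brand-new connection to HQ:443
    wednesday_syn = fw.packet(BRANCH, 52000, HQ, 443, syn=True)
    return monday_syn, monday_reply, wednesday_syn


if __name__ == "__main__":
    print("one rule: ", run_scenario([(HQ, BRANCH, 443)]))
    print("two rules:", run_scenario([(HQ, BRANCH, 443), (BRANCH, HQ, 443)]))
```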
04-27-2022 02:09 PM
Sorry folks. I have done a very poor job articulating my question. Allow me to try again.
First, let me preface my question by saying it does not matter which port I am using. This is just an example.
Second, when I say bi-directional, I mean I want both sides at any given time to be able to source traffic to the other.
Let's just say on Monday, an HQ server needs to connect to a Branch server on port 443.
You must have a rule that permits HQ server -> Branch server on port 443.
Then let's say on Wednesday, a Branch server needs to connect (brand new connection) to an HQ server on port 443.
You must have a rule that permits Branch server -> HQ server on port 443.
At face value that is 2 rules in the Firepower ACP.
Rule 1 - Source=HQ server, Destination=Branch Server, Port=443
Rule 2 - Source=Branch server, Destination=HQ Server, Port=443
My question is this. In a Firepower Access Control Policy, can I combine the two rules together like below to achieve the same result as Rules 1 and 2 above:
Source=HQ server and Branch server, Destination=Branch server and HQ server, Port 443
04-28-2022 09:07 AM
@DannyDulin two rules are required in the use case you describe. They are distinct TCP connections and the firewall will track each separately.