How do you create Bi-Directional Access Control Policy Rules in FMC

DannyDulin
Level 1

Here's an example:

A server in our HQ data center needs access to a server in the Branch data center on port 443.

Currently, I would create 2 rules:

1. HQ->Branch port 443

2. Branch->HQ port 443

Can you consolidate these into one rule?

4 Replies

balaji.bandi
Hall of Fame
A server in our HQ data center needs access to server in Branch data center on port 443.

As per this, "1. HQ->Branch port 443" <-- this should work, right? Why are you looking to have another rule?

BB

Marvin Rhoads
Hall of Fame

Cisco firewalls are stateful. That means that once a flow is allowed in one direction a connection record is created and the firewall keeps the state of the connection in memory to automatically allow the return traffic. Thus only one rule is allowed for most use cases. The exception is when either side could be the initiator of a new connection.

Also, when a computer establishes a connection to another PC, the source port is usually chosen from the ephemeral port range (1024-65525) for a given tcp connection (or udp flow). So the return traffic will be to that dynamically chosen port and not to the port that the remote server was addressed on.

https://en.wikipedia.org/wiki/Ephemeral_port

DannyDulin
Level 1

Sorry folks. I have done a very poor job articulating my question. Allow me to try again.

First, let me preface my question with this: it does not matter what port I am using. This is just an example.

Second, when I say bi-directional, I mean I want both sides, at any given time, to be able to source traffic to the other.

Let's just say on Monday, an HQ server needs to connect to a Branch server on port 443.

You must have a rule that permits HQ server -> Branch server on port 443.

Then let's say on Wednesday, a Branch server needs to connect (brand new connection) to an HQ server on port 443.

You must have a rule that permits Branch server -> HQ server on port 443.

At face value that is 2 rules in the Firepower ACP.

Rule 1 - Source=HQ server, Destination=Branch Server, Port=443

Rule 2 - Source=Branch server, Destination=HQ Server, Port=443

My question is this. In a Firepower Access Control Policy, can I combine the two rules together like below to achieve the same result as Rules 1 & 2 above:

Source=HQ server and Branch server, Destination=Branch server and HQ server, Port 443

@DannyDulin, two rules are required in the use case you describe. They are distinct TCP connections and the firewall will track each separately.
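A toy model of the stateful behaviour described in the replies above, added here as an example and not part of the thread: one allow rule lets the HQ-initiated connection and its return traffic through, a brand-new Branch-initiated connection needs its own rule, and a single rule listing both hosts as source and destination matches more host pairs than the two explicit rules (host names, ports and the `Rule`/`StatefulFirewall` classes are constructed for the model).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """An allow rule: any listed source to any listed destination on one port."""
    sources: frozenset
    destinations: frozenset
    dport: int

    def matches(self, src, dst, dport):
        return src in self.sources and dst in self.destinations and dport == self.dport


class StatefulFirewall:
    """A new flow must hit an allow rule; once recorded, packets in either
    direction of that flow pass from the connection table without re-checking rules."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.conns = set()  # (src, sport, dst, dport) of allowed flows

    def packet(self, src, sport, dst, dport):
        if (src, sport, dst, dport) in self.conns:
            return "established"
        if (dst, dport, src, sport) in self.conns:
            return "return-traffic"      # reply to the client's ephemeral port
        if any(r.matches(src, dst, dport) for r in self.rules):
            self.conns.add((src, sport, dst, dport))
            return "allowed-new"
        return "denied"


def rule(src, dst, dport):
    return Rule(frozenset(src), frozenset(dst), dport)


RULE1 = rule({"HQ"}, {"Branch"}, 443)
RULE2 = rule({"Branch"}, {"HQ"}, 443)
COMBINED = rule({"HQ", "Branch"}, {"Branch", "HQ"}, 443)  # the proposed single rule


def covered_pairs(rules, hosts):
    """(src, dst) pairs that may open a new connection on each rule's port: the
    set-based match is a cross product, so COMBINED also covers HQ->HQ and Branch->Branch."""
    return {(s, d) for s in hosts for d in hosts for r in rules if r.matches(s, d, r.dport)}


def demo():
    fw = StatefulFirewall([RULE1])
    monday = fw.packet("HQ", 51000, "Branch", 443)     # HQ opens the connection
    reply = fw.packet("Branch", 443, "HQ", 51000)      # server reply, no rule consulted
    wednesday = fw.packet("Branch", 52000, "HQ", 443)  # brand-new connection, other direction
    fw2 = StatefulFirewall([RULE1, RULE2])
    wednesday2 = fw2.packet("Branch", 52000, "HQ", 443)
    return monday, reply, wednesday, wednesday2
```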
