how to move service policy and inspection on fmc?

baselzind
Level 6

I need to move an ASA configuration into FMC, but the problem is I can't figure out how to move the existing service policy and inspection rules into the new FMC, especially the inspection rules?

5 Replies

Marvin Rhoads
Hall of Fame

Unless you've customized the service-policies for a specific technical need, the FTD device will have default service policy rules just like ASA does.

If you need to customize the rules in FTD, here's how:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71062

I checked the guide; the steps don't involve choosing a certain type of traffic like FTP or ICMP to enable inspection for?

To modify the inspected protocols you need to use a Flexconfig.

Look under Objects > Flexconfig > Flexconfig Objects. Specifically, the Default_Protocol_Inspection_Enable and ...Disable objects.

You can modify those to suit your desired state (enabled or disabled) and then choose them for deployment to the selected devices under Devices > Flexconfig.

Thanks for the reply, but can you help with an example, as the Flexconfig is really complicated? Below is a sample of the inspection code:
policy-map global_policy
class inspection_default
#foreach ( $protocol in $enableInspectProtocolList)
inspect $protocol
#end

If I want to add ftp and icmp to the list, how do I do so? Where is this "$enableInspectProtocolList"?

"$enableInspectProtocolList" is a Flexconnect text object:

[Image attachment: FTD Flexconfig service policy list.PNG]

Somewhere in 6.x Cisco added icmp to the list of default inspections so you don't need to do anything to add it if you're running a relatively recent Firepower version. Here's my list from a running-config on 6.4.0.4 (with no overriding entries in the Flexconfig list):

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
  inspect sip  
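As an added example (not code from the thread or from Cisco), a short Python check that reads the inspections already enabled in the running-config posted above, reports which of a desired set (here ftp and icmp) are still missing, and expands the #foreach template from the thread for only those protocols. The function names are my own; the config text is the one quoted in the reply.

```python
"""Added example (not from the thread or Cisco): read the inspections already
enabled in 'class inspection_default' of a running-config and report which
protocols still need to go into the FlexConfig list ($enableInspectProtocolList)."""

# Running-config excerpt as posted in the thread (FTD 6.4.0.4 defaults).
RUNNING_CONFIG = """\
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect sip
"""

def enabled_inspections(config: str) -> set:
    """Protocol names inspected in 'class inspection_default'. Only the first
    word after 'inspect' is the protocol ('preset_dns_map', 'error' are options)."""
    enabled, in_class = set(), False
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["class"]:
            in_class = words == ["class", "inspection_default"]
        elif in_class and words[:1] == ["inspect"]:
            enabled.add(words[1])
    return enabled

def missing_inspections(desired, config: str) -> list:
    """Protocols from `desired` the config does not yet inspect, sorted."""
    return sorted(set(desired) - enabled_inspections(config))

def render_flexconfig(protocols) -> str:
    """Expand the thread's #foreach template for the protocols to enable."""
    lines = ["policy-map global_policy", " class inspection_default"]
    lines += [f"  inspect {p}" for p in protocols]
    return "\n".join(lines)
```

Running `missing_inspections(["ftp", "icmp"], RUNNING_CONFIG)` against the posted 6.4 config returns an empty list, confirming nothing has to be added for those two; on an older config without `inspect icmp` it returns `["icmp"]`, and `render_flexconfig` then produces the lines the FlexConfig object would deploy.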
