Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1734
Views
5
Helpful
5
Replies

how to move service policy and inspection on fmc?

baselzind
Level 6
Level 6

‎09-05-2019 01:01 AM - edited ‎02-21-2020 09:27 AM

i need to move a asa configuration into fmc but the problem is i cant figure out how to move the existing service policy and inspection rules into the new fmc? especially the inspection rules?

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎09-05-2019 02:44 AM

Unless you've customized the service-policies for a specific technical need, the FTD device will have default service policy rules just like ASA does.

If you need to customize the rules in FTD, here's how:

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/threat_defense_service_policies.html#id_71062

baselzind
Level 6
Level 6
In response to Marvin Rhoads

‎09-09-2019 12:21 AM

i checked the guide , the steps doesnt involve choosing certain type of traffic like ftp or icmp to enable inspection for?
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to baselzind

‎09-09-2019 02:46 AM

To modify the inspected protocols you need to use a Flexconfig.

Look under objects > Flexconfig > Flexconfig Objects. Specifically, Default_Protocol_Inspection_Enable and  ...Disable objects.

You can modify those to suit your desired state (enabled of disabled) and then choose them for deployment to the selected devices under Devices > Flexconfig. 

0 Helpful

baselzind
Level 6
Level 6
In response to Marvin Rhoads

‎09-09-2019 03:01 AM

thanks for the reply but can you help with an example as the flexconfig is really complicated below there is a sample of the inspection code
policy-map global_policy
class inspection_default
#foreach ( $protocol in $enableInspectProtocolList)
inspect $protocol
#end

if i want to add ftp and icmp to the list , how do i do so? where is this " $enableInspectProtocolList"
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to baselzind

‎09-09-2019 04:57 AM

"$enableInspectProtocolList" is a Flexconnect text object:

 

FTD Flexconfig service policy list.PNG

Somewhere in 6.x Cisco added icmp to the list of default inspections so you don't need to do anything to add it if you're running a relatively recent Firepower version. Here's my list from a running-config on 6.4.0.4 (with no overriding entries in the Flexconfig list):

policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect netbios 
  inspect tftp 
  inspect ip-options 
  inspect icmp 
  inspect icmp error 
  inspect sip

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card