700 Views | 10 Helpful | 5 Replies

LocalFW ACL Vs Firesight Pushed ACL

orielrose (Level 1)

Hi Guys

If we have a network policy pushed from Firesight to the ASA and it has got a local policy applied on the interface, which would take precedence?

Also, is there any way we could check on the ASA what policy it has received from Firesight?


5 Replies

Marvin Rhoads (Hall of Fame)

How are you pushing a policy to the ASA from Firesight?

Do you mean you have a policy pushed to the ASA's FirePOWER service module?

In that case, they are quite separate things. The ASA evaluates ingress and egress interface ACLs when the packet is presented to the interface. The service module evaluates the flow against its policies when it receives the packet from the parent ASA as part of the policy-map.

So it's not one or the other, it's both and the net result is their cumulative policy when applied in series (like a Boolean logical "AND").

See this link for a picture:

https://ccie-or-null.net/2014/12/10/packet-flow-with-firepower/
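Added example to go with the reply above (this is not configuration from the original thread or from the poster; interface names, ACL names and the 203.0.113.10 address are assumed). It shows the two stages in series on the ASA side: the interface ACL that the ASA evaluates first, and the policy-map that hands whatever the ACL permitted to the FirePOWER (sfr) module. The access-control policy itself is not stored in the ASA configuration, so the "show" commands at the end only confirm the redirect and the module state; the policy content is viewed on the module via FireSIGHT.

```cisco
! Stage 1: interface ACL, evaluated by the ASA when the packet arrives on "outside".
! Ordered, first match wins, implicit deny at the end. A flow denied here never
! reaches the FirePOWER module, whatever the access-control policy says.
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Stage 2: redirect. Traffic that survived the ACL is matched by this class
! and sent to the sfr module, which applies the policy pushed from FireSIGHT.
! Net effect is both stages in series: ASA ACL permit AND FirePOWER allow.
access-list SFR_REDIRECT extended permit ip any any
class-map SFR_CLASS
 match access-list SFR_REDIRECT
policy-map global_policy
 class SFR_CLASS
  sfr fail-open
service-policy global_policy global
!
! Checks on the ASA side (assumed interface/ACL names as above):
!   show access-list OUTSIDE_IN      - ACE hit counts: what stage 1 permitted or dropped
!   show service-policy sfr          - packets redirected to / dropped by the module
!   show module sfr details          - module status and its management details
```

Caveat: "sfr fail-open" means traffic continues to pass through the ASA (subject only to the interface ACL) if the module is down or not yet registered; "sfr fail-close" drops it instead. Which to use is a risk decision, but it is worth knowing that with fail-open the ASA ACL is the only thing enforcing policy while the module is unavailable.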

Marvin

Thank you so much, that makes it really clear. One more question just to double check: if we have a Firepower access-control policy, we really don't need ASA ACEs? I don't see the advantage of filtering something twice.

You're welcome.

They are complementary.

Think of the ASA ACL as your first tool in blocking intruders. Prevent random port scanners and such.

For those incoming connections on legitimate ports that are permitted by an ACL, the FirePOWER module can then do a payload inspection at layer 4+ to check for protocol conformance and malicious content.

Please rate useful replies and mark your question as answered when it has been.

Hi, I have a similar question about the ACL policy under Firesight. How granular does the ACL in Firesight have to be? Should I duplicate the exact copy (line by line) of the ACL in the ASA to Firesight?

They don't have to be as granular as your ASA ACLs. In case you want to block malware/files using a File Policy, block URL categories etc., you might want to use a single rule for all your traffic, or a more granular one if you want to enable IPS for certain flows.
