09-09-2019 03:28 AM - edited 09-09-2019 03:31 AM
Just to double check my understanding of rules and inspection: when I create a rule from inside to outside, any any, for a user, if the user is browsing the net he will be able to get data back from the internet because HTTP and HTTPS inspection is enabled by default. But if he sends out traffic for, let's say, RTP or SMTP, will he be able to get data back from outside if they are not listed in the default inspection? Like, will incoming data responses for SMTP and RTP be blocked?
09-09-2019 05:12 AM
Inspection is not required for a tcp or udp protocol to work. The stateful nature of ASA and Firepower firewalls allows the return traffic in all cases.
Inspection only checks protocol conformance in the LINA (ASA) section of the code (for FTD devices) or in the ASA itself for non-FTD.
A base ASA or older versions of FTD did not inspect ICMP by default, so we add icmp (its own protocol, distinct from TCP or UDP) as an inspection so that the firewall builds a "connection" record (even though it's a connectionless protocol) for the ICMP traffic and knows to allow the return packets.
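The behaviour the answer describes, as an added toy model (constructed for this page, not Cisco code and not how LINA actually keys its connection table): an outbound TCP or UDP packet creates a connection entry that permits the return packets whether or not an application inspection exists for that port, an unsolicited inbound packet with no entry is dropped, and ICMP only gets an entry when the `inspect_icmp` flag (standing in for `inspect icmp` in the ASA policy-map) is on. Addresses, ports and the `Packet`/`StatefulFirewall` names are assumptions.

```python
"""Toy stateful firewall connection table (constructed illustration, not Cisco code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # tcp/udp source port; for icmp reused as the echo identifier
    dport: int = 0      # tcp/udp destination port; unused for icmp
    icmp_type: str = ""  # "echo-request" or "echo-reply", informational only


class StatefulFirewall:
    """Inside->outside policy is 'permit any any'; outside->inside is allowed
    only when the packet matches the reverse of an existing connection."""

    def __init__(self, inspect_icmp: bool):
        self.inspect_icmp = inspect_icmp
        self.conns = set()  # the connection table

    @staticmethod
    def _key(pkt: Packet):
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return ("icmp", pkt.src, pkt.dst, pkt.sport)  # keyed on echo identifier

    @staticmethod
    def _reverse_key(pkt: Packet):
        # The reply swaps source and destination, so look for the mirrored entry.
        if pkt.proto in ("tcp", "udp"):
            return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return ("icmp", pkt.dst, pkt.src, pkt.sport)

    def outbound(self, pkt: Packet) -> bool:
        """Inside -> outside. TCP/UDP always build a connection entry;
        ICMP builds one only when icmp inspection is enabled."""
        if pkt.proto in ("tcp", "udp") or self.inspect_icmp:
            self.conns.add(self._key(pkt))
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Outside -> inside. Permitted only as return traffic of a known connection."""
        return self._reverse_key(pkt) in self.conns


def demo(inspect_icmp: bool) -> dict:
    """Run the scenarios from the thread; returns {scenario: permitted?}."""
    fw = StatefulFirewall(inspect_icmp)
    inside, mail, media, gw, stranger = (  # constructed sample addresses
        "10.1.1.10", "203.0.113.25", "203.0.113.40", "203.0.113.1", "198.51.100.7")
    results = {}

    # SMTP: no application inspection configured in this model, reply still allowed
    fw.outbound(Packet("tcp", inside, mail, 51000, 25))
    results["smtp_reply"] = fw.inbound(Packet("tcp", mail, inside, 25, 51000))

    # RTP over UDP: same thing, the stateful entry permits the return stream
    fw.outbound(Packet("udp", inside, media, 16384, 16384))
    results["rtp_reply"] = fw.inbound(Packet("udp", media, inside, 16384, 16384))

    # Unsolicited inbound packet with no matching connection entry
    results["unsolicited"] = fw.inbound(Packet("tcp", stranger, inside, 40000, 80))

    # ICMP echo: only permitted back when icmp inspection built an entry
    fw.outbound(Packet("icmp", inside, gw, sport=7, icmp_type="echo-request"))
    results["icmp_reply"] = fw.inbound(Packet("icmp", gw, inside, sport=7, icmp_type="echo-reply"))
    return results


if __name__ == "__main__":
    print("without icmp inspection:", demo(False))
    print("with icmp inspection:   ", demo(True))
```

Running it shows the SMTP and RTP replies permitted in both cases, the unsolicited packet dropped in both, and the ICMP echo reply permitted only in the second run. On a real ASA the equivalent of flipping the flag is adding `inspect icmp` under the global policy-map; the rest of the model deliberately ignores TCP state tracking, NAT and idle timeouts.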