We are using ASA and Firepower for internet filtering in the data center. Our requirement is to control internet access on a 'need basis' only: allow what is required and block everything else, and this includes the servers.
So far so good. We are trying to follow the best practice of blocking everything on the firewall rather than on FP, but we are running into problems with FQDNs that are associated with multiple IP addresses, or whose IP addresses (e.g. microsoft.com) keep changing. So our FQDN-based objects aren't practical, and the ASA is not reliable with application filtering.
So, what are our options, keeping in mind that we still need to allow only what is required and block everything else? Should we allow everything (for an IP a.b.c.d) on the firewall but perform the filtering on Firepower?
So, the policy on the firewall is:
Source: a.b.c.d, Destination: Any, Action: Allow
On Firepower:
Source: a.b.c.d, Destination: (Application: Azure), Action: Allow
Source: a.b.c.d, Destination: Any, Action: Block
Is it OK?