
Suggestion on creating Internet access Policy

Brad_Shawh
Level 1

We are using ASA and Firepower for internet filtering in the Data Center. Our requirement is to control internet access on a 'need basis' only -- allow what is required and block everything else; this includes the servers.

So far so good. We are trying to follow the best practice of blocking everything on the Firewall rather than FP, but are running into problems with FQDNs which are associated with multiple IP addresses, or IP addresses (microsoft.com) that keep changing. So our FQDN-based objects aren't practical, and ASA is not reliable with application filtering.

So, what are our options, keeping in mind we still need to allow only what is required and block everything else? Should we allow everything (for an IP a.b.c.d) on the Firewall but perform filtering on Firepower?

So, the policy on the Firewall is:

Source: a.b.c.d, Destination: Any, Action: Allow

On Firepower:

Source: a.b.c.d, Destination: (Application: Azure), Action: Allow

Source: a.b.c.d, Destination: Any, Action: Block

Is it OK?
