Using application based access rules in FTD

Chess Norris
Level 4

Hello,


After migrating a couple of ASA firewalls to FTD, I'm thinking about starting to use application rules instead of traditional port-based rules, but I have a couple of questions regarding this.


For example, if I would like to allow outgoing DNS traffic, should I use both DNS as the application and UDP/TCP port 53, or should I leave the ports to any?

A similar question about URL filter rules. Should I combine the HTTP/HTTPS application with TCP port 80 & 443 or just leave the port to any?

Are there any general recommendations for when I should not use application rules and instead only use port-based rules?

Thanks
/Chess


8 Replies

@Chess Norris the Cisco documentation examples I've seen just use the application in the ACP rule. However, if you define the application and port, you ensure that, for example, the application http is running on port 80 only.

You may wish to use the ports in the Access Control rules to save unnecessary Layer 5-7 inspection. Cisco recommendations for a ruleset are: block L1-L4 first, followed by L1-L4 trust rules, followed by L5-L7 explicit blocks, and followed by L1-L7 allow rules. This reduces the time traffic will be inspected.
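As an added illustration of the ordering advice in the reply above (this is constructed example code, not from the thread, from Cisco, or from any FTD export), the script below audits a small list of access control rules: it flags rules that sit below a rule of a later tier than their own, and it lists allow/trust rules that rely on application identification alone with the port left to any. The `Rule` class and the sample policy are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    """One access control policy rule, reduced to the fields the audit needs."""
    name: str
    action: str                 # "block", "trust" or "allow"
    ports: tuple = ()           # L4 conditions such as "udp/53"; empty means any
    applications: tuple = ()    # application conditions; empty means none
    urls: tuple = ()            # URL conditions; empty means none

    def needs_l7(self) -> bool:
        # Any application or URL condition sends the flow to Snort (L5-L7).
        return bool(self.applications or self.urls)

    def tier(self) -> int:
        # Recommended order: L1-L4 block (0), L1-L4 trust (1),
        # L5-L7 block (2), then L1-L7 allow (3).
        if self.action == "block":
            return 2 if self.needs_l7() else 0
        if self.action == "trust" and not self.needs_l7():
            return 1
        return 3


def ordering_violations(rules):
    """Names of rules that sit below a rule of a later tier than their own."""
    bad, highest = [], -1
    for r in rules:
        if r.tier() < highest:
            bad.append(r.name)
        highest = max(highest, r.tier())
    return bad


def portless_app_allows(rules):
    """Allow/trust rules that match on application alone, with ports left to any."""
    return [r.name for r in rules
            if r.action in ("allow", "trust") and r.applications and not r.ports]


# Constructed sample policy (not an export from a real FTD).
SAMPLE_RULES = [
    Rule("block-telnet-in", "block", ports=("tcp/23",)),
    Rule("trust-backup", "trust", ports=("tcp/10000",)),
    Rule("block-fb-chat", "block", applications=("Facebook Chat",)),
    Rule("allow-dns", "allow", applications=("DNS",)),
    Rule("allow-web", "allow", ports=("tcp/80", "tcp/443"),
         applications=("HTTP", "HTTPS"), urls=("Business",)),
    Rule("block-smb-out", "block", ports=("tcp/445",)),   # stranded below L7 rules
]

if __name__ == "__main__":
    print("out of order:", ordering_violations(SAMPLE_RULES))        # ['block-smb-out']
    print("port-less app allows:", portless_app_allows(SAMPLE_RULES))  # ['allow-dns']
```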


Great explanation, thanks Rob. Do you happen to have a link to those Cisco recommendations?

Thanks

/Chess

@Chess Norris there is/was an old Cisco guide called "NGFW Policy Order of operations" that covered this, though the old link is dead. Some google skills might find it.

Chess Norris
Level 4

Thanks again. The document is available here, but I think you need to be a member to download the PDF file. https://www.scribd.com/document/460583035/NGFW-Policy-Order-of-Operations-pdf 

I found a PowerPoint presentation from Cisco Live that has a chapter on NGFW rule expansion and optimization which might be similar: https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2020/pdf/BRKSEC-3455.pdf

/Chess

My recommendation is to use the application match sparingly. This match is done on what is contained in the packet header and this is sometimes not matched correctly by FTD / SNORT. I have experienced several instances where traffic starts dropping due to a database update on the FTD that causes traffic to no longer match on an ACP rule that is matching on application; the reason for this is that SNORT classifies the application incorrectly.

So if you do use application for all your rules, just be aware that you will most likely run into this issue at some point.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius. How about URL filtering rules? Would there be any benefit in using application matching on those kinds of rules? There is an example here https://rayka-co.com/lesson/cisco-ftd-url-filtering/ where they select HTTP and HTTPS as the application for URL filtering rules.

/Chess

I would think that standard URL rules for accessing websites would be "safe" to use application to match on http and/or https.

I have usually only used application when the application uses a lot of ports which are not all known to me, or continually change, or are generally difficult to match purely on port number (one example would be Facebook chat). I am sure others have different views on this, but this is what I normally do.

--
Please remember to select a correct answer and rate helpful posts

Here is a typical example that I just came across at work, where HTTPS traffic is being classified as NTP when using application matching. There is in fact a bug for this.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwc25920


--
Please remember to select a correct answer and rate helpful posts