What happens to an L7 ACP rule when the IPS option is not enabled?

PacketSpartan
Level 1

There might be an obvious answer to this.

My understanding is that, when you create an L7 ACP entry on Firepower, a few packets are sent through the DAQ engine to identify the app so it can evaluate the L7 ACL. Then, based on the L7 evaluation, it is allowed or blocked.

I assume that if you don't enable the IPS option under the rule, then it simply does not do any IPS (same as the File policy).

Is my understanding correct?

CCNA R&S
4 Replies

Accepted Solution

Traffic is passed to Snort; Snort will detect the App ID, then uses this ID in the L7 rule to deny or allow.

If IPS is enabled, the ACP L7 rule with App ID will also be inspected by IPS to allow or deny.

MHM

Cheers, 

This was my understanding

CCNA R&S

All packets are sent to the DAQ (unless you are using ASA with FirePOWER Services).

If you put a trust rule, then it will bypass most of it, but it still uses resources, as it is still received by Snort.

There is a prefilter option to bypass Snort completely for the best performance for trusted flows.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214572-firepower-data-path-troubleshooting-ove.html#anc13
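As an added illustration (not from the thread and not Cisco code), the following Python model encodes the processing order this reply and the accepted answer describe: the prefilter policy runs first and a fastpath or block verdict there means Snort never sees the flow; everything else is handed to Snort, which must identify the application before any rule carrying an App ID condition can be evaluated; and an IPS policy is applied only when the matching Allow rule has one attached, while a Trust rule is still received by Snort. The rule schema, the sample policy and the sample flows are assumptions constructed for illustration, not an FTD configuration format.

```python
"""Simplified model of the FTD data path discussed in the thread.

Constructed example: the rule fields and sample policy below are
illustrative assumptions, not Cisco's configuration model.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    app: str  # the application Snort's AppID would identify (constructed input)


@dataclass(frozen=True)
class PrefilterRule:
    dport: Optional[int]  # None matches any destination port
    action: str           # "fastpath", "block" or "analyze" (hand to Snort)


@dataclass(frozen=True)
class AcpRule:
    name: str
    action: str                          # "allow", "trust" or "block"
    apps: FrozenSet[str] = frozenset()   # empty set = no L7 (App ID) condition
    ips_policy: Optional[str] = None     # IPS policy attached to an Allow rule


@dataclass(frozen=True)
class Verdict:
    action: str
    matched_rule: str
    snort_inspected: bool      # did the flow reach the Snort engine at all?
    app_identified: bool       # did Snort have to run AppID before deciding?
    ips_policy: Optional[str]  # IPS policy applied to the flow, if any


def evaluate(flow: Flow, prefilter: List[PrefilterRule],
             acp: List[AcpRule], default_action: str = "block") -> Verdict:
    # Stage 1: prefilter policy (LINA). Fastpath or block here means the
    # flow bypasses Snort completely, so no App ID and no IPS.
    for r in prefilter:
        if r.dport is None or r.dport == flow.dport:
            if r.action == "fastpath":
                return Verdict("allow", "prefilter:fastpath", False, False, None)
            if r.action == "block":
                return Verdict("block", "prefilter:block", False, False, None)
            break  # "analyze": fall through to the access control policy

    # Stage 2: access control policy, evaluated in Snort. As soon as a rule
    # with an App ID condition is reached, Snort has to identify the app.
    app_identified = False
    for r in acp:
        if r.apps:
            app_identified = True
            if flow.app not in r.apps:
                continue
        if r.action == "allow":
            # IPS runs only if this Allow rule has a policy attached.
            return Verdict("allow", r.name, True, app_identified, r.ips_policy)
        if r.action == "trust":
            # Trusted after the match, but the flow still reached Snort.
            return Verdict("allow", r.name, True, app_identified, None)
        return Verdict("block", r.name, True, app_identified, None)

    return Verdict(default_action, "acp:default", True, app_identified, None)


# Constructed sample policy (assumed, for illustration only).
EXAMPLE_PREFILTER = [PrefilterRule(dport=5060, action="fastpath")]
EXAMPLE_ACP = [
    AcpRule("block-tor", "block", frozenset({"Tor"})),
    AcpRule("allow-web-with-ips", "allow", frozenset({"HTTP", "HTTPS"}),
            ips_policy="Balanced Security and Connectivity"),
    AcpRule("allow-backup-no-ips", "allow", frozenset({"Rsync"})),
    AcpRule("trust-everything-else", "trust"),
]

if __name__ == "__main__":
    for f in (Flow("10.0.0.5", "10.0.1.9", 5060, "SIP"),
              Flow("10.0.0.5", "203.0.113.7", 443, "HTTPS"),
              Flow("10.0.0.8", "10.0.2.2", 873, "Rsync"),
              Flow("10.0.0.9", "198.51.100.4", 9001, "Tor")):
        print(f.app, evaluate(f, EXAMPLE_PREFILTER, EXAMPLE_ACP))
```

Run as a script it prints one verdict per constructed flow; the point to read off is that only the prefilter fastpath keeps a flow away from Snort, and that an L7 Allow rule without an attached IPS policy still costs an App ID pass but applies no IPS.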


Cheers, thanks for clarifying it.

Thanks, we've just moved over from ASAs with SFR to full FTDs, so we are making sure we understand the packet flow. Also, it doesn't help when SNORT/DAQ/IPS get used to describe the same process (sometimes).

CCNA R&S