Solved: Where to migrate SFR redirect rules on FTD appliance

jmeetze · ‎02-03-2023

We are migrating from ASA with SFR modules to new FTD appliances. We used the migration tool, but did not select the option to migrate ASA with FPS. After looking over the configuration, I'm wondering if we should have chosen the option to migrate with FPS as our rules for SFR redirect were not migrated. I really don't want to go back and migrate again, so I'm hoping someone can tell me where would be the best place to manually add these rules to our new FTD policy if they are even needed. Should I place them in a prefilter policy with Fastpath as the action? Where would these rules have been placed had I chosen the option to migrate my ASA with FPS?

Thanks in advance!

Marvin Rhoads · ‎02-03-2023

In the Firepower image the old redirect rules for Firepower service module are not required as the Snort engine is fully integrated in the FTD model.

Normally we migrate all ASA rules in an FTD Access Control Policy and only move into prefilter things we want to completely exempt from Snort and Security Intelligence. For example, trusted flows between internal segments or IPsec traffic flowing through the firewall.

View solution in original post

Marvin Rhoads · ‎02-03-2023

In the Firepower image the old redirect rules for Firepower service module are not required as the Snort engine is fully integrated in the FTD model.

Normally we migrate all ASA rules in an FTD Access Control Policy and only move into prefilter things we want to completely exempt from Snort and Security Intelligence. For example, trusted flows between internal segments or IPsec traffic flowing through the firewall.

jmeetze · ‎02-03-2023

Great thanks Marvin. That's what I figured but appreciate you clarifying it for me.