Meddane
Prefiltering is the first phase of access control, run before the system performs the more resource-intensive Snort evaluation. It is used to block, or to pass without further inspection, traffic that does not need to be examined by the access control policy, and it does this without adding significant overhead on the device.

Prefiltering is the optional first step of packet flow on Firepower Threat Defense (FTD). A prefilter policy contains rules that match simple Layer 3 and Layer 4 values such as IP addresses, ports, security zones and VLAN tags; there is no deep packet inspection in a prefilter policy. Prefilter rules are comparable to ACLs on the ASA: they are evaluated by the LINA (ASA) engine, not by Snort.

One reason to use it is to allow or deny traffic quickly, without deeper inspection. For example, suppose FTP is not allowed on your network. You could create a prefilter rule that blocks TCP port 21 (the FTP control channel; active-mode data connections use TCP port 20). Matching traffic is then never handed to the Snort engine or checked against a file/malware policy; it is dropped without spending FTD resources on it. Note that a prefilter Block drops the packets silently: unlike the access control policy, the prefilter stage has no "Block with reset" action, so the client simply waits until its connection attempt times out.

We also want to allow SSH traffic from administrators without further inspection. That traffic can be put on the fast path: the Fastpath action allows the traffic while bypassing all deeper inspection, so adding such a rule to the prefilter policy saves resources. Use it only for traffic you trust, though. Fastpathed flows receive no intrusion, file or malware inspection and generate no Snort-based events, so scope the rule tightly (for example the administrators' subnet as the source network and the management hosts as the destination) rather than fastpathing TCP port 22 from everywhere.

Prefiltering is supported only on Firepower Threat Defense. ASA with FirePOWER Services does not support prefilter policies; there, the ASA's own ACLs and the service policy that redirects traffic to the SFR module decide which traffic the Snort engine sees.

The Action of a prefilter rule can be set to:

  • Analyze: passes the traffic to the access control policy (ACP) for deep inspection by Snort
  • Block: drops traffic that matches the rule (silently, without a TCP reset)
  • Fastpath: adds the traffic to the fast path; it is handled by the LINA engine only and never reaches the ACP or Snort, so it gets no intrusion, file or malware inspection

A prefilter policy is an ordered list of rules, as shown below. There are two types of rule available:

  • Prefilter: a normal ACL-style rule, used to block or fastpath traffic, or to pass it to the ACP for deep inspection
  • Tunnel: matches plaintext, passthrough tunnels (GRE, IP-in-IP, IPv6-in-IP and Teredo) by their outer headers, and can block, fastpath, analyze or rezone (assign a tunnel zone to) the encapsulated traffic

Each policy has a default action, but it applies only to tunnel traffic (Analyze all tunnel traffic or Block all tunnel traffic). Any other traffic that matches no rule is sent to the ACP for deep analysis.


Before testing the prefilter feature, from the Inside PC, ftp to the DMZ Server 192.168.10.90. With only the default prefilter policy in place, the FTP connection through the FTD should succeed.

Navigate to Policies > Access Control > Prefilter.

Firepower includes a default policy called Default Prefilter Policy. It contains no rules and passes all traffic through to the ACP for deep inspection. Firepower assigns this policy to every new ACP you create.

Only limited changes can be made to the default policy: you can change its default action and logging settings, but you cannot add rules. Best practice is to leave the default policy untouched and create a custom prefilter policy instead.

Create a custom policy by clicking New Policy.


Enter the name Prefilter-Policy and click Save.


Click Add Prefilter Rule.


In the Name field enter FTP-Rule and in the Action field select Block. On the Ports tab, add the FTP port object (TCP/21) as a destination port, so that the rule matches only FTP control connections rather than all traffic from the inside zone to the DMZ.

On the Interface Objects tab, under Available Interface Objects, select zone_inside and click Add to Source; then select zone_dmz and click Add to Destination.

On the Logging tab, check the Log at Beginning of Connection check box and click Save. Logging at the beginning is the right choice for a Block rule, since a dropped connection never completes and so has no end to log.

Click Save to save the prefilter policy.

Navigate to Policies > Access Control > Access Control Policy.

Edit the Access Control Policy FTD-ACP-Training.


Click the Default Prefilter Policy link at the top of the policy editor.

The Prefilter Policy window appears. Select the Prefilter-Policy created previously to apply it to the ACP, then click OK.

Click the Save button to save the changes to the ACP. Then deploy the ACP to the managed device; the prefilter rule takes effect only after deployment completes on the FTD.
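The same three steps (create the prefilter policy, add FTP-Rule, attach the policy to the ACP) can be scripted through the FMC REST API. The block below is an added example; it is not part of the original post and not Cisco's own tooling. The endpoint paths and JSON field names follow the FMC REST API reference as understood by the author of this example; treat them as assumptions and confirm each one in your FMC's API Explorer (https://<fmc>/api/api-explorer) before relying on it. The host, credentials and object UUIDs are placeholders, and only the standard library is used so that the payload builders can be run and tested without an FMC.

```python
"""Build the post's prefilter policy, FTP block rule and ACP assignment
with the FMC REST API instead of the GUI.

Added example, not from the original post or from Cisco. Endpoint paths
and JSON field names are assumptions to be checked against the FMC API
Explorer; host, credentials and UUIDs are placeholders.
"""
import base64
import json
import ssl
import urllib.request

PREFILTER_ACTIONS = ("ANALYZE", "BLOCK", "FASTPATH")   # the three rule actions from the post


def zone_ref(zone_id, name):
    return {"type": "SecurityZone", "id": zone_id, "name": name}


def port_ref(port_id, name):
    return {"type": "ProtocolPortObject", "id": port_id, "name": name}


def build_prefilter_policy(name):
    """Policy body; the default action applies to tunnel traffic only (assumed field names)."""
    return {
        "name": name,
        "type": "PrefilterPolicy",
        "defaultAction": {"action": "ANALYZE_TUNNELS", "logBegin": False,
                          "logEnd": False, "sendEventsToFMC": False},
    }


def build_prefilter_rule(name, action, src_zones, dst_zones, dst_ports=(), log_begin=True):
    """Rule body for an ordinary (non-tunnel) prefilter rule (assumed field names)."""
    if action not in PREFILTER_ACTIONS:
        raise ValueError(f"action must be one of {PREFILTER_ACTIONS}, got {action!r}")
    rule = {
        "name": name,
        "type": "PrefilterRule",
        "ruleType": "PREFILTER",
        "action": action,
        "enabled": True,
        "sourceInterfaces": {"objects": list(src_zones)},
        "destinationInterfaces": {"objects": list(dst_zones)},
        "logBegin": log_begin,
        "logEnd": False,            # a Block rule has no connection end to log
        "sendEventsToFMC": log_begin,
    }
    if dst_ports:                   # without ports the rule would match *all* inside->dmz traffic
        rule["destinationPorts"] = {"objects": list(dst_ports)}
    return rule


class FmcClient:
    """Minimal token-authenticated FMC REST client (stdlib only)."""

    def __init__(self, host, username, password, verify_tls=True):
        self.base = f"https://{host}"
        self.ctx = ssl.create_default_context()
        if not verify_tls:          # lab only: FMC ships with a self-signed certificate
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        cred = base64.b64encode(f"{username}:{password}".encode()).decode()
        req = urllib.request.Request(self.base + "/api/fmc_platform/v1/auth/generatetoken",
                                     method="POST", headers={"Authorization": "Basic " + cred})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            self.token = resp.headers["X-auth-access-token"]
            self.domain = resp.headers["DOMAIN_UUID"]

    def call(self, method, path, body=None):
        url = f"{self.base}/api/fmc_config/v1/domain/{self.domain}{path}"
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "X-auth-access-token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)


def create_ftp_block(client, acp_id, inside_zone_id, dmz_zone_id, ftp_port_id):
    """Replicate the GUI steps: new policy, FTP-Rule, then attach the policy to the ACP."""
    policy = client.call("POST", "/policy/prefilterpolicies",
                         build_prefilter_policy("Prefilter-Policy"))
    rule = build_prefilter_rule("FTP-Rule", "BLOCK",
                                [zone_ref(inside_zone_id, "zone_inside")],
                                [zone_ref(dmz_zone_id, "zone_dmz")],
                                [port_ref(ftp_port_id, "FTP")])
    client.call("POST", f"/policy/prefilterpolicies/{policy['id']}/prefilterrules", rule)
    acp = client.call("GET", f"/policy/accesspolicies/{acp_id}")
    for key in ("links", "metadata"):   # read-only fields FMC rejects on PUT
        acp.pop(key, None)
    acp["prefilterPolicySetting"] = {"id": policy["id"], "type": "PrefilterPolicy"}
    client.call("PUT", f"/policy/accesspolicies/{acp_id}", acp)
    return policy["id"]                 # deploy to the FTD afterwards, as in the GUI
```

The zone and port object UUIDs are looked up beforehand (for example from the securityzones and protocolportobjects endpoints), and deployment remains a separate step, exactly as in the GUI procedure above.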

From the Inside PC, ftp to the DMZ Server 192.168.10.90 again. This time the connection should not succeed: the FTD drops the SYN silently, so the FTP client hangs until it times out rather than reporting "connection refused".
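A small probe makes the two FTP tests in this post (before and after deployment) repeatable and, more importantly, tells a prefilter drop apart from a host that is merely down or refusing. The block below is an added example, not part of the original post and not Cisco tooling. Before the policy is deployed, 192.168.10.90:21 should report "open"; afterwards the prefilter Block drops the SYN without a TCP reset, so the client sees neither SYN-ACK nor RST and the probe reports "filtered". A "refused" result means a RST came back, which a prefilter Block never produces. The DMZ address and FTP port are taken from the post's lab; the second "control" port (80) is an assumption added so the script can prove the host itself is still reachable.

```python
"""Probe a TCP port from the Inside PC and classify how the attempt ended.

Added example; not part of the original post. Expected results on the
post's lab: {'ftp': 'open', ...} before the prefilter policy is deployed
and {'ftp': 'filtered', 'control': 'open', 'block_confirmed': True} after.
The control port (80) is an assumption.
"""
import socket

FILTERED, OPEN, REFUSED, UNREACHABLE = "filtered", "open", "refused", "unreachable"


def classify(exc):
    """Map the outcome of a connect() (None, or the OSError it raised) to a verdict."""
    if exc is None:
        return OPEN                     # three-way handshake completed
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED                 # no SYN-ACK and no RST: silently dropped
    if isinstance(exc, ConnectionRefusedError):
        return REFUSED                  # RST received: host reachable, port closed
    return UNREACHABLE                  # e.g. ENETUNREACH / EHOSTUNREACH from the local stack


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connection and return one of the verdict strings."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:              # socket.timeout and ConnectionRefusedError are OSErrors
        return classify(exc)


def verify_prefilter_block(host, ftp_port=21, control_port=80, timeout=3.0):
    """Confirm FTP is dropped while another service on the same host still answers.

    Probing a second port rules out the host simply being down: the block is
    confirmed only when FTP is filtered *and* the control port is open.
    """
    results = {
        "ftp": probe_tcp(host, ftp_port, timeout),
        "control": probe_tcp(host, control_port, timeout),
    }
    results["block_confirmed"] = results["ftp"] == FILTERED and results["control"] == OPEN
    return results


def loopback_listener():
    """Start a throwaway listener on 127.0.0.1 so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run from the Inside PC against the DMZ server from the post.
    print(verify_prefilter_block("192.168.10.90"))
```

If the FTP probe comes back "refused" instead of "filtered", the packet reached something that answered with a reset, which means the prefilter rule did not match (wrong zones, wrong port object, or the policy was not deployed); check the connection event's Tunnel/Prefilter Rule column rather than assuming the drop happened.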

From the FMC, navigate to Analysis > Connections > Events and click Table View of Connection Events. You should see the Inside PC 192.168.133.30 as the Initiator IP, 192.168.10.90 as the Responder IP, an Action of Block, and a destination port of 21 / TCP.

Optionally, click Edit Search to filter the events and display only those whose Responder IP is 192.168.10.90.

You should now see only the events related to the Responder IP 192.168.10.90.

In the Tunnel/Prefilter Rule column you should see FTP-Rule as the rule that matched the FTP traffic, with Prefilter-Policy in the Prefilter Policy column. This confirms the connection was dropped at the prefilter stage, before it ever reached Snort or the access control rules.

 
