Tony   This is a very common question, so lets start from basics.   A Firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules, lets call them Access Lists.   So, using ACLs we can ONLY allow or deny traffic, and default action is implicit deny.   An Intrusion Prevention System (IPS) is a network security/threat prevention technology that examines network traffic flows to detect and prevent vulnerability exploits.   ASA is a Firewall while Firepower is an IPS. How does ASA and Firepower work together?   Suppose in your network, you are allowing the following traffic   Inside Network 192.168.0.0/16 can talk to DMZ Network 172.16.0.0/16 Inside Network 192.168.0.0/16 can access Internet.   Generally speaking, what traffic would you inspect for malware, viruses etc, Inside to DMZ? No. You would want to inspect traffic coming from, or destined to Internet (outside).   Using a special access list on ASA (*1), a certain traffic (in this case, Inside to Outside) will be redirected to Firepower for inspection (remember, nothing to do with allowing or denying that traffic on the network)   So, what is Access Control Policy? Traffic from from Inside to Outside has reached Firepower for inspection, ACP kicks in.   While an Access Control List can only allow or deny traffic, Access Control Policy can   Rule 1 : Deny subnet 192.168.0.0/16 from accessing any SSH connection AND log it Rule 2 : Allow Subnet 192.168.1.0/24 (*2) to access government URLs AND send it Malware inspection Rule 3 : Interactively Block (*3) Subnet 192.168.1.0/24 (*2) from accessing Shopping URLs and sent for Malware inspection policy 1 Rule 4 : Deny Subnet 192.168.2.0/24 (*2) from accessing any FTP server and send traffic to Malware inspection policy 2 Rule 5 : Allow Outlook Traffic (192.168.4.0/24) (*2) and send it to 'File Policy' for inspection   File Policy could be : If Office files are detected, Block Upload. MP3 files, block. Exe files block AND send for inspection etc   Rule 6 : Default Action : Block, Network Discovery, Trust or IPS (MOSTLY, you would NEVER want to use "Block" as default action in an ACP :) :) )     **Important** While an ACL on a Firewall can only allow or deny traffic, ACP's actions are: Allow, Trust (No more inspection), Monitor (logging only), Block, Block with Reset (sent an RST packet), Interactive Block or Interactive Block with Reset     (*1) You can find it using sh run class-map sfr (*2) These subnets can only be a part of subset that is being redirected to Firepower, in this case, 192.168.0.0/24, anything else you try, will never be inspected, because the traffic won't even come to FP. (*3) Interactive Block works as 'Allow'. but gives a warning page before a site is allowed. Warning page "Hello, the website you are accessing is classified as "Shopping", connections to this site are monitored" ... View more