07-26-2024 02:44 PM
Hi there,
I am using a Firepower 3110 to set up Remote VPN services for AnyConnect users.
When editing a VPN group policy (from the FMC web UI), there is the "Client Firewall Rules" setting under the "AnyConnect" tab, and the "Traffic Filter" under the 'Advanced' tab in the group policy. Both appear to associate an ACL with the settings.
After reading the Cisco doc, I am still not sure I understand them fully.
It seems the 'traffic filter' is to control inbound traffic from the AnyConnect client to the inside network over the VPN tunnel, right?
And the "Client Firewall Rules" are used to control traffic from the AnyConnect client to other hosts when on a VPN connection, and when not on a VPN connection?
Am I understanding this correctly? If not, would someone give me a brief use case so I can tell when to use what?
Thanks in advance.
07-26-2024 03:23 PM
traffic filter <<- there is no direction in the filter; if you configure a traffic filter, then traffic will be permitted or denied using the IPs you use in the ACL, and this applies on the FTD itself.
Client firewall rule <<- this rule is pushed to the client and used by the client, not the FTD, to filter traffic.
MHM
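To make the distinction in the accepted answer concrete, here is an added example that is not part of the original thread or of Cisco's documentation. It is written in ASA CLI syntax, which is also what FTD shows in `show running-config` once FMC has deployed the group policy (in FMC, "Traffic Filter" becomes `vpn-filter` and "Client Firewall Rules" become `anyconnect firewall-rule`). The ACL names, the group policy name GP_ANYCONNECT, the VPN pool 10.10.10.0/24, the inside network 192.168.1.0/24 and the DNS host 192.168.1.10 are all assumptions chosen for illustration.

```text
! Added example (ASA CLI syntax); all names and addresses below are assumptions.
! Assumed: VPN pool 10.10.10.0/24, inside network 192.168.1.0/24, DNS at 192.168.1.10.

! 1) "Traffic Filter" (Advanced tab in FMC) = vpn-filter, enforced on the FTD itself.
!    Write each ACE as seen from the client: source = VPN client, destination = inside host.
!    The FTD matches the return direction of the same flow with source/destination swapped,
!    so one ACE covers both directions; there is no separate inbound and outbound ACL.
!    Do not reuse this ACL as an interface access-group.
access-list VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list VPN_FILTER extended permit udp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 53
access-list VPN_FILTER extended deny ip any any

! 2) "Client Firewall Rules" (AnyConnect tab in FMC) = anyconnect firewall-rule, pushed to
!    the client and enforced by the AnyConnect client's own firewall module, not by the FTD.
!    "public"  = the physical adapter: traffic that bypasses the tunnel (local LAN / split tunnel).
!    "private" = the virtual VPN adapter: traffic that enters the tunnel.
! Public side: with local LAN access, allow only local printing and block everything else.
access-list CLIENT_PUBLIC extended permit udp any any eq 631
access-list CLIENT_PUBLIC extended permit tcp any any eq 9100
access-list CLIENT_PUBLIC extended deny ip any any
! Private side: the client may only send HTTPS and DNS into the tunnel.
access-list CLIENT_PRIVATE extended permit tcp any 192.168.1.0 255.255.255.0 eq 443
access-list CLIENT_PRIVATE extended permit udp any host 192.168.1.10 eq 53
access-list CLIENT_PRIVATE extended deny ip any any

! Bind both to the AnyConnect group policy.
group-policy GP_ANYCONNECT attributes
 vpn-filter value VPN_FILTER
 webvpn
  anyconnect firewall-rule client-interface public value CLIENT_PUBLIC
  anyconnect firewall-rule client-interface private value CLIENT_PRIVATE
```

The practical difference: VPN_FILTER is the control you can rely on, because the headend enforces it regardless of what the endpoint does; CLIENT_PUBLIC and CLIENT_PRIVATE depend on the AnyConnect client honouring them and are mainly useful for constraining what the endpoint does outside the tunnel (the public rules) when split tunneling or local LAN access is enabled. Note also that on FTD the decrypted VPN traffic is still subject to the Access Control policy unless "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" is enabled in the RA VPN policy, so a vpn-filter is one of two headend-side checks, not the only one.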
07-26-2024 03:17 PM
Yes, that is right.
See this for more details on the client-side rules: