To finalize configuration and actually pass traffic through the FTD appliance, an access control policy is needed. This would be similar to an access control list that is applied to an ASA…in the Cisco world.
Access Control Policy is a policy that pulls together rule sets for L3/L4,L7(Application), URL filtering, IPS/IDS, File/AMP (Advanced Malware Protection). This is one of my favorite aspects of FMC, you can create a single policy and apply it to one or multiple devices. When making a policy change, it is pushed to all associated devices. The days of managing each device individually are over 🙂
Cisco’s definition…
“Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed) network traffic. Especially useful in multidomain deployments, you can nest access control policies, where each policy inherits the rules and settings from an ancestor (or base) policy. You can enforce this inheritance, or allow lower-level policies to override their ancestors. Each managed device can be targeted by one access control policy”
Access Control Policy Configuration
In the following videos you will learn how to setup the different components that make up an access control policy. We will build out different rules sets and tie them back to a single Access Control Policy.
*Before we start on access policy, please check out the following note on object management.*
Reusable Objects- You will see in the following videos a reference to a DNS object. An object is simply a pointer or hostname description for a network, host etc. Create these by going to Objects->Object Management.
Access Control Policy( L3/L4 rules) – This video highlights configuration of L3/L4 firewall rules by blocking ICMP traffic.
Access Control Policy (Application rules) – In this video you will see how to configure application based firewall rules.
Access Control Policy (URL Filtering rules)– This video shows how to configure URL Filtering.
Access Control Policy (File Policy/AMP) – This video shows how to configure a policy to block malware . Use the file policy to permit/deny certain file types and/or detect/prevent malicious files(Malware).
Access Control Policy (IPS Policy) – In this video learn how to configure a balanced IPS policy.
Links
Now that we have covered ACP, I wanted to share a cool optional policy that can reduce overhead and increase performance on FTD.
PreFilter Policy – Have you ever run into that traffic that doesn’t need advanced inspection? A few examples could be VPN tunnels, encrypted traffic(that your not decrypting) and blocking IPs/networks.
To implement, create a PreFilter policy and associate it to the an ACP.
Per Cisco.com “Prefiltering is the first phase of access control, before the system performs more resource-intensive evaluation. Prefilter policies deployed to managed devices use limited outer-header criteria to quickly handle traffic.
Contrasted with the rest of access control, which uses inner headers and has more robust inspection capabilities, prefiltering is simple, fast, and early.
Configure prefiltering if you want to:
- Improve performance— The sooner you exclude traffic that does not require inspection, the better. You can fastpath or block certain types of plaintext, passthrough tunnels based on their outer encapsulation headers, without inspecting their encapsulated connections. You can also fastpath or block any other connections that benefit from early handling.
- Tailor deep inspection to encapsulated traffic—You can rezone certain types of tunnels, so that you can later handle their encapsulated connections using the same inspection criteria. Rezoning is necessary because after prefiltering, access control uses inner headers.” (Cisco.com- see exact link below)
Links
I hope you have found these blog posts helpful. I will continue to update my page with more details on FirePOWER. Please post any questions or comments in comments section below.
