Where Networking and Security Collide

Category: FirePower

How to Deploy FMC/FTD part 2 – Access Control Policies

To finalize the configuration and actually pass traffic through the FTD appliance, an access control policy is needed. This is similar to an access control list applied to an ASA in the Cisco world.

An Access Control Policy (ACP) pulls together rule sets for L3/L4, L7 (Application), URL filtering, IPS/IDS, and File/AMP (Advanced Malware Protection). This is one of my favorite aspects of FMC: you can create a single policy and apply it to one or many devices. When a policy change is made, it is pushed to all associated devices. The days of managing each device individually are over 🙂

Cisco’s definition:

“Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed) network traffic. Especially useful in multidomain deployments, you can nest access control policies, where each policy inherits the rules and settings from an ancestor (or base) policy. You can enforce this inheritance, or allow lower-level policies to override their ancestors. Each managed device can be targeted by one access control policy”

Access Control Policy Configuration

In the following videos you will learn how to set up the different components that make up an access control policy. We will build out different rule sets and tie them back to a single Access Control Policy.

*Before we start on access policy, please check out the following note on object management.*

Reusable Objects – You will see in the following videos a reference to a DNS object. An object is simply a pointer or hostname description for a network, host, etc. Create these by going to Objects -> Object Management.

Access Control Policy (L3/L4 rules) – This video highlights configuration of L3/L4 firewall rules by blocking ICMP traffic.

Access Control Policy (Application rules) – In this video you will see how to configure application-based firewall rules.

Access Control Policy (URL Filtering rules) – This video shows how to configure URL filtering.

Access Control Policy (File Policy/AMP) – This video shows how to configure a policy to block malware. Use the file policy to permit/deny certain file types and/or detect/prevent malicious files (malware).

Access Control Policy (IPS Policy) – In this video you will learn how to configure a balanced IPS policy.


Now that we have covered the ACP, I wanted to share a cool optional policy that can reduce overhead and increase performance on FTD.

PreFilter Policy – Have you ever run into traffic that doesn’t need advanced inspection? A few examples could be VPN tunnels, encrypted traffic (that you’re not decrypting), and blocking IPs/networks.

To implement it, create a PreFilter policy and associate it with an ACP.

Per Cisco.com: “Prefiltering is the first phase of access control, before the system performs more resource-intensive evaluation. Prefilter policies deployed to managed devices use limited outer-header criteria to quickly handle traffic.

Contrasted with the rest of access control, which uses inner headers and has more robust inspection capabilities, prefiltering is simple, fast, and early.

Configure prefiltering if you want to:

  • Improve performance— The sooner you exclude traffic that does not require inspection, the better. You can fastpath or block certain types of plaintext, passthrough tunnels based on their outer encapsulation headers, without inspecting their encapsulated connections. You can also fastpath or block any other connections that benefit from early handling.
  • Tailor deep inspection to encapsulated traffic—You can rezone certain types of tunnels, so that you can later handle their encapsulated connections using the same inspection criteria. Rezoning is necessary because after prefiltering, access control uses inner headers.” (Cisco.com- see exact link below)



I hope you have found these blog posts helpful. I will continue to update my page with more details on FirePOWER. Please post any questions or comments in the comments section below.

How to Deploy FirePOWER Management Center and FirePOWER Threat Defense – Part 1

Looking for instructions on how to deploy FirePOWER Management Center (FMC) and FirePOWER Threat Defense (FTD)? Then you have come to the right place! The following blog post/videos will walk through a start-to-finish vFMC and vFTD perimeter deployment (many of these principles also apply to physical deployments). If you are not familiar with FMC/FTD, check out my previous blog post.

Before you get started, I want to send a shout out to Jason Maynard, Cisco Security CSE in Canada, who created the videos below. Check out his other content here.

Feel free to use the comments section for questions or feedback! Let’s get started!

1. FirePOWER Management/FTD appliance – VMware Deployment – This video shows the initial steps in deploying vFMC and vFTD.



2. vFTD initial configuration – This video outlines configuration of the vFTD interfaces and the FMC management IP address (the pointer to the FMC responsible for managing the FTD appliance).

There is a two-step process to manage FTD from FMC:

  1. “configure manager [IP of FMC] [key]” – via the CLI on the FTD appliance, point the FTD appliance to the FMC (note the password; you will need it in the next step).
  2. Add device – via the GUI on FMC (see step 3).



3. vFMC initial configuration/register vFTD appliance – Learn how to apply vFMC management IP address settings, licensing, etc.



4. FTD interface configuration – The following video shows the configuration of FTD routed interfaces. See the link below to learn about more interface configuration options.



5. (Optional) Set up a TAP interface (i.e., connect to a SPAN port) – A potential use case for this configuration is a branch site where I may want to span my internal data VLAN (capturing east/west traffic) and send it to my FTD appliance. The FTD appliance will then inspect traffic in/out (routed) and east/west (passive interface).


6. FTD Routing Configuration (Static/Dynamic Routing) – This video details inbound/outbound routing configuration.



7. FTD NAT/PAT Configuration – The video highlights PAT (Port Address Translation) configuration. PAT is typically used when many internal devices need to share one public IP address. See the link below to learn more about NAT/PAT and configuration options.



8. FTD DHCP Server Configuration – This video shows how to set up a DHCP server for an inside network behind an FTD firewall. This configuration is typically used in a branch site or lab where a DHCP server is unavailable. Check out the link below to learn how to redirect DHCP/DNS requests to a remote DHCP server.



9. FTD Platform Policy – When deploying network devices, it is usually a best practice to configure management, time, and access control settings. The following video highlights how to configure SSH access, ICMP, SMTP, SNMP, syslog, time synchronization, timeouts, etc.

With FMC, there is the option to create a single policy and roll it out to one or many devices. In my opinion, this greatly simplifies configuration.

OK, we are almost there. Before actually routing traffic through the FTD appliance, an Access Control Policy must first be created. This policy pulls together rule sets for L3/L4, L7 (Application), URL filtering, IPS/IDS, and File/AMP (Advanced Malware Protection).

Before we jump into ACP configuration, take a break, grab some coffee, and see you over in my next blog post!

Additional Links