collapse

Search


User Info

 
 
Welcome, Guest. Please login or register.
Did you miss your activation email?

Author Topic: FTD - Access Control Policy - Implicit Deny any any  (Read 23878 times)

Offline LoboPR

  • Cisco Newbie
  • *
  • Posts: 2
  • Reputation: 0
  • Certification: CCNP
FTD - Access Control Policy - Implicit Deny any any
« on: April 16, 2024, 08:38:01 AM »
Hi,
I come from the ASA side of firewalls. Have a few questions.
1- In the ASA ACL you would have an implicit Deny any any at the end of the ACL. That would block all traffic not explicitly permitted in the ACL. Best practice would be to enter it as an ACE at the last position with the log option.

Is this the same with the ACP on the FTD?

2-With just configuring NAT on the ASA. The traffic from the higher security level can pass to the lever security lever (ex inside (100) outside (0))

On the FTD I notice that the security levels are all level 0 and no place to change this.

Do we have to explicitly permit outgoing traffic before the deny?

Thanks,

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 400
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: FTD - Access Control Policy - Implicit Deny any any
« Reply #1 on: April 18, 2024, 07:45:28 PM »
1. Access Policy in FTD has a configurable default rule at the bottom. You can set it to deny or allow.

2. There is no concept of Security Level in FTD. All interfaces would show as 0 on CLI. You need to create a zone, assign to each interface, and come up with an Access Policy that will control traffic between zone. By default, traffic is not allowed between interfaces.

Offline LoboPR

  • Cisco Newbie
  • *
  • Posts: 2
  • Reputation: 0
  • Certification: CCNP
Re: FTD - Access Control Policy - Implicit Deny any any
« Reply #2 on: April 19, 2024, 11:27:19 AM »
Ok,

So what would be like the best practice:

First Pre-filters - Like you mention on the video training. Then
ACP:
1- Allow inbound traffic to static NAT (inside Servers)
2- Monitor - all Traffic (for discovery)
3- Allow outgoing traffic from users (Url, application, malware and IPS)
4- Deny Any Any
 
Does the stateful feature still apply?
If I allow a packet to go out, would the return traffic make it in?)

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 400
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
Re: FTD - Access Control Policy - Implicit Deny any any
« Reply #3 on: April 21, 2024, 09:13:05 PM »
Pre-filter is like an interface ACL. It can only match IP/Port/Protocol and is stateless so it should only be used to match simple traffic and has rules that are fairly static.

For ACP, traffic is matched by zone pair first so their orders do not really matter. Within the same zone pair, more specific rules should go to the top. ACP is always stateful.

 

Related Topics

  Subject / Started by Replies Last post
2 Replies
17852 Views
Last post August 18, 2013, 05:59:34 PM
by MC
1 Replies
9500 Views
Last post December 15, 2013, 10:43:38 PM
by MC
1 Replies
13989 Views
Last post October 09, 2014, 11:12:34 PM
by MC
0 Replies
9337 Views
Last post October 22, 2015, 01:07:45 AM
by sherief
1 Replies
11293 Views
Last post January 02, 2018, 04:54:56 AM
by MC

SimplePortal 2.3.7 © 2008-2024, SimplePortal