An administrator is working on a migration from Cisco ASA to the Cisco FTD appliance and needs to test the rules without disrupting the traffic. Which policy type should be used to configure the ASA rules during this phase of the migration?
I changed my mind to A after reading this document --> https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/prefiltering_and_prefilter_policies.html
Fastpath vs Trust discussion
Fastpath, and therefore prefilter, wins because it bypasses all further inspection and handling instead of only being exempt from deep inspection and discovery, aka the Trust function in the ACL.
On top of that, you only have to configure it once in the ACL policy instead of on a per-rule basis.
Both Prefilter and ACP are correct here; there are a bunch of discussions on the community around this topic. Generally speaking I would probably go with ACP, but I believe that by default the migration tool will migrate the rules to prefilter, and that's the answer they are going for here.
https://community.cisco.com/t5/network-security/firepower-prefilter-or-access-control-policy/td-p/3832096
https://community.cisco.com/t5/network-security/asa-to-ftd-policy-migration-best-practice/td-p/3081218
https://community.cisco.com/t5/network-security/asa-ftd-migration-prefilter-policy-or-access-control-policy/td-p/4587384
I would use ACP in this case because you can "Allow" or "Trust" the traffic in the rules, and you can turn off IPS if needed or use IDS, which will not disrupt the traffic. Personally, to test the rules, I would allow the traffic with IDS added to the rules, and of course logging enabled. Prefilter would bypass inspection and just use the LINA process, so it would be useless to keep the rules there and not get the benefits of using an FTD.
https://community.cisco.com/t5/network-security/asa-ftd-migration-prefilter-policy-or-access-control-policy/td-p/4587384
Based on the Cisco community thread, you can multi-select all of your rules and edit common attributes in a single action, including the inspection policy. This would definitely be handy when you have hundreds of rules.
When you migrate from ASA to FTD you use prefilter. The question states: "to test the rules without disrupting the traffic"; this is done with prefilter. With prefilter you only have rules based on L3 and L4, same as ASA. This is also in Cisco's whitepaper regarding migration from ASA to FTD.
I'm not 100% sure, but I would think ACP would be better than Prefilter... With ACP you set the action to "Monitor", whereas with Prefilter you can only fastpath or block... Fastpath could be an option for Prefilter, but this only bypasses SNORT... "Monitor" with ACP sounds better.
ACP—Every access control rule has an action that determines how the system handles and logs matching traffic. You can either perform an allow, trust, monitor, block, or block with reset action on an access control rule.
Prefilter—A rule's action determines how the system handles and logs matching traffic. You can perform either a fastpath or a block action.