View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0168 - ASA FirePower Application Filtering (Part 1)

Rating: 
5
Average: 5 (4 votes)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
The video demonstrates Cisco ASA FirePower capability to perform traffic filtering based on application and application categories. Some of the applications used in our scenarios are RDP, Bit Torrent, Facebook, and Social Networking. We will also touch upon the significance of HTTPS traffic and how it affects FirePower capability to analyze traffic.
 
Part 1 of this video goes through access control rules configuration of our lab scenarios
 
Topic:
  • Application Type and Category Filtering 
  • Application Filter Object
  • Access Control Policy and Rules
  • Non-Default RDP Port
  • Bit Torrent
  • Facebook and Social Networking

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.

7 comments

How does we can creeate layer7 rate limit policies? Like Cisco CX...

Don't believe that is available on FirePower currently, unfortunately.

thanks for this interesting video ;

For most of our customers, ASA FP is added to an existing ASA environment, so with an existing set of ASA rules ; and in most cases too, this ASA to ASA+FP migration is performed first, to add the IPS FP function ;

As it is not always easy nor wished to migrate all existing ASA rules towards FP rules (in the FP Access Control Policy), we face situations where we can have 2 set of rules : 1 in ASA and 1 in FP because, apart from the FP IPS fuction, the included FP AVC function can be really useful to remove the limitations of basic L3/L4 ASA functions

Questions :
1) if we have an ASA rule that denies a flow and an FP rule which allows this same flow,
a) will ASA redirect this flow request to FP for Analysis ? I guess the answer is no ;
b) if yes, will the flow be finally allowed by the ASA end whether FP trust it ?

2) if we have an ASA rule that allows all flows from Inside to Outside and an FP rule which explicitely and only allows Office365 Applications flows without any explicit FP deny rule for the rest of detected applications :
a) will the Office365 flow be allowed by the ASA whether FP trust it ?
b) will the other non Office365 applications detected by FP be implicitely denied by the FP and so by the ASA ?
the question here is to know if FP has an implicit deny rule at the end of its Access Control Policy as it is the case in the ASA rule

thanks again for your videos

1a) No since the packet is processed and dropped first by the interface ACL
2a) Yes
2b) No, everything else will also be allowed

ASA and FP work independently when it comes to access control. The traffic first need to be allowed by inbound ASA ACL before it gets redirected to FP. FP then pass the traffic through it own access policy which can result in allow or deny. If allowed, the traffic returns to the ASA and be processed by other functions (eg. routing, NAT, policy-map etc.) and eventually outbound ASA ACL. ASA and FP have absolutely no knowledge of each other access policy.

There is also no concept of implicit deny on FP. You need to explicitly define a default action of access control policy.

thanks a lot for this clear answer that confirms my own ideas

Great videos! are application filters "dynamic" meaning do they get updated by Cisco with new apps? thank you!

Where do you see app filter "dynamic" being mentioned?

Poll

Vote for the Next Video Series