I can't believe we live in a country where we can hear this beautiful knowledge.
Thanks so much! For a new out-of-the-box Firepower deployment, would setting the "Network Discovery" default action in the ACP allow all interzone traffic, meaning traffic from the outside (internet) can access something on the inside? Or does Firepower have a default deny for interzone traffic? Thanks again!
Hi, with a Network Discovery or Intrusion policy, all traffic is allowed unless an IPS rule blocks it, very much like an IDS/IPS. With the default action set to Block, it's more like a firewall.
By default, permitting inter- and intra-interface traffic is enabled, unlike on the ASA.
You would need to configure ACP rules to deny/permit traffic based on Zone/VLAN/Network/etc.
Here is a configuration example:
www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200908-configuring-firepower-threat-defense-int.html
@thepoweroffirepower-ciscos3129 Then we need to make sure the default action is always set to Block from the initial deployment. Thank you.
@RogueDire Yes, if your Firepower deployment is at the Internet edge. In a datacenter, it would depend on what ACP rules are configured. If you only wanted to allow certain traffic, then create rules to only allow that traffic and then Block everything else.
If you want to allow all traffic but inspect via IPS policy, then you could leverage Intrusion as your default action.
There is no right/wrong answer or deployment. It just depends on what you require from a security policy.
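To make the two answers above concrete, here is an added Python example (not from the video, from Cisco, or from either commenter) that models how an ACP decides a flow: rules top-down, first match wins, then the default action. The rule fields, the "empty set means any" convention, the zone names and the probe ports are all constructed for this example; the model ignores the IPS inspection that a Network Discovery or Intrusion default would still apply.

```python
from dataclasses import dataclass, field

# Minimal model of a Firepower Access Control Policy (ACP). Rules are
# evaluated top-down, first match wins, and unmatched traffic falls through
# to the policy's default action. Field names are this example's own.

@dataclass
class Rule:
    name: str
    action: str                                   # "ALLOW" or "BLOCK"
    src_zones: set = field(default_factory=set)   # empty = any zone
    dst_zones: set = field(default_factory=set)
    dst_ports: set = field(default_factory=set)   # empty = any port

    def matches(self, src_zone, dst_zone, dst_port):
        return ((not self.src_zones or src_zone in self.src_zones) and
                (not self.dst_zones or dst_zone in self.dst_zones) and
                (not self.dst_ports or dst_port in self.dst_ports))

@dataclass
class AccessPolicy:
    default_action: str          # "BLOCK", "NETWORK_DISCOVERY" or "INTRUSION"
    rules: list = field(default_factory=list)

def evaluate(policy, src_zone, dst_zone, dst_port):
    """Return (verdict, reason) for one flow, as the ACP would decide it."""
    for rule in policy.rules:
        if rule.matches(src_zone, dst_zone, dst_port):
            return rule.action, rule.name
    # No rule matched. Only Block denies here; Network Discovery and Intrusion
    # pass the flow (subject to IPS inspection, which this model ignores).
    if policy.default_action == "BLOCK":
        return "BLOCK", "default action"
    return "ALLOW", f"default action ({policy.default_action})"

def audit_default_exposure(policy, untrusted="outside", trusted="inside",
                           probe_ports=(22, 445, 3389)):
    """Ports that reach the trusted zone only because of the default action."""
    exposed = []
    for port in probe_ports:
        verdict, reason = evaluate(policy, untrusted, trusted, port)
        if verdict == "ALLOW" and reason.startswith("default"):
            exposed.append(port)
    return exposed

# Constructed samples: an edge policy publishing one service, with each default.
publish_https = Rule("publish-web", "ALLOW", {"outside"}, {"inside"}, {443})
edge_discovery = AccessPolicy("NETWORK_DISCOVERY", [publish_https])
edge_blocked = AccessPolicy("BLOCK", [publish_https])
# Datacenter "inspect everything" variant: Intrusion default, explicit block rule.
dc_inspect = AccessPolicy("INTRUSION", [Rule("deny-edge", "BLOCK", {"outside"}, {"inside"})])
```

Running `audit_default_exposure` on the three policies shows the first answer's point: only the Block default (or an explicit block rule) stops unmatched outside-to-inside traffic.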
Hello,
Thanks for this video.
Please, how do I back up FTD configurations prior to version 6.3?
Hi Yannick, this functionality was added in 6.3. Prior to this, it was a manual re-configuration of interfaces, etc.
How do I register for the live sessions (partner)?
Hi, there are live sessions but only in select cities. Reach out to your local Cisco CSE asking if there are events in your area. Thanks.