
INTRODUCTION TO FIREPOWER POLICIES

Prefilter Policy

Prefiltering is the first phase of access control, before the system performs more resource-intensive
evaluation.
Prefiltering is simple, fast, and early. Prefiltering uses limited outer-header criteria to quickly handle traffic.
Compare this to subsequent evaluation, which uses inner headers and has more robust inspection
capabilities.
A prefilter rule can match on “Interface Objects”, “Networks”, “VLAN Tags”, and “Ports”.

A tunnel rule can match on “Interface Objects”, “Tunnel Endpoints”, “VLAN Tags”, and “Encapsulation & Ports”.

The prefilter action can be set to “Analyze”, “Block”, or “Fastpath”:

Fastpath—Exempts matching traffic from all further inspection and control, including access control, identity
requirements, SSL Inspection and rate limiting. Fastpathing a tunnel fastpaths all encapsulated connections.
Block—Blocks matching traffic without further inspection of any kind. Blocking a tunnel blocks all encapsulated
connections.
Analyze—Allows traffic to continue to be analyzed by the rest of access control, using inner headers. If passed by
access control and any related deep inspection, this traffic may also be rate limited. For tunnel rules, enables rezoning
with the Assign Tunnel Zone option.
SSL Policy
SSL rules provide a granular method of handling encrypted traffic across multiple managed devices, whether
blocking the traffic without further inspection, not decrypting the traffic and inspecting it with access control,
or decrypting the traffic for access control analysis.

Actions:
Do not decrypt: traffic may need to be exempted from decryption where decryption is forbidden, e.g. some jurisdictions forbid decrypting
financial information.
Decrypt - Resign: This is the recommended action for decrypting outgoing traffic.
If traffic matches this rule, the system re-signs the server certificate with pre-defined CA certificate, then
acts as a man-in-the-middle. It creates two TLS/SSL sessions, one between client and managed device, one
between managed device and server. Each session contains different cryptographic session details, and
allows the system to decrypt and re-encrypt traffic.
Decrypt – Known Key: This method of decryption is recommended for incoming traffic because you must
have access to the private key of the destination server.
If traffic matches the rule, and the certificate used to encrypt the traffic matches the certificate associated with the action, the
system uses the appropriate private key to obtain the session encryption and decryption keys.
Block: to terminate the connection, resulting in an error in the client browser.
Block with Reset: to terminate and reset the connection, resulting in an error in the client browser.
The error indicates the connection was reset but does not indicate why.
Monitor: The Monitor action is not designed to permit or deny traffic. Rather, its primary purpose is to force connection logging,
regardless of how matching traffic is eventually handled. Traffic is then matched against additional rules, if present, to determine
whether to trust, block, or decrypt it. The first non-Monitor rule matched determines traffic flow and any further inspection. If
there are no additional matching rules, the system uses the default action.
Identity Policy

Identity policies contain identity rules. Identity rules associate sets of traffic with a realm and an authentication
method: passive authentication, active authentication, or no authentication.
DNS

DNS-based Security Intelligence allows you to whitelist or blacklist traffic based on the domain name requested by a
client. Cisco provides domain name intelligence you can use to filter your traffic; you can also configure custom lists
and feeds of domain names tailored to your deployment.

A DNS rule can match on “Source Zones”, “Networks”, “VLAN Tags”, and “DNS” (domain lists and feeds).

The DNS rule action can be set to “Whitelist”, “Monitor”, “Domain Not Found”, “Drop”, or “Sinkhole”:
Whitelist: allows matching traffic to pass. When you whitelist traffic, it is subject to further inspection
either by a matching access control rule, or the access control policy's default action.

Monitor: designed to force connection logging; matching traffic is neither immediately whitelisted nor blacklisted.
Rather, traffic is matched against additional rules to determine whether to permit or deny it.
Domain Not Found: action returns a non-existent internet domain response to the DNS query, which prevents the client
from resolving the DNS request.

Drop: drops the matching DNS traffic without a response.

Sinkhole: action returns a sinkhole object's IPv4 or IPv6 address in response to the DNS query.
Malware & File

Advanced Malware Protection (AMP) for Firepower can detect, capture, track, analyze, log, and optionally block the
transmission of malware in network traffic.

File Rule Actions


Detect Files rules allow you to log the detection of specific file types to the database, while still allowing their transmission.

Block Files rules allow you to block specific file types. You can configure options to reset the connection when a file transfer is
blocked, and store captured files to the managed device.

Malware Cloud Lookup rules allow you to obtain and log the disposition of files traversing your network, while still allowing their
transmission.

Block Malware rules allow you to calculate the SHA-256 hash value of specific file types, query the AMP cloud to determine if files
traversing your network contain malware, then block files that represent threats.
Intrusion Policy
An intrusion policy uses intrusion and preprocessor rules (sometimes referred to collectively as intrusion rules) to
examine the decoded packets for attacks based on patterns. Intrusion policies are paired with variable sets, which
allow you to use named values to accurately reflect your network environment.

Network analysis policies govern these traffic-handling tasks:

• after traffic is filtered by Security Intelligence
• after encrypted traffic is decrypted by an optional SSL policy
• before traffic can be inspected by file or intrusion policies
A network analysis policy governs packet processing in phases. First the system decodes packets through the first three
TCP/IP layers, then continues with normalizing, preprocessing, and detecting protocol anomalies:
The packet decoder converts packet headers and payloads into a format that can be easily used by the preprocessors and
later, intrusion rules. Each layer of the TCP/IP stack is decoded in turn, beginning with the data link layer and continuing
through the network and transport layers. The packet decoder also detects various anomalous behaviors in packet headers.
In inline deployments, the inline normalization preprocessor reformats (normalizes) traffic to minimize the chances of
attackers evading detection. It prepares packets for examination by other preprocessors and intrusion rules, and helps
ensure that the packets the system processes are the same as the packets received by the hosts on your network.
NAP governs mostly preprocessing options, whereas the intrusion policy governs mostly intrusion rules.
https://popravak.wordpress.com/2018/08/30/a-little-bit-about-firepower-network-analysis-policy-nap/
Access Control Policy (ACP)
Access control is a hierarchical policy-based feature that allows you to specify, inspect, and log (non-fast-pathed)
network traffic.

An access control policy contains access rules, which provide a granular method of
handling network traffic based on the matched rule's action (monitor, trust, block,
or allow).
An access rule can match on zone, network, VLAN tags, users, applications, ports,
URLs, and SGT/ISE attributes. You can also decide whether to inspect and log the
matching traffic depending on requirements.
Security Intelligence
As an early line of defense against malicious internet content, Security Intelligence uses reputation intelligence to
quickly block connections to or from IP addresses, URLs, and domain names. This is called Security Intelligence
blacklisting.
Security Intelligence is an early phase of access control, before the system performs more resource-intensive
evaluation. Blacklisting improves performance by quickly excluding traffic that does not require inspection.

Although you can configure custom blacklists, Cisco provides access to regularly updated intelligence feeds. Sites
representing security threats such as malware, spam, botnets, and phishing appear and disappear faster than you
can update and deploy custom configurations.
FIREPOWER TRAFFIC FLOW

Prefilter - comes before any other inspection. If traffic is fastpathed it bypasses all further evaluation, i.e. Security Intelligence,
SSL Policy, Identity Policy, IPS, Malware/File, and URL Policy. If analyzed, it proceeds to further, more advanced inspection. If blocked,
the traffic is discarded.

Traffic is evaluated against Security Intelligence, SSL Decryption, Identity Policy, and Network Analysis Policy before the access
rules (L7 ACL, App, URL, IPS, File/Malware policy).
Therefore, setting an access rule to “Trust” only allows the traffic to bypass IPS and Malware/File inspection.
Setting an access rule to “Allow” lets you further evaluate the traffic with IPS and Malware/File inspection.
Setting an access rule to “Block” discards the traffic.
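The evaluation order above, together with the first-match semantics of Monitor rules described in the SSL and DNS sections (Monitor forces logging, the first non-Monitor rule decides), as an added toy model; this is illustrative code, not Cisco's, and the policy, ports and addresses are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Flow:
    dst: str
    dport: int
    encrypted: bool = False
    logged: bool = False                     # set when a Monitor rule matches
    inspections: list = field(default_factory=list)

def first_match(flow, rules, default):
    """First-match lookup: a 'monitor' rule only forces logging and evaluation
    continues; the first non-Monitor rule decides, otherwise the default applies."""
    for matches, action in rules:
        if matches(flow):
            if action == "monitor":
                flow.logged = True
                continue
            return action
    return default

def evaluate(flow, pol):
    """Return the final verdict and record which inspections the flow received."""
    pf = first_match(flow, pol["prefilter"], "analyze")  # outer headers only
    if pf != "analyze":
        return pf                          # fastpath/block: nothing else runs
    if flow.dst in pol["si_blacklist"]:    # Security Intelligence precedes SSL/ACP
        return "si_block"
    if flow.encrypted:
        ssl = first_match(flow, pol["ssl"], "do_not_decrypt")
        if ssl.startswith("block"):
            return "ssl_" + ssl
        if ssl.startswith("decrypt"):
            flow.encrypted = False         # inner payload now visible to ACP/IPS
    flow.inspections.append("nap")         # network analysis runs before access rules
    acl = first_match(flow, pol["access"], "block")
    if acl == "allow":                     # only Allow gets IPS + file/malware inspection
        flow.inspections += ["ips", "file"]
    return acl                             # 'trust' skips IPS/file; 'block' discards

# Constructed sample policy (hypothetical, not from a real FMC deployment)
POLICY = {
    "prefilter": [(lambda f: f.dport == 5060, "fastpath")],
    "si_blacklist": {"203.0.113.9"},
    "ssl": [(lambda f: f.dport == 443, "monitor"),
            (lambda f: f.dst.startswith("10."), "decrypt_resign")],
    "access": [(lambda f: f.dport == 22, "trust"),
               (lambda f: f.dport in (80, 443), "allow")],
}
```

Note that a fastpathed flow to a blacklisted address is never seen by Security Intelligence, exactly as the flow description states.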
NAT

NAT Rule can be implemented in two ways:


• Manual NAT Rule
• Auto NAT Rule
It is recommended to use auto NAT unless you need the extra features that manual NAT provides.