NGFW Policy Order Of Operations - Cisco€¦ · l 4 © 2018 Cisco Systems, Inc. All rights reserved. L a yer 2-4 F a st P a th IP Secu rity B lock ing L a yer 3 t 7, Secu rity G rou

1 © 2018 Cisco Systems, Inc. All rights reserved.

.......................................................................................................... 2

............................................................................................................... 2

............................................................. 2

.................................................................................................. 3

......................................................................................................... 3

....................................................................................... 4

................................................................. 6

................................................................................. 7

................................................................................................................ 7

........................................................................................................ 8

..................................................................................... 8

............................................................................................. 8

............................................................................................ 8

...................................................................................................... 9

........................................................................................... 9

...................................................................................................... 10

................................................................................................ 10

........................................................................... 11


................................................................... 12

................................................................................................ 13

.................................................................................................................. 13

................................................................................. 14

................................................................................. 14

............................................................................................................................. 15

................................................................................. 15

................................................................................. 15

..................................................................................................... 16

................................................................................. 16

................................................................................. 17

................................................................... 17

................................................................................................................... 17



Layer 2-4 Fast Path

IP Security Blocking

Layer 3 – 7,Security Group Tag,

and IdentityMatching

Threat InspectionAnd Blocking

LeafDomain

Final Action(Block, IPS, Network Discovery)

NGFW Policies: Efficiently Building Zero-Trust

• Like traditional firewall policies, rules run from top to bottom

• Some functions (fast path, IPSec, SSL, and traffic normalization) run before traffic is matched against an Access Control Rule

• Good to always be reducing the potential number of rules that any traffic pattern can hit.• Exp: SSH matches more than tcp/22• Caveat: matches without port info means

some packets will potentially pass until the app is detected.

• Each matched ACL has it’s own threat monitoring conditions (IPS, Malware, IPS Variables)

• The model can apply to policy “blocks” and/or leaf-domains.



9

Packets and Policies: Know What’s Happening Where

SI (IP)

File/AMP IPS

SSL

SI:

DNS

URL Pre-proc

NAP

IPSID

L7 ACLDiscovery

App

Pasv ID

Host

Prefilter

Policy

DAQ

RXIngres

InterfaceTX

Existing

Conn

Egress

InterfacePre-Filter

L3/L4

ACL

ALG

ChecksNAT

L3, L2

Hops

Y

VPN

Decrypt

N

QoS

VPN Encrypt

Fastpathed

VPN

Config

ASA/Lina

Firepower

Knowing your detection process impacts:

• How you analyze the data

• How you tune your security applianceElement Enabled in AC Policy

Access

Control

Policy

Intrusion

Policy

Network

Discovery

Policy

Intrusion

Policy

(NAP)

Network

Analysis

Policy

Malware

& File

Policy

Identity

Policy

DNS

Policy

SSL

Policy

$VAR

$VAR Objects

File/AMP IPSL7 ACL

ACP Rule Chain













http://www.cisco.com/go/offices

Documents

NGFW Policy Order Of Operations - Cisco€¦ · l 4 © 2018 Cisco Systems, Inc. All rights reserved. L a yer 2-4 F a st P a th IP Secu rity B lock ing L a yer 3 t 7, Secu rity G rou