09-28-2016 07:51 PM
Hello,
I am migrating ASA5512 from ASA image to FTD 6.0.1 image. Only Access control policy (no inspection policies in Firepower Management center)
using the diagnostic cli, notice inspection of h323 and sip which is default in ASA (see output below). Looking for a way to disable the inspections for h323 and sip in the global_policy. any one know how to do it, since our applications require h323 and sip inspections to be disabled
> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password:
firepower# sh run
: Saved
: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
NGFW Version 6.0.1
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect dcerpc
!
service-policy global_policy global
10-09-2016 02:00 PM
Unfortunately this is not possible with FTD at the moment. I already opened a Case and talked with a TAC engineer about this. An enhancement bug has been opened. In my opinion this should be fixed asap.
03-06-2017 04:32 AM
To add insult to injury, they broke it further in 6.1, 6.2 and 6.2.1:
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide