How to modify default ASA inspection policy on FTD image

p-natarajan
Level 1

Hello,

I am migrating an ASA5512 from the ASA image to the FTD 6.0.1 image. Only an Access Control policy is in use (no inspection policies in Firepower Management Center).

Using the diagnostic CLI, I notice inspection of H.323 and SIP, which is the default in ASA (see output below). I am looking for a way to disable the inspections for H.323 and SIP in the global_policy. Does anyone know how to do it, since our applications require H.323 and SIP inspections to be disabled?

> system support diagnostic-cli
Attaching to ASA console ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.
firepower> en
Password:
firepower# sh run
: Saved
: Hardware:   ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
NGFW Version 6.0.1
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
  inspect icmp error
  inspect dcerpc
!
service-policy global_policy global
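Since the diagnostic CLI is read-only for this purpose, a practical step after migration is to audit the running config and confirm which inspections are actually active under the globally applied service policy. The script below is an added example, not part of the original post or of any Cisco tool; the function names and the trimmed sample config are constructed for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a trimmed copy of the "show run" excerpt from the post above.
SAMPLE_RUN = """\
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect icmp
  inspect icmp error
!
service-policy global_policy global
"""

def parse_policy_maps(config: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_map: {class_name: [inspect statements]}} for plain policy-maps.
    'policy-map type inspect ...' blocks tune one inspector and carry no 'inspect' lines."""
    maps: Dict[str, Dict[str, List[str]]] = {}
    current_map = current_class = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("policy-map "):
            parts = line.split()
            current_map = None if parts[1] == "type" else parts[1]
            if current_map:
                maps[current_map] = {}
            current_class = None
        elif current_map and line.startswith("class "):
            current_class = line.split(None, 1)[1]
            maps[current_map][current_class] = []
        elif current_map and current_class and line.startswith("inspect "):
            maps[current_map][current_class].append(line[len("inspect "):])
        elif line == "!" or line.startswith("service-policy "):
            current_map = current_class = None  # end of the policy-map block
    return maps

def global_service_policies(config: str) -> List[str]:
    """Names of policy-maps applied with 'service-policy <name> global'."""
    return re.findall(r"^service-policy (\S+) global$", config, re.M)

def active_global_inspections(config: str) -> Set[str]:
    """Protocol keywords (first word after 'inspect') enabled under a global policy."""
    maps = parse_policy_maps(config)
    return {stmt.split()[0] for name in global_service_policies(config)
            for inspects in maps.get(name, {}).values() for stmt in inspects}

def unwanted_inspections(config: str, must_be_disabled: Set[str]) -> List[str]:
    """Sorted list of inspections that are active but should not be (e.g. {'h323', 'sip'})."""
    return sorted(active_global_inspections(config) & must_be_disabled)
```

Running `unwanted_inspections(SAMPLE_RUN, {"h323", "sip"})` against a fresh `show run` capture gives a quick pass/fail check for the requirement in the post; an empty list means the global policy no longer inspects those protocols.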

2 Replies

Oliver Kaiser
Level 7

Unfortunately this is not possible with FTD at the moment. I already opened a case and talked with a TAC engineer about this. An enhancement bug has been opened. In my opinion this should be fixed ASAP.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz83802

Marvin Rhoads
Hall of Fame

To add insult to injury, they broke it further in 6.1, 6.2 and 6.2.1:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb40875
