topic Re: Firepower ACP Oddness in Network Security

Firepower ACP Oddness

dm2020 — Tue, 12 Mar 2019 14:09:55 GMT

Hi All,

I have an issue with a small Firepower deployment. I have a single FTD 2210 appliance that has a simple ACP applied that permits outbound ICMP, DNS and HTTPs traffic using application rules. See attached screenshot.

This works ok, however, if I attempt to telnet test to an external IP address on port 3001, which is not permitted by any rules, the firewall-engine-debug appears to match against the 'Permit ICMP' rule with a verdict of pass. I was hoping to see this as a deny so its clear that its being denied by the firewall. Is this a known issue?

10.1.11.13-62684 - 6.6.6.6-3001 6 Packet: TCP, SYN, seq 3358167107
10.1.11.13-62684 - 6.6.6.6-3001 6 AppID: service unknown (0), application unknown (0)
10.1.11.13-62684 > 6.6.6.6-3001 6 AS 1 I 1 Starting with minimum 2, 'Permit ICMP', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.1.11.13-62684 > 6.6.6.6-3001 6 AS 1 I 1 pending rule order 2, 'Permit ICMP', AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Firewall: pending rule-matching, 'Permit ICMP', pending AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Snort id 1, NAP id 1, IPS id 0, Verdict PASS

Thanks

Re: Firepower ACP Oddness

Abheesh Kumar — Tue, 11 Dec 2018 18:07:31 GMT

Hi,
Do a packet tracer from FTD and see if that is allowing or not. As per your acp rules ICMP,HTTPS & DNS are only allowed.
One more suggestion instead of application enter the destination port and do a firewall engine debug, i think that will get block.

HTH
Abheesh

Re: Firepower ACP Oddness

dm2020 — Tue, 11 Dec 2018 20:22:36 GMT

Hi,

I've run a packet trace and it does show it as blocked - Drop-reason: (acl-drop) Flow is denied by configured rule

Also if I change the rules to use ports instead of application then the firewall engine debug does report the traffic as denied by firewall and not pass which is what I would expect. Is there any reason for the application inspection to behave like this? Should I be using ports instead of applications in my rules?

Thank you

Re: Firepower ACP Oddness

Abheesh Kumar — Tue, 11 Dec 2018 21:25:16 GMT

Hi,
We have similar kind of issue of TOR connection and opened a ticket with cisco. As per TAC, to identify applications FTD will allow few packets to pass through to look the application payload to detect the application. I think that's why in debug it shows allow. Better do create rule with ports that will be works perfect.

Hope This Helps

Abheesh

Re: Firepower ACP Oddness

dm2020 — Wed, 12 Dec 2018 09:04:18 GMT

Ok that makes sense. Thank you for the reply, very helpful