FMC/FTD Inspection before identification

stamperbrian — Sun, 02 Jan 2022 14:57:44 GMT

Doing a bunch of testing with FMC/FTD and came across this article talking about inspection of packets that pass before traffic is identified. I'm testing this with ftp. My policy is very simple (picture attached). The traffic in question will hit the FTPBLOCK rule. I'm doing a simple FTP out to a public FTP server and in my case no matter what I do the initial connection is allowed. I enter username and pass and only then does the firewall deny the traffic. All I see in the log is the deny yet a packet capture and the output on the screen certainly shows this being allowed for that period of time.

The article states that adding the inspection Intrusion policy is how this is handled. I've tested with both Balanced Security and Connectivity and Security over connectivity adding it to the policy and the rule it would otherwise hit (Internet) as you can't add this to a block rule. I've tested with block, block with reset, etc. Currently the only way I've been able to make sure that initial traffic doesn't go out is to add a pre-filter rule to block it OR to disable the monitor rules I have at the top. In my case my block rule isn't even using application detection as I'm simply blocking tcp 20/21 all together. I then found this article that talks about monitor rules stating they would allow early packets if they contain layer 7 conditions. However, it goes on to say you can specify an intrusion policy and links to the other article.

My goal here is to make sure this traffic doesn't make it out at all from the get go. Just curious if anyone has any info on what I would need to do here to make that happen while still being able to keep the monitor rules in place?

topic FMC/FTD Inspection before identification in Network Security

FMC/FTD Inspection before identification