https://community.cisco.com/t5/network-security/system-support-firewall-engine-debug-shows-rules-being-bypassed/m-p/4533381#M1086519 <P>Is there an interface associated with the outside_zone for that FTD?</P> <P>If there is, perhaps there is something in snort that is allowing the traffic,&nbsp; Have a look at <STRONG>system support trace</STRONG> in the CLI</P> Tue, 18 Jan 2022 15:31:59 GMT Marius Gunnerud 2022-01-18T15:31:59Z https://community.cisco.com/t5/network-security/system-support-firewall-engine-debug-shows-rules-being-bypassed/m-p/4532659#M1086492 <P class=""><SPAN class=""><SPAN>It appears this particular firewall is not acknowledging the last rule prior to default action. Its the only firewall in our fleet ignoring that rule. I test all other firewalls and confirmed they are matching. I made sure the zones are applied to interfaces. Not sure what i am missing. Running 7.0.1 version of FDM/FTD</SPAN></SPAN></P><P class="">&nbsp;</P><P class="">&nbsp;</P><P class=""><SPAN class=""><SPAN>192.168.4.55 53343 -&gt; 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -&gt; -1, geo 0(xff 0) -&gt; 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url <A href="https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fself.events.data.microsoft.com%2F&amp;data=04%7C01%7Cbabiojd%40airproducts.com%7Cc8b3f9b4e4374168306a08d9d9c2a0d7%7C950af35660254fdb96a0a9be6b893fec%7C0%7C0%7C637780252504633496%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=aT3BR6Gij4aIrzP8LC2dtYsaHWtgomJe%2F3TzGWb%2F%2FxQ%3D&amp;reserved=0" target="_blank" rel="noopener">self.events.data.microsoft.com</A>, host <A href="https://nam10.safelinks.protection.outlook.com/?url=http%3A%2F%2Fself.events.data.microsoft.com%2F&amp;data=04%7C01%7Cbabiojd%40airproducts.com%7Cc8b3f9b4e4374168306a08d9d9c2a0d7%7C950af35660254fdb96a0a9be6b893fec%7C0%7C0%7C637780252504643491%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&amp;sdata=TVQNjKFNU6saaZjSlyjmFf%2F2aBC9Oq2VQfBwHBAOI50%3D&amp;reserved=0" target="_blank" rel="noopener">self.events.data.microsoft.com</A>, no xff</SPAN></SPAN></P><P class=""><SPAN><SPAN class=""><SPAN>192.168.4.55 53343 -&gt; 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN</SPAN></SPAN></SPAN></P><P class=""><SPAN><SPAN class=""><SPAN>192.168.4.55 53343 -&gt; 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN</SPAN></SPAN></SPAN></P><P class=""><SPAN><SPAN class=""><SPAN>192.168.4.55 53343 -&gt; 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow</SPAN></SPAN></SPAN></P><P class=""><SPAN><SPAN class=""><SPAN>192.168.4.55 53343 -&gt; 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action</SPAN></SPAN></SPAN></P><P class="">&nbsp;</P><P class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="acp.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/141408iDC332D48C3AF486F/image-size/large?v=v2&amp;px=999" role="button" title="acp.png" alt="acp.png" /></span></P> Mon, 17 Jan 2022 14:11:27 GMT https://community.cisco.com/t5/network-security/system-support-firewall-engine-debug-shows-rules-being-bypassed/m-p/4532659#M1086492 babiojd01 2022-01-17T14:11:27Z https://community.cisco.com/t5/network-security/system-support-firewall-engine-debug-shows-rules-being-bypassed/m-p/4533381#M1086519 <P>Is there an interface associated with the outside_zone for that FTD?</P> <P>If there is, perhaps there is something in snort that is allowing the traffic,&nbsp; Have a look at <STRONG>system support trace</STRONG> in the CLI</P> Tue, 18 Jan 2022 15:31:59 GMT https://community.cisco.com/t5/network-security/system-support-firewall-engine-debug-shows-rules-being-bypassed/m-p/4533381#M1086519 Marius Gunnerud 2022-01-18T15:31:59Z