topic Re: access rules firepower 1010 in Network Security

access rules firepower 1010

BornJames — Sun, 09 Jul 2023 01:01:45 GMT

Hi team,

have a question regarding access rules.

how come if any any eveyrhting works fine.

however when i want to allow lets say connect to facebook, and everything else disable

so i put source(inside) network(any-ipv4) ports(any) destination(outside_zone) network(FQDN facebook.com) ports (any)

so now I should have connection only to facebook, however no connection at all.

Re: access rules firepower 1010

Aref Alsouqi — Sun, 09 Jul 2023 22:55:20 GMT

How the internal endpoints resolve facebook.com? Is that via an internal DNS server or an external one? In case you are using internal DNS, is that internal DNS server able to resolve facebook.com? Also, is the firewall able to actually resolve that FQDN? and is the firewall and the endpoints are resolving to the same IP? If not the firewall might drop the traffic if the IP addresses don't match.

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 00:46:03 GMT

Hello Aref,

the DNS resolvers is the external ones.

when you say firewall able to resolve that FQDN do you mean when i do it via cli ?

becuase when i do it via CLI like this ping system facebook.com it doesnt work

Re: access rules firepower 1010

MHM Cisco World — Mon, 10 Jul 2023 08:03:54 GMT

so there is issue with DNS
first point to clear here is
DNS for data different than DNS for mgmt
you run FPR 1010 with ASA image or FTD image ?
FPR mgmt by FDM or FMC ?

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 09:19:49 GMT

Thank you for the reply.

I have got default DNS group which consists of 8.8.8.8 8.8.4.4 and is used for Vlan 1 and for management

but I also I have got this configured, so the PCs could get this DNS

are you saying that it is not how it is suppose to be ?

you run FPR 1010 with ASA image or FTD image ?
FPR mgmt by FDM or FMC ?

how would I check that ?

it is just out of box

thank you

Re: access rules firepower 1010

Aref Alsouqi — Mon, 10 Jul 2023 09:14:14 GMT

Yes, to verify the firewall resolution you can try with the command "sh dns" from LINA CLI, or you can use the command "sh access-list < the ACL name>" and look at the rule where you defined the FQDN. If you are running an FTD code then you can type the command "support system diagnostic-cli" from the CLISH mode (>) and then type "enable" and hit enter with no password, that will take you to LINA CLI which is basically the ASA CLI.

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 09:26:19 GMT

Hi Aref,

I dont have these commands "sh dns" "invalid command at ^ dns"

I did find an article on troubleshooting the DNS, but was surprised that I cannot run these commands

Re: access rules firepower 1010

Aref Alsouqi — Mon, 10 Jul 2023 09:59:39 GMT

Would you mind sending the screenshot from where you are trying to apply them?

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 10:04:27 GMT

i have tried through here

when running via the gui clie i get "this command is not supported"

as well as via putty

when via putty

testfirepower# sh dns

% Invalid Command at '^' marker

Re: access rules firepower 1010

Aref Alsouqi — Mon, 10 Jul 2023 10:31:02 GMT

the (>) is what so called CLISH mode, those commands can't be run from there, however, it should have worked via the SSH connection. Did you try to issue the other command "sh access-list < the ACL name>"?, also, if you run the command "sh run dns" do you see any configuration output?

Re: access rules firepower 1010

MHM Cisco World — Mon, 10 Jul 2023 10:39:52 GMT

Client -> FPR -> 8.8.8.8 this need ACL config in FPR allow INside subnet to ANY UDP port 53 and as normal you need NATing INside to OUTside public IP

FPR -> 8.8.8.8 this need change the source of DNS from mgmt to INside Or keep mgmt as source of DNS but NATing the mgmt interface to OUTside interface.

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 10:44:27 GMT

im not connected via ssh but console.

I am wondering could this be becuase the license is not enabled yet ?

we havent registered the device yet

Re: access rules firepower 1010

Aref Alsouqi — Mon, 10 Jul 2023 10:47:32 GMT

I don't believe applying the licenses would affect at least the DNS configuration. How did you get to this mode "testfirepower# " from the console? did you have to move from the CLISH mode (>) using the command "support system diagnostic-cli"? if not you might be on the FXOS line rather than LINA.

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 10:51:31 GMT

we just have a console cable connected to the firewall and when I use putty to connect to it, it asks crednetials and thats it im in testfirepower# " mode

didnt have to use anything

Re: access rules firepower 1010

BornJames — Mon, 10 Jul 2023 10:51:38 GMT

Yeh, I do have that rle allowing from inside to outside port 53 for tcp and udp, also NATing is in place as the everything is working fine when I have any to any rule configured.

dont understand the second part that I need to change for management...

Re: access rules firepower 1010

Aref Alsouqi — Mon, 10 Jul 2023 10:54:43 GMT

ok then I believe you are in FXOS mode. When you are on "testfirepower#" try please to type "connect ftd", and then "support system diagnostic-cli" and then "enable" and hit enter with no password and finally issue the above commands please.

Re: access rules firepower 1010

MHM Cisco World — Mon, 10 Jul 2023 10:58:25 GMT

OK, when you use FQDN in ACL instead of IP, here the FPR will resolve the FQDN into IP
so here the DNS is mgmt not data,
FPR will send DNS request using mgmt as source IP and 8.8.8.8 as destination BUT
are 8.8.8.8 know FPR mgmt private IP ? sure NO, so you need IP that can access internet and hence you can use data interface INside as source for DNS mgmt traffic.
hope this help you friend.
thanks
MHM

Re: access rules firepower 1010

BornJames — Tue, 11 Jul 2023 02:51:18 GMT

Hello Aref,

It did allow me to enter the connect ftd, i got to ">" mode but when trying to enter support system diagnostic-cli it doenst let me , cnanot push space between the words or even push enter when entering just support

Re: access rules firepower 1010

BornJames — Tue, 11 Jul 2023 03:02:13 GMT

Hello MHM,

I have access to the internet via Vlan 1 it is working, what would this rule look like ?

"so you need IP that can access internet and hence you can use data interface INside as source for DNS mgmt traffic. "

thank you for the help

Re: access rules firepower 1010

Aref Alsouqi — Tue, 11 Jul 2023 07:08:14 GMT

Apologies, that was my bad, I did invert the first two words. The command should be "system support diagnostic-cli".