https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911605#M1103792 <P>I believe I have that already set up (I followed the documentation on how to set up a site-to-site VPN, and configuring an Access Control Policy that would allow VPN traffic was part of that). Specifically, under "...-Internet-Outside" the top rule is:</P><P>Name: Allow Site-to-Site VPN<BR />Source Zones: Any<BR />Dest Zones: Any<BR />Source Networks: group-inside-networks-vpn,&nbsp;group-[remote]-networks-vpn<BR />Dest Networks: group-inside-networks-vpn,&nbsp;group-[remote]-networks-vpn<BR />VLAN Tags: Any<BR />Users: Any<BR />Applications: Any<BR />Source Ports: Any<BR />Dest Ports: Any<BR />URLs: Any<BR />Source SGT: Any<BR />Dest SGT: Any<BR />Action: Allow</P><P>Since group-[remote]-networks-vpn contains the IP address ranges that are cover the traffic in that VPN tunnel, shouldn't this Access Control Policy be exempting that traffic?</P> Thu, 24 Aug 2023 19:58:44 GMT nnraymond 2023-08-24T19:58:44Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911586#M1103790 <P>I have our Firepower 4110 successfully connected via a site-to-site VPN to our Meraki MX95 appliance in another location, and things are mostly working however some of the SMB traffic is showing as action "Block", reason "File Block", ingress security zone "inside-internet", egress security zone "outside-internet". This is negatively impacting our ability to use PDQ Inventory and PDQ Deploy to manage our PC workstations across the VPN. Our VPN is running over an interface which is in the "outside-internet" group on the Firepower, but I obviously don't want the traffic inside that VPN connection to be scanned and blocked this way by the Firepower. What steps do I need to take to except that VPN traffic from inspection and blocking?</P> Thu, 24 Aug 2023 19:30:30 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911586#M1103790 nnraymond 2023-08-24T19:30:30Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911589#M1103791 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/517073">@nnraymond</a> modify your file policy to ensure traffic from your LAN networks to the remote VPN networks is not inspected. <A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html#id_104661" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html#id_104661</A></P> <P>&nbsp;</P> Thu, 24 Aug 2023 19:38:16 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911589#M1103791 Rob Ingram 2023-08-24T19:38:16Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911605#M1103792 <P>I believe I have that already set up (I followed the documentation on how to set up a site-to-site VPN, and configuring an Access Control Policy that would allow VPN traffic was part of that). Specifically, under "...-Internet-Outside" the top rule is:</P><P>Name: Allow Site-to-Site VPN<BR />Source Zones: Any<BR />Dest Zones: Any<BR />Source Networks: group-inside-networks-vpn,&nbsp;group-[remote]-networks-vpn<BR />Dest Networks: group-inside-networks-vpn,&nbsp;group-[remote]-networks-vpn<BR />VLAN Tags: Any<BR />Users: Any<BR />Applications: Any<BR />Source Ports: Any<BR />Dest Ports: Any<BR />URLs: Any<BR />Source SGT: Any<BR />Dest SGT: Any<BR />Action: Allow</P><P>Since group-[remote]-networks-vpn contains the IP address ranges that are cover the traffic in that VPN tunnel, shouldn't this Access Control Policy be exempting that traffic?</P> Thu, 24 Aug 2023 19:58:44 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911605#M1103792 nnraymond 2023-08-24T19:58:44Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911607#M1103793 <P>Hmm, I believe I chose "Allow" because that's what the guide said, but now that I think about it, should that instead be "Trust", since "Allow" will mean that intrusion protection and file policies will be applied, and that is likely what is causing the SMB traffic to be affected, correct? (And if so, what was the reasoning behind having it set to "Allow" instead of "Trust"?)</P> Thu, 24 Aug 2023 20:02:19 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911607#M1103793 nnraymond 2023-08-24T20:02:19Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911608#M1103794 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/517073">@nnraymond</a> I am referring to the File Policy not the Access Control policy. The File Policy is associated to the Access Control Policy.</P> Thu, 24 Aug 2023 20:04:08 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4911608#M1103794 Rob Ingram 2023-08-24T20:04:08Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4913250#M1103852 <P>FYI,&nbsp;changing "Allow" to "Trust" on the "<SPAN>Allow Site-to-Site VPN" rule made no difference on the blocks that the Firepower is doing to that traffic.</SPAN></P><P>We have one file policy, and is used by our 1 access control policy. I don't see any place in that file policy where I can create an exception for traffic over that site-to-site connection. There are two rules there:</P><P>Application Protocol: Any<BR />Direction of Transfer: Any<BR />Action: Block Malware<BR />Enabled: Spero Analysis for MSEXE, Local Malware Analysis, Reset Connection<BR />Store Files: Malware, Unknown<BR />Categories: Local Malware Analysis, System Files, Graphics, Encoded, PDF files, Executables, Multimedia, Archive, Office Documents</P><P>Application Protocol: Any<BR />Direction of Transfer: Any<BR />Action: Block Malware<BR />Enabled: Spero Analysis for MSEXE, Dynamic Analysis, Capacity Handling, Local Malware Analysis, Reset Connection<BR />Store Files: Malware, Unknown, Categories: Dynamic Analysis Capable</P><P>Why didn't my alteration of the security policy rule from allow to trust bypass these Malware &amp; File Policies? Is there something I'm supposed to do to the malware and file policies themselves to create an exception for the VPN, and if so, where? The page you linked me to doesn't seem to shed any light on that.</P> Mon, 28 Aug 2023 19:50:31 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4913250#M1103852 nnraymond 2023-08-28T19:50:31Z https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4913267#M1103854 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/517073">@nnraymond</a>&nbsp;thinking about it, create a new access control rule above the existing rule in the Access Control Policy, which permits the VPN traffic. Do NOT reference the file policy in this new rule, therefore VPN traffic will match the new rule without applying the file policy.</P> Mon, 28 Aug 2023 20:18:34 GMT https://community.cisco.com/t5/network-security/site-to-site-vpn-is-blocking-smb-traffic/m-p/4913267#M1103854 Rob Ingram 2023-08-28T20:18:34Z