topic Re: Packet is blocked as requested by snort with Prefilter anyany fast in Network Security

topic Re: Packet is blocked as requested by snort with Prefilter anyany fast in Network Security https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954241#M1105604 <P>It is like <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> noted.</P> <P>A properly formed and applied prefilter policy with "clear conn" having been done afterwards will take Snort out of the path altogether.</P> Mon, 06 Nov 2023 13:54:37 GMT Marvin Rhoads 2023-11-06T13:54:37Z Packet is blocked as requested by snort with Prefilter anyany fastpath https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4953566#M1105573 <P>Is there any way that Snort can still block or drop a packet/traffic even if i already added a prefilter policy that sets as any any network and with fastpath? Also i have disabled all my access control policy except for default ACP that is set to "Trust All Traffic"</P><P>These are the diagnostic data gathered below, random users experienced dropped traffic specifically accesses to cloud servers.</P><P><BR />326: 12:06:43.000030 192.168.7.122.54741 > 20.189.173.14.443: P 1630889135:1630889364(229) ack 3677944706 win 1024 <SPAN>Drop-reason: (snort-block) Packet is blocked as requested by snort, Drop-location: frame 0x000055e9e3316112 flow (NA)/NA</SPAN></P><P>327: 12:06:43.257463 192.168.5.100.56591 > 142.251.221.3.443: P 91537800:91538757(957) ack 1105471243 win 512 <SPAN>Drop-reason: (snort-block) Packet is blocked as requested by snort, Drop-location: frame 0x000055e9e3316112 flow (NA)/NA</SPAN></P><P>328: 12:06:43.305953 192.168.9.102.55730 > 13.107.136.10.443: P 1070331683:1070331874(191) ack 3766062448 win 1024 Drop-reason: (snort-block) Packet is blocked as requested by snort, Drop-location: frame 0x000055e9e3316112 flow (NA)/NA</P><P>ASP Drop data below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image001.png" style="width: 967px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201618i32E13E9DC855F71F/image-size/medium?v=v2&px=400" role="button" title="image001.png" alt="image001.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image002.png" style="width: 970px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201619i5334CBE14D7C13CA/image-size/medium?v=v2&px=400" role="button" title="image002.png" alt="image002.png" /></span></P><P>Are these drop counts normal or expected even after creating a fastpath inf pre filter policy and disabled all ACP rules and just retained the default action which is "TRUST ALL TRAFFIC" </P><P> </P><P>We are using FTD7.0.6 and FMC7.3.1</P><P> </P> Sat, 04 Nov 2023 13:11:28 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4953566#M1105573 Tritontek 2023-11-04T13:11:28Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954033#M1105598 <P>the fastpath prefilter must allow all traffic pass without inspect via Snort. </P> <P>do you clear conn after add prefilter ?<BR /><BR />Thanks A Lot <BR />MHM</P> Mon, 06 Nov 2023 06:25:55 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954033#M1105598 MHM Cisco World 2023-11-06T06:25:55Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954241#M1105604 <P>It is like <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> noted.</P> <P>A properly formed and applied prefilter policy with "clear conn" having been done afterwards will take Snort out of the path altogether.</P> Mon, 06 Nov 2023 13:54:37 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954241#M1105604 Marvin Rhoads 2023-11-06T13:54:37Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954559#M1105620 <P>The counters have never been cleared, clear the counters and then review the output again to get an accurate picture of what is being dropped.</P> Mon, 06 Nov 2023 22:11:13 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954559#M1105620 Marius Gunnerud 2023-11-06T22:11:13Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954766#M1105623 <P>Hi Sir,</P><P>i have cleared the counters now and ran some packet capture and from the results i just gather all the data with DROP action. Here are the few of them below:</P><P>NOTE: These are the results when i added the pre-filter policy and used the ACP rule with allow all any any. I can see a lot of Phase 5, Access-List and Snort being dropped. Where can i check on these below more further?</P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />18: 07:37:37.427407 94.102.57.152.49370 > 61.245.4.9.443: S 2333418438:2333418438(0) win 29200 <mss 1460,sackOK,timestamp 1622119284 0,nop,wscale 7></P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />19: 07:37:37.463385 94.102.57.152.49416 > 61.245.4.9.443: S 386166707:386166707(0) win 29200 <mss 1460,sackOK,timestamp 1622119320 0,nop,wscale 7></P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />20: 07:37:37.567567 94.102.57.152.49562 > 61.245.4.9.443: S 1952941204:1952941204(0) win 29200 <mss 1460,sackOK,timestamp 1622119424 0,nop,wscale 7></P><P><BR />Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />21: 07:37:38.064526 61.245.4.9.63298 > 188.172.208.139.5938: P 3659605041:3659605097(56) ack 419956790 win 1019<BR />22: 07:37:38.138603 188.172.208.139.5938 > 61.245.4.9.63298: P 419956790:419956846(56) ack 3659605097 win 10310</P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />171: 07:37:41.378734 54.192.150.44.443 > 61.245.4.9.64536: S 1880898966:1880898966(0) ack 379764042 win 65535 <mss 1440,nop,nop,sackOK,nop,wscale 9></P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />178: 07:37:41.464773 54.192.150.44.443 > 61.245.4.9.12066: . ack 1165596856 win 65535</P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />188: 07:37:41.482991 20.107.224.24.443 > 61.245.4.9.61721: . ack 2573826798 win 16387</P><P> </P><P>Phase: 5<BR />Type: ACCESS-LIST<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Implicit Rule<BR />Additional Information:</P><P>Result:<BR />input-interface: OUTSIDE1_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x00005623b4b75ccf flow (NA)/NA</P><P><BR />204: 07:37:41.581360 61.245.4.9.64536 > 54.192.150.44.443: P 379764042:379764359(317) ack 1880898967 win 128<BR />205: 07:37:41.581512 52.27.216.242.443 > 61.245.4.9.64534: . ack 3247401357 win 110</P><P> </P><P>Here is the ASP DROP result: No more Snort drop but there are a lot of other drops.</P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_1-1699345865960.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201827iFC00344F9CB13609/image-size/medium?v=v2&px=400" role="button" title="Tritontek_1-1699345865960.png" alt="Tritontek_1-1699345865960.png" /></span></P><P> </P><P> </P> Tue, 07 Nov 2023 08:31:05 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954766#M1105623 Tritontek 2023-11-07T08:31:05Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954786#M1105626 <P>can you share the packet tracer (after add detail keyword in end) with it result <BR /><BR />Thanks A Lot <BR />MHM</P> Tue, 07 Nov 2023 08:48:08 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954786#M1105626 MHM Cisco World 2023-11-07T08:48:08Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954898#M1105632 <P>You may find it useful to use the command "system support firewall-engine-debug" to troubleshoot a specific source or destination address.</P> <P>This article explains its use in detail:</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html</A></P> Tue, 07 Nov 2023 12:54:46 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4954898#M1105632 Marvin Rhoads 2023-11-07T12:54:46Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955136#M1105651 <P>Here are some counters a ran using Packet Tracer detailed and Packet Capture in FMC GUI. I have noticed that if i run some captures in FMC GUI snort drops some packets to an IP but when i run packet tracer detailed in CLI it gives me a pass or allow results which is so confusing and most of these IP adresses are from amazon, cloudfront and i am not sure if these are safe or not.</P><P><STRONG>Here are 2 of the few results below:</STRONG></P><P> </P><P><STRONG>nslookup 52.222.174.37 - server-52-222-174-37.cdg50.r.cloudfront.net</STRONG></P><P><STRONG>FROM FMC GUI PACKCAPTURE: 52.222.174.37</STRONG></P><P>CAPTURE:<BR />Phase: 5<BR />Type: SNORT<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Additional Information:<BR />Snort Trace:<BR />50:9A:4C:50:3B:89 -> CC:7F:76:49:EE:66 0800<BR />172.21.1.10:50538 -> 52.222.174.37:443 proto 6 AS=0 ID=2 GR=1-1<BR />Packet 1096542: TCP ***AP***, 11/07-18:26:15.709954, seq 1604190099, ack 3647251291, dsize 723<BR />AppID: service: HTTPS(1122), client: SSL client(1296), payload: Cisco(2655), misc: (0)<BR />Firewall: allow rule, 'INSIDE-TO-OUTSIDE_RULE' , allow<BR />Policies: Network 0, Inspection 0, Detection 0<BR />Verdict: pass<BR />Snort Verdict: (block-packet) drop this packet</P><P>Result:<BR />input-interface: INSIDE_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (none) Not a blocking packet, Drop-location: frame 0x00005623b5a38112 flow (NA)/NA</P><P><BR />108: 18:26:15.712426 52.222.174.37.443 > 172.21.1.10.50538: . ack 1604190822 win 64<BR />109: 18:26:15.905913 52.222.174.37.443 > 172.21.1.10.50538: P 3647251291:3647251525(234) ack 1604190822 win 131<BR />110: 18:26:15.906676 172.21.1.10.50538 > 52.222.174.37.443: P 1604190822:1604190886(64) ack 3647251525 win 1023</P><P><STRONG>FROM FTD CLI PACKET TRACE: 52.222.174.37</STRONG></P><P>> packet-tracer input INSIDE_INT tcp 172.21.1.10 443 52.222.174.37 443 detailed</P><P>Phase: 12<BR />Type: EXTERNAL-INSPECT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Application: 'SNORT Inspect'</P><P>Phase: 13<BR />Type: SNORT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Snort Trace:<BR />00:00:00:00:00:00 -> CC:7F:76:49:EE:66 0800<BR />172.21.1.10:443 -> 52.222.174.37:443 proto 6 AS=0 ID=0 GR=1-1<BR />Packet 518990: TCP ******S*, 11/07-18:27:48.479970, seq 1617196482, dsize 0<BR />Session: new snort session<BR />AppID: service: (0), client: (0), payload: (0), misc: (0)<BR />Firewall: allow rule, id 268453889, allow<BR />Policies: Network 0, Inspection 0, Detection 0<BR />Verdict: pass<BR />Snort Verdict: (pass-packet) allow this packet</P><P> </P><P><STRONG>nslookup 44.225.146.46 - ec2-44-225-146-46.us-west-2.compute.amazonaws.com</STRONG></P><P><STRONG>FROM FMC GUI PACKCAPTURE: 44.225.146.46 </STRONG></P><P>Phase: 4<BR />Type: EXTERNAL-INSPECT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Application: 'SNORT Inspect'</P><P>Phase: 5<BR />Type: SNORT<BR />Subtype:<BR />Result: DROP<BR />Config:<BR />Additional Information:<BR />Snort Trace:<BR />50:9A:4C:50:3B:89 -> CC:7F:76:49:EE:66 0800<BR />172.21.1.10:50540 -> 44.225.146.46:443 proto 6 AS=0 ID=2 GR=1-1<BR />Packet 1096558: TCP ***AP***, 11/07-18:26:21.619963, seq 3630937333, ack 3142007512, dsize 616<BR />AppID: service: HTTPS(1122), client: SSL client(1296), payload: AppDynamics(7166), misc: (0)<BR />Firewall: allow rule, 'INSIDE-TO-OUTSIDE_RULE' , allow<BR />Policies: Network 0, Inspection 0, Detection 0<BR />Verdict: pass<BR />Snort Verdict: (block-packet) drop this packet</P><P>Result:<BR />input-interface: INSIDE_INT(vrfid:0)<BR />input-status: up<BR />input-line-status: up<BR />Action: drop<BR />Drop-reason: (none) Not a blocking packet, Drop-location: frame 0x00005623b5a38112 flow (NA)/NA</P><P><BR />150: 18:26:21.630399 44.225.146.46.443 > 172.21.1.10.50540: . ack 3630937949 win 128<BR />151: 18:26:21.834002 44.225.146.46.443 > 172.21.1.10.50540: . 3142007512:3142008892(1380) ack 3630937949 win 110<BR />152: 18:26:21.834032 44.225.146.46.443 > 172.21.1.10.50540: . 3142008892:3142010272(1380) ack 3630937949 win 110<BR />153: 18:26:21.834490 172.21.1.10.50540 > 44.225.146.46.443: . ack 3142010272 win 1024</P><P> </P><P><STRONG>FROM FTD CLI PACKET TRACE: 44.225.146.46</STRONG></P><P>Phase: 12<BR />Type: EXTERNAL-INSPECT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Application: 'SNORT Inspect'</P><P>Phase: 13<BR />Type: SNORT<BR />Subtype:<BR />Result: ALLOW<BR />Config:<BR />Additional Information:<BR />Snort Trace:<BR />00:00:00:00:00:00 -> CC:7F:76:49:EE:66 0800<BR />172.21.1.10:443 -> 44.225.146.46:443 proto 6 AS=0 ID=1 GR=1-1<BR />Packet 850434: TCP ******S*, 11/07-18:29:30.859940, seq 1410578557, dsize 0<BR />Session: new snort session<BR />AppID: service: (0), client: (0), payload: (0), misc: (0)<BR />Firewall: allow rule, id 268453889, allow<BR />Policies: Network 0, Inspection 0, Detection 0<BR />Verdict: pass<BR />Snort Verdict: (pass-packet) allow this packet</P><P> </P><P> </P><P>this is so confusing, everytime i run trace or capture there will be a new IP that will be blocked or dropped by snort and mostly are from amazon AWS. I dont know where and why snort is blocking this since this is a legit and known IP with proper DNS record.</P> Tue, 07 Nov 2023 18:55:23 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955136#M1105651 Tritontek 2023-11-07T18:55:23Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955174#M1105655 <P>do you deploy the ACP after add it?<BR /><BR /></P> <P>Thanks A Lot <BR />MHM</P> Tue, 07 Nov 2023 20:31:09 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955174#M1105655 MHM Cisco World 2023-11-07T20:31:09Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955239#M1105657 <P>Yes sir! Definitely! Every changes we make we always deploy it to the device and we only have 1 device.</P><P>i am confused already, right now our FTD is connected to an isolated network and am not confident of this is ready for redeployment to the production network. Is this some kind of a bug?</P> Wed, 08 Nov 2023 02:00:44 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955239#M1105657 Tritontek 2023-11-08T02:00:44Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955378#M1105662 <P>Hi Sir,</P><P>may i ask what is the best way to bypass all inspection and just have a straight forward packet in and packet out. i think that is the best way for me to determine where the problem is. i want to disable all inspections first then enable them 1 by 1 to know which one is blocking and which one is not.</P> Wed, 08 Nov 2023 06:10:44 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955378#M1105662 Tritontek 2023-11-08T06:10:44Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955545#M1105664 <P>You have not yet shared any screen shot of your prefilter policy or Access Control Policy. Either of those could be affecting your trace results. Otherwise, the title of this thread would generally work and have no issues.</P> <P>You also did not try the "system support firewall-engine-debug" and share the output that I suggested earlier.</P> Wed, 08 Nov 2023 07:27:00 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955545#M1105664 Marvin Rhoads 2023-11-08T07:27:00Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955610#M1105671 <P>Hi Sir,</P><P>Apologies, i forgot to attach the files. Here are the details below sir. I have also attached the debug txt file in this reply.</P><P>Here is my Pre-Filter Policy.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_0-1699432264476.png" style="width: 713px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201899iE4DBAF460B592D2F/image-dimensions/713x82?v=v2" width="713" height="82" role="button" title="Tritontek_0-1699432264476.png" alt="Tritontek_0-1699432264476.png" /></span></P><P>Here is my ACP, all the blocking rules are currently disabled.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_1-1699432326830.png" style="width: 706px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201900i34050BF5ACBD55FD/image-dimensions/706x270?v=v2" width="706" height="270" role="button" title="Tritontek_1-1699432326830.png" alt="Tritontek_1-1699432326830.png" /></span></P><P>and the ACP advanced settings i made</P><P> </P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_2-1699432421970.png" style="width: 753px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201901i7322E6B199A59157/image-dimensions/753x547?v=v2" width="753" height="547" role="button" title="Tritontek_2-1699432421970.png" alt="Tritontek_2-1699432421970.png" /></span></P><P> </P><P>The problem right now is that our FTD is now running in an isolated network where 1 PC is connected with necessary production apps and websites being used and accessed and whenever we re-integrate the FTD back to the production network that is the time the problem is rampant. </P><P>Here are some errors we had before we isolated the FTD.</P><P> </P><P>Here is Tekla Trimble Model Sharing queuing to cloud servers:</P><DIV class=""> </DIV><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_5-1699432943675.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201902i644A616496A7F6BE/image-size/medium?v=v2&px=400" role="button" title="Tritontek_5-1699432943675.png" alt="Tritontek_5-1699432943675.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_6-1699432977114.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201903iF0E42F7C4934FD92/image-size/medium?v=v2&px=400" role="button" title="Tritontek_6-1699432977114.png" alt="Tritontek_6-1699432977114.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_8-1699433005207.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201904i06BF242FD6F99E1E/image-size/medium?v=v2&px=400" role="button" title="Tritontek_8-1699433005207.png" alt="Tritontek_8-1699433005207.png" /></span></P><P>This one is for VMWare Horizon connection to cloud servers:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_9-1699433052659.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201905i003A593BD91DF556/image-size/medium?v=v2&px=400" role="button" title="Tritontek_9-1699433052659.png" alt="Tritontek_9-1699433052659.png" /></span></P><P> </P><P>right now production network without the FTD is running smoothly but everytime we join the FTD back to the network everyone gets crazy with this cloud server connections being dropped/blocked. This problem has been running for months on/off and randomly.</P><DIV class=""> </DIV><P> </P><P> </P><P> </P><P> </P><DIV class=""> </DIV><P> </P><P> </P><P> </P> Wed, 08 Nov 2023 08:51:34 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955610#M1105671 Tritontek 2023-11-08T08:51:34Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955956#M1105675 <P>The debug.txt doesn't show any drops or blocks so that is inconclusive.</P> <P>I notice in your ACP that you appear to have multiple outside interfaces. Are both active and, if so, how do you handle routing to ensure that nothing is ever asymmetric (i.e. outbound traffic goes out one interface while return traffic arrives on a different one)?</P> Wed, 08 Nov 2023 19:06:12 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955956#M1105675 Marvin Rhoads 2023-11-08T19:06:12Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955989#M1105679 <P>Hi Sir, i have ran a new packet trace without pre-filter policy and i can see a lot of Snort drop and acl-drop including our Amazon and Azure cloud servers. that is the main concern we are facing that Snort is blocking our production servers from the cloud. i have attached the CLI log file and packet capture.</P><P>Regarding the 2 outside interface, as of now only 1 is active since it is in isolated network but when we integrate the FTD to the production 2 Outside interfaces will be utilized, I use metric 1 for my outside 1 and metric 2 for my outside2 and they are assigned into 2 different zones and i also have a PBR flexconfig so that i can distribute the internet usage into 2 depending on what vlans the users belong. see images below.</P><P>Hi Sir <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690">@Marius Gunnerud</a> i have posted it here everything including the system support logs</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_0-1699471852581.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201937i0C82FC4F831DD5E8/image-size/large?v=v2&px=999" role="button" title="Tritontek_0-1699471852581.png" alt="Tritontek_0-1699471852581.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_1-1699471873210.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201938i529DF9ABA8B98EC9/image-size/large?v=v2&px=999" role="button" title="Tritontek_1-1699471873210.png" alt="Tritontek_1-1699471873210.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_2-1699471901039.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201939i8EBA4FD3FB5DCB57/image-size/large?v=v2&px=999" role="button" title="Tritontek_2-1699471901039.png" alt="Tritontek_2-1699471901039.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_3-1699471927446.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201940i17BD74FBE0168502/image-size/large?v=v2&px=999" role="button" title="Tritontek_3-1699471927446.png" alt="Tritontek_3-1699471927446.png" /></span></P><P> </P><P>see log files attached. this log files were captured while pre-filter policy, service policy was removed, ACP allow rule is active and ACP default action was set to Balanced Connectivity and Security. I am confused on how to deal with this one because i cannot afford to run a network with Pre-filter any any and fastpath since it is very vurnerable and it is also hard to add all our amazon cloud server IPs because some of our client's cloud server IP are in multi region and it changes from time to time. i dont know what really happend to this FTD but the issue just suddenly came out without doing anything. Maybe this is a bug? snort should only block/drop unregistered/broken/malicious packets but why block/drop amazon/azure IP packets?</P> Thu, 09 Nov 2023 04:37:23 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4955989#M1105679 Tritontek 2023-11-09T04:37:23Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956036#M1105681 <P>I suppose you have the relevant NAT rules configured for this traffic flow?</P> <P>Could you do a "system support trace" from the  > prompt and then send some test traffic that is being dropped and post complete output here.</P> <P>When entering the values for the trace only enter the client and server IPs, leave everything else blank.</P> Wed, 08 Nov 2023 21:13:25 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956036#M1105681 Marius Gunnerud 2023-11-08T21:13:25Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956082#M1105690 <P>Hi, <BR />I make deep dive check all info you provide<BR />rule 9 of ACP this in Lina permit any any but in Snort application opera VPN opera is Block.<BR />can you remove it and but in end of ACP.</P> <P>Thanks A Lot <BR />MHM</P> Wed, 08 Nov 2023 23:01:38 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956082#M1105690 MHM Cisco World 2023-11-08T23:01:38Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956259#M1105699 <P>Hi Sirs,</P><P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/326046">@Marvin Rhoads</a> <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/319690">@Marius Gunnerud</a> </P><DIV class="">Here are the latest logs and setting made below:</DIV><DIV class="">During the log capture these are the current settings on our FTD</DIV><DIV class="">1) i removed all unecessary ACP rule and left only 1 allow rule with in to out zone any any </DIV><DIV class=""><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_0-1699509781907.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201988i80587862B197562C/image-size/large?v=v2&px=999" role="button" title="Tritontek_0-1699509781907.png" alt="Tritontek_0-1699509781907.png" /></span><P> </P><P>2) in ACP advanced tab, i set TLS = enabled, Pre-Filter Polic = Default Pre-filter, Intrusion Policy& Network analysis = Balanced Security and Connectivity with default set, Removed FTD Service Policy = 0.</P><P> </P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_1-1699509832663.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201989iC4F7E830D1A4AE96/image-size/large?v=v2&px=999" role="button" title="Tritontek_1-1699509832663.png" alt="Tritontek_1-1699509832663.png" /></span><P>default pre-filter policy is empty.</P><P> </P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_2-1699509965347.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201990i62F8C3502AE8ADAF/image-size/large?v=v2&px=999" role="button" title="Tritontek_2-1699509965347.png" alt="Tritontek_2-1699509965347.png" /></span><P>3) removed the unused OUTSIDE2 interface, removed routing for OUTSIDE2, removed routing for OUTSIDE2, removed NAT for OUTSIDE2 and VPNs, since we are using OUTSIDE1 and INSIDE for now,</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_3-1699510041490.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201991i1FBA0055CE7F31C5/image-size/large?v=v2&px=999" role="button" title="Tritontek_3-1699510041490.png" alt="Tritontek_3-1699510041490.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_4-1699510094571.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201992i309958F39DD142A8/image-size/large?v=v2&px=999" role="button" title="Tritontek_4-1699510094571.png" alt="Tritontek_4-1699510094571.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_5-1699510136943.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201993iB843A0F61346C47A/image-size/large?v=v2&px=999" role="button" title="Tritontek_5-1699510136943.png" alt="Tritontek_5-1699510136943.png" /></span><P>and removed OUTSIDE2 in the platfrom settings DNS and ICMP.</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_6-1699510216321.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201994iF365E039F4CF483D/image-size/large?v=v2&px=999" role="button" title="Tritontek_6-1699510216321.png" alt="Tritontek_6-1699510216321.png" /></span><P> </P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tritontek_7-1699510247134.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/201995i4A2061FFEBCBA903/image-size/large?v=v2&px=999" role="button" title="Tritontek_7-1699510247134.png" alt="Tritontek_7-1699510247134.png" /></span><P>4) removed RAVPN and S2S VPN confiurations to completely isolate the issue</P><P>5) removed OUTSIDE2 Zone and SLA MOnitor  to completely isolate the issue</P><P>So overall the traffic will just pass between INSIDE - OUTSIDE1 for now to see more clear troubleshooting.</P><P>Here are the logs from the system support trace and debug attached. </P><P>NOTE: Prefilter policy, Service Policy removed, ACP rule allow all from in to out with default action balanced security and connectivity were set during the capture of these logs.</P><P>i have attached Packet Capture from FMC UI and Putty logs via FTD CLI. i have noticed a lot of snort drop and acl drop from these captures and i also noticed that it drops several amazon and azure ip addresses which is very odd.</P><P>Thank YOu So Much</P><P> </P></DIV> Thu, 09 Nov 2023 06:17:29 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956259#M1105699 Tritontek 2023-11-09T06:17:29Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956428#M1105703 <P>I suggest not remove ACP but remove application rule check connection <BR />then add it if the connection is success.<BR /><BR />Thanks A Lot <BR />MHM</P> Thu, 09 Nov 2023 13:58:28 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956428#M1105703 MHM Cisco World 2023-11-09T13:58:28Z Re: Packet is blocked as requested by snort with Prefilter anyany fast https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956431#M1105704 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1065752">@MHM Cisco World</a> If the poster is giving us the whole picture then there are no active rules with application defined.</P> Thu, 09 Nov 2023 14:04:09 GMT https://community.cisco.com/t5/network-security/packet-is-blocked-as-requested-by-snort-with-prefilter-anyany/m-p/4956431#M1105704 Marius Gunnerud 2023-11-09T14:04:09Z