https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009459#M1108620 <P>maybe this will be helpful. The CLI shows the following rules are being allowed. I don't have any rules like this configured in my fastpath and so they must be defaults. I've read a few other posts on this topic but don't believe I saw any definitive answers. I'm trying to determine if this type of traffic is actually getting through or if its only a few packets before the IPS blocks it. Either way how can I determine this?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dcanady55_0-1706650669387.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/209230i02E9642408AEA5BE/image-size/medium?v=v2&amp;px=400" role="button" title="dcanady55_0-1706650669387.png" alt="dcanady55_0-1706650669387.png" /></span></P><P>&nbsp;</P> Tue, 30 Jan 2024 21:40:22 GMT dcanady55 2024-01-30T21:40:22Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009151#M1108599 <P>FTD &amp; FMC 7.3</P><P>Inside my prefilter policy, I have a few prefilter rules and no tunnel rules, but my default action under tunnel traffic is to analyze all tunnel traffic. The CLI shows there are hits for this traffic, but I'm assuming if there are no rules in my ACP, this traffic would be dropped. How can I prove that's the case? The logging icon next to the default action is grayed out and won't let me log anything, which makes me think you cannot log anything unless you have a tunnel rule. If I grab the rule ID off the CLI and filter for this under unified events, nothing gets returned.</P><P>Thanks</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 30 Jan 2024 15:28:41 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009151#M1108599 dcanady55 2024-01-30T15:28:41Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009236#M1108604 <P>FTD&nbsp;</P> <P>Outer header check by prefilter (you can fastpath it)</P> <P>Inner header check by ACP&nbsp;</P> <P>Inner header check by Snort&nbsp;</P> <P>It seem to me that inner header is allow by ACP.</P> <P>MHM</P> Tue, 30 Jan 2024 16:58:43 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009236#M1108604 MHM Cisco World 2024-01-30T16:58:43Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009379#M1108611 <P>Is there away to verify the packets are being dropped?</P> Tue, 30 Jan 2024 20:20:41 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009379#M1108611 dcanady55 2024-01-30T20:20:41Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009436#M1108617 <P>sorry I dont get last reply,&nbsp;<BR />we talking about tunnel traffic, which tunnel we talk about GRE or other tunnel ?<BR />thanks&nbsp;<BR />MHM</P> Tue, 30 Jan 2024 21:05:54 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009436#M1108617 MHM Cisco World 2024-01-30T21:05:54Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009459#M1108620 <P>maybe this will be helpful. The CLI shows the following rules are being allowed. I don't have any rules like this configured in my fastpath and so they must be defaults. I've read a few other posts on this topic but don't believe I saw any definitive answers. I'm trying to determine if this type of traffic is actually getting through or if its only a few packets before the IPS blocks it. Either way how can I determine this?&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dcanady55_0-1706650669387.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/209230i02E9642408AEA5BE/image-size/medium?v=v2&amp;px=400" role="button" title="dcanady55_0-1706650669387.png" alt="dcanady55_0-1706650669387.png" /></span></P><P>&nbsp;</P> Tue, 30 Jan 2024 21:40:22 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009459#M1108620 dcanady55 2024-01-30T21:40:22Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009472#M1108621 <P>Prefilter tunnel allow traffic and as I mention the outer IP header is allow by prefilter.</P> <P>I See GRE so it not encrypt can you check the inner IP header&nbsp; if you can add ACP rule drop inner ip head (drop with log) and you will see how ACP filter tunnel traffic.</P> <P>Note:- Ypu can use capture to see inner ip header&nbsp;</P> <P>MHM</P> Tue, 30 Jan 2024 22:02:54 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009472#M1108621 MHM Cisco World 2024-01-30T22:02:54Z https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009500#M1108624 <P>You could run&nbsp; <STRONG>system support trace</STRONG> and enable firewall-engine-debug in the CLI.&nbsp; This should show all actions taken by both LINA and SNORT.</P> Tue, 30 Jan 2024 23:03:41 GMT https://community.cisco.com/t5/network-security/ftd-prefilter-question/m-p/5009500#M1108624 Marius Gunnerud 2024-01-30T23:03:41Z