topic Re: Packet-Tracer Output (FTD 7.2.4) in Network Security

Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 19:33:03 GMT

Trying to use packet-tracer to determine the direct rule a packet is being allowed but the output only lists what appears to be a dynamic ACL created on the FTD. How can I get the exact rule that is allowing the traffic?

ex.

packet-tracer input outside tcp 10.1.1.1 5555 8.8.8.8 53 detailed

Re: Packet-Tracer Output (FTD 7.2.4)

MHM Cisco World — Thu, 16 May 2024 20:08:12 GMT

Share full packet tracer

MHM

Re: Packet-Tracer Output (FTD 7.2.4)

Rob Ingram — Thu, 16 May 2024 19:41:58 GMT

@Chuck Reimer you can use the command system support firewall-engine-debug and apply a filter on source/destination IP and generate traffic to determine what rule the traffic matches against.

Is your input interface correct? should it not be the inside interface if your source is a private IP address 10.1.1.1 or are you hairpinning traffic?

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 19:47:54 GMT

For security reasons, I don't want to post the entire output but here is the output for access-list

Re: Packet-Tracer Output (FTD 7.2.4)

MHM Cisco World — Thu, 16 May 2024 20:05:31 GMT

MHM

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 19:55:37 GMT

@Rob Ingram I tried the firewall-engine-debug but didn't get any output after trying to establish the connection. Is this written to your console output or to syslog? Additionally I updated my input interface but the ACL is still masked and not revealing the actual rule allowing the traffic.

Re: Packet-Tracer Output (FTD 7.2.4)

Rob Ingram — Thu, 16 May 2024 19:56:41 GMT

@Chuck Reimer if traffic matches the filter you applied it should display on the console.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 19:56:56 GMT

@MHM Cisco World it's just a generic PT example. I'm testing RDP access to external server in Azure

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 20:02:48 GMT

@Rob Ingram That worked perfectly after I left out the source port. I attended a session last year @ Ciscolive that went over this debug command. Forgot all about it. Thanks for the help here!!

Re: Packet-Tracer Output (FTD 7.2.4)

MHM Cisco World — Thu, 16 May 2024 20:06:01 GMT

MHM

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 20:09:08 GMT

@MHM Cisco World There is not rule in the pre-filter that would allow this traffic. I think output just says that prefilter was assigned but not necessarily used. Rob's advice worked perfectly if you ever need this info.

Re: Packet-Tracer Output (FTD 7.2.4)

Chuck Reimer — Thu, 16 May 2024 20:17:38 GMT

I guess in closing, packet-tracer is a good troubleshooting tool to determine whether the packet is allowed or not but if it is allowed and you want to determine actual rule @Rob Ingram solution works perfectly. Thanks all for the help and guidance on such a elementary question. Kind of embarrassed to ask

Re: Packet-Tracer Output (FTD 7.2.4)

MHM Cisco World — Thu, 16 May 2024 20:45:11 GMT

As you like friend.

Goodluck

MHM