topic Re: Does the IPS/Snort checks the VPN traffic in Network Security

Does the IPS/Snort checks the VPN traffic

cmarin — Tue, 23 Jul 2024 14:41:29 GMT

Hi Fellas,

I have a question, regarding how the ASA with IPS module or Firepower with intrusion policy is able to check VPN traffic.

The traffic is coming from a L2L tunnel and does a U turn pointing to a VTI so the traffic never pass through the device.
So in the config it just hits the NAT and the static route and never is being checked by an ACL or policy.

Is there a way the IPS/Snort inspect that traffic?

The only thing I have in mind is disable the sysopt connection permit-vpn and set a outside ALC or ACP pointing to the outside zone but I am not sure.

I'll be waiting for your guidance.

Thanks in advance.

Re: Does the IPS/Snort checks the VPN traffic

MHM Cisco World — Tue, 23 Jul 2024 14:53:41 GMT

Use prefilter fastpath it better than use ACL

MHM

Re: Does the IPS/Snort checks the VPN traffic

Marvin Rhoads — Tue, 23 Jul 2024 16:15:32 GMT

@cmarin the solution you mentioned would work if you wanted to "force" inspection. Normally the traffic would not go through the DAQ and into Snort due to the sysopt parameter you mentioned.

Re: Does the IPS/Snort checks the VPN traffic

cmarin — Tue, 23 Jul 2024 16:53:57 GMT

So just let me confirm, if I disable the sysopt connection permit-vpn I will be force to set ACLs or ACPs to allow the VPN traffic so in that way I could enable the intrusion policy for those specific lines to be checked.
I will try to test it and let you know.

Thank you.

Re: Does the IPS/Snort checks the VPN traffic

rickbnet — Tue, 24 Sep 2024 11:25:46 GMT

Correct. The sysopt conn permit is going to bypass any zone/interface for the traffic coming in on a tunnel. Now, you could put a vpn filter on the side of concern to control pre-encrypted/post-decrypted traffic, but in my testing I did not see that run across snort. If you disable the sysopt command, any traffic coming in, tunnel or not, is going to run across that zone/interface ACL. Then just specify the IPS policy on the ACE for the traffic you are wanting inspected. I would be cautious when disabling that option, as it is global. The FMC/FTDs sure make it seem as a per tunnel basis, but it is not. If other tunnels are terminating to this firewall and relying on the sysopt command, and no reverse rules to allow traffic in from the other peers are in place, traffic will begin to be dropped.