https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5213602#M1116877 <P>Please refer to this link for the "show snort statistics" command:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_8.html#wp7571291640" target="_blank">Cisco Secure Firewall Threat Defense Command Reference - show s - sz [Cisco Secure Firewall Threat Defense] - Cisco</A></P> Wed, 23 Oct 2024 11:38:56 GMT Aref Alsouqi 2024-10-23T11:38:56Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5212776#M1116821 <P>Morning,</P><P>I am having an issue with our Fastpath rules, hoping for some advice:</P><P>I have added our scanning IP ranges in to Network Objects and then created a prefilter policy to fastpath traffic from or to these addresses.</P><P>I'm unsure why but we are still seeing intrusion alerts being generated from these addresses during our periodic scans. As far as I understand the fastpath should prevent the traffic from those IPs from being inspected by the snort engine. Do I need to put it in the ACP as a Trust rule to capture existing connections as well?</P> Tue, 22 Oct 2024 08:52:04 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5212776#M1116821 RWarr100 2024-10-22T08:52:04Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5212852#M1116824 <P>Did you attach the prefilter policy to you ACP policy? if so, do you see any counters on the "show snort statistics" command on FTD CLISH mode "&gt;"?</P> Tue, 22 Oct 2024 10:39:07 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5212852#M1116824 Aref Alsouqi 2024-10-22T10:39:07Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5213587#M1116874 <P>Yes, it's attached to the ACP. I had a look in the FTDs CLI and I didn't have the option for snort statistics under the "show" command.</P> Wed, 23 Oct 2024 11:13:02 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5213587#M1116874 RWarr100 2024-10-23T11:13:02Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5213602#M1116877 <P>Please refer to this link for the "show snort statistics" command:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/firepower/command_ref/b_Command_Reference_for_Firepower_Threat_Defense/s_8.html#wp7571291640" target="_blank">Cisco Secure Firewall Threat Defense Command Reference - show s - sz [Cisco Secure Firewall Threat Defense] - Cisco</A></P> Wed, 23 Oct 2024 11:38:56 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5213602#M1116877 Aref Alsouqi 2024-10-23T11:38:56Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5214276#M1116911 <P>Thanks, I read that however when I use the show and look at all potential commands there are no snort entries. They are old devices so maybe the OS doesn't support the command?&nbsp;</P> Thu, 24 Oct 2024 08:43:04 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5214276#M1116911 RWarr100 2024-10-24T08:43:04Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5214309#M1116916 <P>Mmm, not sure. One thing you could try would be to remove that prefilter rule and create it in the ACP with a trust action. The end result would be the same.</P> Thu, 24 Oct 2024 09:34:44 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5214309#M1116916 Aref Alsouqi 2024-10-24T09:34:44Z https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5217866#M1117152 <P>prefilter is bypass Snort but as I understand you config prefilter after traffic pass FTD&nbsp;</P> <P>this make FTD build conn and hence it bypass any prefilter and make traffic inspect by snort&nbsp;</P> <P>MHM</P> Thu, 31 Oct 2024 07:27:07 GMT https://community.cisco.com/t5/network-security/fmc-prefilter-fastpath-error/m-p/5217866#M1117152 MHM Cisco World 2024-10-31T07:27:07Z