topic Re: Remote VDI access not working after migration from ASA to FTD in Network Security

Remote VDI access not working after migration from ASA to FTD

NetworkMonkey101 — Thu, 30 Jan 2025 10:01:24 GMT

Hi all,

I have had a failed migration attempt due to VDI access not working after the migration and have had to roll back. I took a wireshark from the client at the time.

After the roll back I have ran some packet captures on the live ASA and the non live FTD.

Just running a capture from the FTD and ASDM.

I can see the when testing from an dummy address of 1.1.1.1 to 217.146.101.212 port 8443 traffic is allowed and natted to 172.16.230.19 as expected.

When running the same test from FTD it is failing at the SNORT inspection, something that isn’t present on the ASA. I will investigate this further as unsure if this is a cause or red herring atm.

On the FTD it would appear the correct ACLs and NAT statements are being hit. But denied by SNORT.... Should I allow a process through SNORT?

Searching for the SNORT 3 rule ID but nothing is showing..

Re: Remote VDI access not working after migration from ASA to FTD

Sheraz.Salim — Thu, 30 Jan 2025 12:16:42 GMT

Based on your observations, it appears that the migration from ASA to FTD has introduced an issue with SNORT inspection blocking traffic that was previously allowed on the ASA. Here are my thoughts.

The traffic is correctly hitting the ACLs and NAT statements on the FTD, which suggests that the basic firewall rules have been migrated successfully.
The denial by SNORT is the main difference between the ASA and FTD behavior. This is expected, as FTD includes SNORT inspection capabilities that weren't present in the ASA.

To address this issue:

Review the SNORT rule that's blocking the traffic. You mentioned searching for the SNORT 3 rule ID without success. Make sure you're using the correct rule ID format for SNORT 3, as it differs from SNORT 2.
Consider creating a prefilter rule to fastpath the traffic, bypassing SNORT inspection for this specific connection1. This can be done in the FMC under Policies > Access Control > Prefilter.
If the traffic should be inspected but allowed, you may need to tune your intrusion policy. Review the policy applied to the relevant access control rule and consider disabling or modifying the specific SNORT rule that's triggering.
Enable logging for intrusion events and review the logs to understand why SNORT is blocking the traffic. This can provide insights into potential security concerns or false positives.
Use the packet tracer feature in FMC to simulate the traffic flow and identify exactly where and why the packet is being dropped.
If you're using application-based access control, ensure that the application is correctly identified. Sometimes, updates to applications or SNORT can cause mismatches in application identification. Remember that while allowing traffic through SNORT might solve the immediate issue, it's important to understand why SNORT is blocking the traffic in the first place. This ensures you're not inadvertently introducing security vulnerabilities. If you continue to face issues, consider opening a TAC case with Cisco for further assistance, as they can provide more specific guidance based on your exact configuration and SNORT rule details.

Re: Remote VDI access not working after migration from ASA to FTD

NetworkMonkey101 — Thu, 30 Jan 2025 13:03:26 GMT

Output no prefilter

Packet Details:
09:22:08.305 - 1.1.1.1:1 > 217.146.101.212:8443 TCP
GC2_Outside(vrfid:2)

CAPTURE
Type:
CAPTURE
Result:
ALLOW
Config:
Elapsed Time:
25889 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb801f4b0, priority=13, domain=capture, deny=false
hits=140103, user_data=0xffd9c900e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=GC2_Outside, output_ifc=any

ACCESS-LIST
Type:
ACCESS-LIST
Result:
ALLOW
Config:
Implicit Rule
Elapsed Time:
25889 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb452d080, priority=1, domain=permit, deny=false
hits=5797287, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GC2_Outside, output_ifc=any

UN-NAT
| static
Type:
UN-NAT
Subtype:
static
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
19915 ns

Additional Information
NAT divert to egress interface DMZ_POD2_EXT(vrfid:2)
Untranslate 217.146.101.212/8443 to 172.16.230.19/8443

OBJECT_GROUP_SEARCH
Type:
OBJECT_GROUP_SEARCH
Result:
ALLOW
Config:
Elapsed Time:
0 ns

Additional Information
Source Object Group Match Count: 1
Destination Object Group Match Count: 2
Object Group Search: 2

ACCESS-LIST
| log
Type:
ACCESS-LIST
Subtype:
log
Result:
ALLOW
Config:
access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip ifc GC2_Outside any ifc DMZ_POD2_EXT any rule-id 268443040 access-list CSM_FW_ACL_ remark rule-id 268443040: ACCESS POLICY:ACP_PCH_INTERNET Default access-list CSM_FW_ACL_ remark rule-id 268443040: L7 RULE:outside_access_horizion_block
Elapsed Time:
796 ns

Additional Information
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffb40ab910, priority=12, domain=permit, deny=false
hits=2, user_data=0x5586a1da00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=GC2_Outside(vrfid:2)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=DMZ_POD2_EXT(vrfid:2),, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

CONN-SETTINGS
Type:
CONN-SETTINGS
Result:
ALLOW
Config:
class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffe29e22d0, priority=7, domain=conn-set, deny=false
hits=17335, user_data=0xffe29dec20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
Type:
NAT
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
796 ns

Additional Information
Static translate 1.1.1.1/1 to 1.1.1.1/1
Forward Flow based lookup yields rule:
in id=0xffb9add2f0, priority=6, domain=nat, deny=false
hits=1368, user_data=0xffb93fe170, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=217.146.101.212, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93756, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb4532010, priority=0, domain=inspect-ip-options, deny=true
hits=58065, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

FOVER
| standby-update
Type:
FOVER
Subtype:
standby-update
Result:
ALLOW
Config:
Elapsed Time:
34709 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffdc592590, priority=20, domain=lu, deny=false
hits=14309, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
| rpf-check
Type:
NAT
Subtype:
rpf-check
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
10242 ns

Additional Information
Forward Flow based lookup yields rule:
out id=0xffb9add720, priority=6, domain=nat-reverse, deny=false
hits=1278, user_data=0xffb8277c50, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
71125 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
1707 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0xffd84dcdf0, priority=0, domain=inspect-ip-options, deny=true
hits=14497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=DMZ_POD2_EXT(vrfid:2), output_ifc=any

FLOW-CREATION
Type:
FLOW-CREATION
Result:
ALLOW
Config:
Elapsed Time:
63159 ns

Additional Information
New flow created with id 68454, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

EXTERNAL-INSPECT
Type:
EXTERNAL-INSPECT
Result:
ALLOW
Config:
Elapsed Time:
23329 ns

Additional Information
Application: 'SNORT Inspect'

SNORT
| appid
Type:
SNORT
Subtype:
appid
Result:
ALLOW
Config:
Elapsed Time:
15760 ns

Additional Information
service: (0), client: (0), payload: (0), misc: (0)

SNORT
| firewall
Type:
SNORT
Subtype:
firewall
Result:
DROP
Config:
Network 0, Inspection 0, Detection 4, Rule ID 268443040
Elapsed Time:
291876 ns

Additional Information
Starting rule matching, zone 41 -> 14, geo 840 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268443040 - Block

Result: drop
Input Interface:
GC2_Outside(vrfid:2)
Input Status:
up
Input Line Status:
up
Output Interface:
DMZ_POD2_EXT(vrfid:2)
Output Status:
up
Output Line Status:
up
Action:
drop
Time Taken:
587580 ns
Drop Reason:
(firewall) Blocked or blacklisted by the firewall preprocessor
Drop Detail:
Drop-location: frame 0x000000aaaec0a208 flow (NA)/NA
DMZ_POD2_EXT(vrfid:2)

Output with prefilter

Packet Details:
12:43:15.40 - 1.1.1.1:1 > 217.146.101.212:8443 TCP
GC2_Outside(vrfid:2)

CAPTURE
Type:
CAPTURE
Result:
ALLOW
Config:
Elapsed Time:
27596 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb801f4b0, priority=13, domain=capture, deny=false
hits=140105, user_data=0xffd9c900e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=GC2_Outside, output_ifc=any

ACCESS-LIST
Type:
ACCESS-LIST
Result:
ALLOW
Config:
Implicit Rule
Elapsed Time:
27596 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb452d080, priority=1, domain=permit, deny=false
hits=5797288, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GC2_Outside, output_ifc=any

UN-NAT
| static
Type:
UN-NAT
Subtype:
static
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
21622 ns

Additional Information
NAT divert to egress interface DMZ_POD2_EXT(vrfid:2)
Untranslate 217.146.101.212/8443 to 172.16.230.19/8443

OBJECT_GROUP_SEARCH
Type:
OBJECT_GROUP_SEARCH
Result:
ALLOW
Config:
Elapsed Time:
0 ns

Additional Information
Source Object Group Match Count: 1
Destination Object Group Match Count: 2
Object Group Search: 2

ACCESS-LIST
| log
Type:
ACCESS-LIST
Subtype:
log
Result:
ALLOW
Config:
access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced trust ip ifc GC2_Outside any ifc DMZ_POD2_EXT object DMZUAG_VIP4 rule-id 268443041 event-log flow-end access-list CSM_FW_ACL_ remark rule-id 268443041: PREFILTER POLICY: PF_PCH_INTERNET access-list CSM_FW_ACL_ remark rule-id 268443041: RULE: VDI-ALLOW
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffd23867f0, priority=12, domain=permit, trust
hits=0, user_data=0x5588911880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=GC2_Outside(vrfid:2)
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, ifc=DMZ_POD2_EXT(vrfid:2),, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Additional Information
Forward Flow based lookup yields rule:
in id=0xffe29e22d0, priority=7, domain=conn-set, deny=false
hits=17336, user_data=0xffe29dec20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
Type:
NAT
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
796 ns

Additional Information
Static translate 1.1.1.1/1 to 1.1.1.1/1
Forward Flow based lookup yields rule:
in id=0xffb9add2f0, priority=6, domain=nat, deny=false
hits=1369, user_data=0xffb93fe170, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=217.146.101.212, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb4532010, priority=0, domain=inspect-ip-options, deny=true
hits=58066, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

FOVER
| standby-update
Type:
FOVER
Subtype:
standby-update
Result:
ALLOW
Config:
Elapsed Time:
34709 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffdc592590, priority=20, domain=lu, deny=false
hits=14310, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
| rpf-check
Type:
NAT
Subtype:
rpf-check
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
10811 ns

Additional Information
Forward Flow based lookup yields rule:
out id=0xffb9add720, priority=6, domain=nat-reverse, deny=false
hits=1279, user_data=0xffb8277c50, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
60883 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93760, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
2276 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0xffd84dcdf0, priority=0, domain=inspect-ip-options, deny=true
hits=14498, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=DMZ_POD2_EXT(vrfid:2), output_ifc=any

FLOW-CREATION
Type:
FLOW-CREATION
Result:
ALLOW
Config:
Elapsed Time:
58038 ns

Additional Information
New flow created with id 68481, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
| Resolve Preferred Egress interface
Type:
INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype:
Resolve Preferred Egress interface
Result:
ALLOW
Config:
Elapsed Time:
26174 ns

Additional Information
Found next-hop 172.16.230.19 using egress ifc DMZ_POD2_EXT(vrfid:2)

Result: drop
Input Interface:
GC2_Outside(vrfid:2)
Input Status:
up
Input Line Status:
up
Output Interface:
DMZ_POD2_EXT(vrfid:2)
Output Status:
up
Output Line Status:
up
Action:
drop
Time Taken:
273685 ns
Drop Reason:
(no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop.
Drop Detail:
Drop-location: frame 0x000000aaad9e1cac flow (NA)/NA
DMZ_POD2_EXT(vrfid:2)

The FTD has not been migrated yet and interfaces are not up. Is this the reason why the error - (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop is showing in the packet capture

Re: Remote VDI access not working after migration from ASA to FTD

Sheraz.Salim — Thu, 30 Jan 2025 13:30:28 GMT

So based on the packet capture, there are two scenarios one without a prefilter and one with a prefilter.
The packet is dropped by SNORT inspection due to Rule ID 268443040. The result shows:

SNORT | firewall Type: SNORT Subtype: firewall Result: DROP Config: Network 0, Inspection 0, Detection 4, Rule ID 268443040

The drop reason is given as "(firewall) Blocked or blacklisted by the firewall preprocessor". With Prefilter: The packet is allowed to pass through without being dropped by SNORT. The key difference is in the ACCESS-LIST section

ACCESS-LIST | log Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced trust ip ifc GC2_Outside any ifc DMZ_POD2_EXT object DMZUAG_VIP4 rule-id 268443041 event-log flow-end access-list CSM_FW_ACL_ remark rule-id 268443041: PREFILTER POLICY: PF_PCH_INTERNET access-list CSM_FW_ACL_ remark rule-id 268443041: RULE: VDI-ALLOW

This prefilter rule (268443041) allows the traffic to bypass SNORT inspection, effectively resolving the issue of the packet being dropped.

"The FTD has not been migrated yet and interfaces are not up. Is this the reason why the error - (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop is showing in the packet capture"

The FTD's interfaces are currently down due to a pending migration. This explains the "no-v4-adjacency" error and the lack of a valid ARP entry for the nexthop in the packet capture. Once the migration is complete and the interfaces are up, the ARP table should populate, and the packet trace should succeed.

Hope this help 🙂

Re: Remote VDI access not working after migration from ASA to FTD

NetworkMonkey101 — Thu, 30 Jan 2025 14:02:12 GMT

Thanks for your reply Sheraz.

I am unable to locate the rule within SNORT3

by filtering by the rule id nothing shows..

Also can you confirm if it is recommended to add a prefilter or amend the current SNORT3 rule which is blocking the connection?

What are the benefits and negatives for each method?

Re: Remote VDI access not working after migration from ASA to FTD

Sheraz.Salim — Thu, 30 Jan 2025 15:58:48 GMT

@NetworkMonkey101search 26844 it does show up.

Prefiltering
Improved performance: Prefiltering occurs early in the inspection process, allowing for faster handling of traffic. Reduced resource usage: By quickly handling certain types of traffic, prefiltering can reduce the load on subsequent, more resource-intensive inspections. Ability to fastpath or block specific traffic: Prefiltering can quickly handle plaintext, passthrough tunnels based on outer encapsulation headers. Information taken from here.

Negatives

Limited criteria: Prefilter rules use simple network criteria like IP address, VLAN tag, port, and protocol, which may not be as granular as full Snort rules. Less flexibility: Prefiltering has fewer actions available compared to full access control rules.Here is the link

Snort 3 rule Benefits:

More granular control: Snort rules can use more robust criteria, including application-layer information Benefits
Wider range of actions: Snort rules offer more actions, including alert, block, drop, log, and pass link here
Deep packet inspection: Snort can perform more thorough analysis of packet contents link here

Negatives:

Higher resource usage: Full Snort rule processing can be more resource-intensive than prefiltering here the link but already shared above
Potential performance impact: Processing all traffic through Snort rules may lead to slower overall performance compared to prefiltering

The choice between prefiltering and amending the Snort 3 rule depends on your specific requirements. If performance is a primary concern and the traffic can be effectively filtered using simple criteria, prefiltering may be the better option. However, if you need more granular control and deeper inspection capabilities, modifying the Snort 3 rule would be more appropriate.