topic Re: Is PBR actually pushing traffic down VTI tunnels on FTD? in Network Security

Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Thu, 20 Mar 2025 17:12:39 GMT

Hi,

I have three VTI tunnels using ECMP.

I would like to push traffic from 10.167.0.0/19 down these tunnels using PBR.

After making the change users can still get to the internet but I am unsure if PBR is working or is the traffic just going out thr OUTSIDE interface and not the VTI (via the OUTSIDE) Interface

I did a packet tracer and here are the results.

How can i test and prove this is working as expected?

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

balaji.bandi — Fri, 21 Mar 2025 00:27:03 GMT

What is your Route-map and routing look like :

Check some example PBR to get an idea of how you can create:

https://docs.defenseorchestrator.com/cdfmc/t-configuration-example-for-policy-based-routing.html

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/217588-configure-pbr-with-ip-slas-for-dual-isp.html

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Fri, 21 Mar 2025 06:18:05 GMT

Ok thanks. I only did the PBR part. Is the route map required always aswell
As the flex config? Which parts are essential?

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

balaji.bandi — Fri, 21 Mar 2025 07:46:56 GMT

check the document which explain how you can do.

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Fri, 21 Mar 2025 08:31:14 GMT

I have read the document but I am trying to send the traffic down 3 VTIs using ECMP.. Can that not be done using static routes?

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

jameswood32 — Fri, 21 Mar 2025 08:58:39 GMT

Yes, PBR (Policy-Based Routing) can push traffic down VTI (Virtual Tunnel Interface) tunnels on FTD (Firepower Threat Defense), but it depends on the specific configuration. PBR allows for routing traffic based on policies, which can include routing traffic over a VTI tunnel, depending on the conditions specified in the policy.

To confirm it's working, make sure the following are in place:

Correct PBR Policy – Ensure the PBR policy is set to direct traffic to the VTI tunnel.
VTI Configuration – The VTI should be properly configured for IPsec VPN or other relevant tunneling protocols.
Routing Table – Verify that the routing table reflects the PBR changes and directs the traffic as intended.

You can check the traffic flow and logs to ensure the traffic is indeed using the VTI tunnel when the PBR policy is applied. If you’re still facing issues, it might help to verify your policy conditions or inspect the tunnel's status.

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Fri, 21 Mar 2025 09:12:11 GMT

Are you saying that static routes and route maps are not required to get this to work and it can all be done via device > routing > pbr

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Fri, 21 Mar 2025 11:43:51 GMT

I have setup PBR and ran a packet capture here are the results. I am unsure if the traffic for 10.167.0.0/19 is being pushed down the VTI tunnels or just leaving the OUTSIDE interface. As mentioned the VTIs use the OUTSIDE interface so would they should as a hop or would it just state VTI?

Interface: Ethernet1/1.1505
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: 10.167.10.1
Source Port: 1
Source SPI:
Destination Type: IPv4
Destination IP value: 8.8.8.8
Destination port: 443
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: SRHT-DC2-PFW-GAMMA
Run trace on all cluster members: false

Device details
Name: SRHT-DC2-PFW-GAMMA
ID: bd7d4e02-62a9-11ee-9301-d6c0937bc89e
Type: Device

Phase 1
ID: 1
Type: ACCESS-LIST
Result: ALLOW
Config: Implicit Rule
Additional Information: Forward Flow based lookup yields rule: in id=0x14e0b75f50c0, priority=1, domain=permit, deny=false hits=3490144848, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=VRF_GAMMA_GUEST, output_ifc=any
Elapsed Time: 10235 ns

Phase 2
ID: 2
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information: Input route lookup returned ifc GAMMA_OUTSIDE:GAMMA_OUTSIDE is not same as existing ifc Secure_Boundary:RM3-NCA-RN5_Gam1ADoing adjacency lookup on existing ifc Secure_Boundary:RM3-NCA-RN5_Gam1A
Elapsed Time: 13350 ns

Phase 3
ID: 3
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information: Input route lookup returned ifc GAMMA_OUTSIDE:GAMMA_OUTSIDE is not same as existing ifc Secure_Boundary:RM3-NCA-RN6_Gam1BDoing adjacency lookup on existing ifc Secure_Boundary:RM3-NCA-RN6_Gam1B
Elapsed Time: 890 ns

Phase 4
ID: 4
Type: SUBOPTIMAL-LOOKUP
Subtype: suboptimal next-hop
Result: ALLOW
Config:
Additional Information: Input route lookup returned ifc GAMMA_OUTSIDE:GAMMA_OUTSIDE is not same as existing ifc Secure_Boundary:RM3-NCA-RN7_Gam1CDoing adjacency lookup on existing ifc Secure_Boundary:RM3-NCA-RN7_Gam1C
Elapsed Time: 1335 ns

Phase 5
ID: 5
Type: PBR-LOOKUP
Subtype: policy-route
Result: ALLOW
Config: route-map FMC_GENERATED_PBR_1741891693329 permit 5 match ip address Allow-WIFI-Guest set adaptive-interface cost RM3-NCA-RN5_Gam1A RM3-NCA-RN6_Gam1B RM3-NCA-RN7_Gam1C
Additional Information: Matched route-map FMC_GENERATED_PBR_1741891693329, sequence 5, permit
Elapsed Time: 890 ns

Phase 6
ID: 6
Type: IMPORTED-ROUTE
Subtype: vrf imported route
Result: ALLOW
Config:
Additional Information: in 0.0.0.0 0.0.0.0 via 0.0.0.0, GAMMA_OUTSIDE (Imported Route) - 12
Elapsed Time: 1335 ns

Phase 7
ID: 7
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information: Found next-hop 0.0.0.0 using egress ifc GAMMA_OUTSIDE(vrfid:0)
Elapsed Time: 445 ns

Phase 8
ID: 8
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-group CSM_FW_ACL_ globalaccess-list CSM_FW_ACL_ advanced permit ip any any rule-id 268451843 access-list CSM_FW_ACL_ remark rule-id 268451843: ACCESS POLICY: GAMMA_PFW_ACP - Mandatoryaccess-list CSM_FW_ACL_ remark rule-id 268451843: L7 RULE: ICMP Everywhere
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached Forward Flow based lookup yields rule: in id=0x14e0b95b4a80, priority=12, domain=permit, deny=false hits=573906595, user_data=0x14e195ffcc00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2581 ns

Phase 9
ID: 9
Type: CONN-SETTINGS
Result: ALLOW
Config: class-map class-default match anypolicy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAPservice-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x14e0bbb85c20, priority=7, domain=conn-set, deny=false hits=202268459, user_data=0x14e0b5d61760, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=VRF_GAMMA_GUEST(vrfid:1), output_ifc=any
Elapsed Time: 2581 ns

Phase 10
ID: 10
Type: NAT
Result: ALLOW
Config: nat (VRF_GAMMA_GUEST,GAMMA_OUTSIDE) source static SCO-Guest-Range obj-164.39.215.59
Additional Information: Static translate 10.167.10.1/1 to 164.39.215.59/1 Forward Flow based lookup yields rule: in id=0x14e1d60880e0, priority=6, domain=nat, deny=false hits=156724505, user_data=0x14e1d49d76f0, cs_id=0x0, flags=0x0, protocol=0 src ip/id=10.167.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=VRF_GAMMA_GUEST(vrfid:1), output_ifc=GAMMA_OUTSIDE(vrfid:0)
Elapsed Time: 2581 ns

Phase 11
ID: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x14e1b59269c0, priority=0, domain=nat-per-session, deny=false hits=2141715424, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 2581 ns

Phase 12
ID: 12
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x14e0b49cb6c0, priority=0, domain=inspect-ip-options, deny=true hits=208145808, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=VRF_GAMMA_GUEST(vrfid:1), output_ifc=any
Elapsed Time: 2581 ns

Phase 13
ID: 13
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x14e0b8e53260, priority=20, domain=lu, deny=false hits=123574343, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=VRF_GAMMA_GUEST(vrfid:1), output_ifc=any
Elapsed Time: 8900 ns

Phase 14
ID: 14
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config: nat (VRF_GAMMA_GUEST,GAMMA_OUTSIDE) source static SCO-Guest-Range obj-164.39.215.59
Additional Information: Forward Flow based lookup yields rule: out id=0x14e1d24ceb30, priority=6, domain=nat-reverse, deny=false hits=159691429, user_data=0x14e1dd1a5a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=10.167.0.0, mask=255.255.224.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=VRF_GAMMA_GUEST(vrfid:1), output_ifc=GAMMA_OUTSIDE(vrfid:0)
Elapsed Time: 2670 ns

Phase 15
ID: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x14e1b59269c0, priority=0, domain=nat-per-session, deny=false hits=2141715426, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=any, output_ifc=any
Elapsed Time: 15575 ns

Phase 16
ID: 16
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x14e1cfb65c00, priority=0, domain=inspect-ip-options, deny=true hits=1722361105, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none input_ifc=GAMMA_OUTSIDE(vrfid:0), output_ifc=any
Elapsed Time: 0 ns

Phase 17
ID: 17
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 1671614994, packet dispatched to next moduleModule information for forward flow ...snp_fp_inspect_ip_optionssnp_fp_tcp_normalizersnp_fp_tcp_proxysnp_fp_snortsnp_fp_tcp_proxysnp_fp_translatesnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_statModule information for reverse flow ...snp_fp_inspect_ip_optionssnp_fp_tcp_normalizersnp_fp_translatesnp_fp_tcp_proxysnp_fp_snortsnp_fp_tcp_proxysnp_fp_tcp_normalizersnp_fp_adjacencysnp_fp_fragmentsnp_fp_tracer_dropsnp_ifc_stat
Elapsed Time: 11125 ns

Phase 18
ID: 18
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 9790 ns

Phase 19
ID: 19
Type: SNORT
Result: ALLOW
Config:
Additional Information: Snort Trace:Packet: TCP, SYN, seq 2113366982Session: new snort sessionAppID: service DNS over HTTPS (4624), application unknown (0)Firewall: starting AC rule matching, zone 20 -> 3, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0Firewall: allow rule, id 268440591, allowSnort id 0, NAP id 3, IPS id 0, Verdict PASS, Blocked by SSLSnort Verdict: (pass-packet) allow this packet
Elapsed Time: 391600 ns

Phase 20
ID: 20
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information: Found next-hop 164.39.215.37 using egress ifc GAMMA_OUTSIDE(vrfid:0)
Elapsed Time: 4005 ns

Phase 21
ID: 21
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information: Found adjacency entry for Next-hop 164.39.215.37 on interface GAMMA_OUTSIDEAdjacency :ActiveMAC address 0000.0c07.ac01 hits 490719309 reference 129272
Elapsed Time: 1335 ns

Result
Input Interface: VRF_GAMMA_GUEST(vrfid:1)
Input Status: up
Input Line Status: up
Output Interface: GAMMA_OUTSIDE(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 486385 ns

Re: Is PBR actually pushing traffic down VTI tunnels on FTD?

NetworkMonkey101 — Fri, 21 Mar 2025 14:09:16 GMT

The imported route is to the outside but I have no idea where this is coming from?

I have tested from a working FTD on another network and the PBR there is picking up the next hop.

Why is this not on mine?