topic Re: FTD 7.4 ACP rule matching: host vs object-group in Network Security

FTD 7.4 ACP rule matching: host vs object-group

TSOL — Thu, 18 Dec 2025 06:30:27 GMT

Hello Experts,

I have a question regarding the behavior of Access Control Policy (ACP) on Cisco Secure Firewall Threat Defense (FTD) 7.4.

Environment:
- FTD 7.4
- Managed by FDM
- IPv4 only
- Access Control Policy in use

Configuration:
1. Rule #1 (Top rule)
- Action: Allow
- Source Network: Single host object (e.g. host_test2)
- Destination: any
- Other conditions: any

2. Rule #2 (Lower rule)
- Action: Block
- Source Network: Object-group (TEST-Group)
- TEST-Group includes host_test2
- Destination: IPv4-any
- Other conditions: any

Observed behavior:
When traffic is sent from host_test2, it is blocked by Rule #2 instead of being allowed by the top Allow rule (Rule #1).

Connection Events confirm that the Block rule using the object-group is the matched rule.

Verified:
- Rule order is correct (Allow rule is above Block rule)
- This is not caused by NAT or asymmetric routing

Official documentation reviewed:
The following Cisco document explains that ACP evaluation is performed by the Snort engine, but I could not find a clear specification about precedence between a single host object and an object-group.

- Clarify the Firepower Threat Defense Access Control Architecture
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

Questions:
1. In FTD 7.4 ACP matching, are there cases where a rule using an object-group
that includes a specific host matches traffic instead of a higher rule
using that single host?

2. Is this type of configuration — using a single host and an object-group
containing that host in separate ACP rules — something that should be
avoided as a best practice?

If there is any official documentation or Cisco TAC guidance regarding this behavior, I would appreciate it.

Thank you in advance.

Re: FTD 7.4 ACP rule matching: host vs object-group

balaji.bandi — Thu, 18 Dec 2025 07:19:36 GMT

When traffic is sent from host_test2

What kind of traffic and what is the destination? TEST-Group includes host_test2 (so return traffic you are blocking) - what is the intention of this testing?

Re: FTD 7.4 ACP rule matching: host vs object-group

Cristian Matei — Thu, 18 Dec 2025 10:53:51 GMT

Hi,

Assuming both rule are configured within same section (Mandatory or Default), and given the rules are configured as you've mentioned, this sounds like a bug (did you somehow reorder the rules, like your first rule was initially the second one and you've changed order afterwards?), or a misconfiguration, maybe your host_test2 object is not configured properly.

Can you delete the ACP rules, create new objects and objects-groups and ensure you're matching correctly on what you need to match, create the ACP rules again and test again? If still not working, can you get to FTD CLI and paste the output of command "show access-list CSM_FW_ACL_" and mention what is the IPv4 address of the host's traffic that should match on first rule?

Thanks,

Cristian.