https://community.cisco.com/t5/network-security/firepower-logging-issue/m-p/3806977#M948125 <P>Hi everybody,</P> <P>&nbsp;</P> <P>we are working on project implementation and found the syslog&nbsp;message from FirePOWER have some mismatch to the defined ACP's rules. Does anybody <SPAN style="background-color: #f6d5d9;">see&nbsp;</SPAN>this issue before? we are running v6.2.3 patch 4, thank you.</P> <P>&nbsp;</P> <P>say for example.&nbsp;</P> <P>A DNS policy have hit by the 443 traffic but the AD-DNS rules only allow TCP &amp; UDP 53 port</P> <P>&nbsp;</P> <P>Jan Date&nbsp; Firepower-module1 SFIMS: Protocol: UDP, SrcIP: 192.168.x.x, OriginalClientIP: ::, DstIP: 192.168.x.x, , SrcPort: 55775, DstPort: <STRONG>443</STRONG>, Flags: 0x0, IngressZone: Outside, EgressZone: Inside, DE: Primary Detection Engine (x.x.x.x), Policy: Office-Firewall_Policy, ConnectType: End, AccessControlRuleName:&nbsp; <STRONG>AD DNS</STRONG>, AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 85, ResponderBytes: 233, NAPPolicy: Balanced Security and Connectivity, DNSQuery: outlook.office365.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_T</P> Fri, 21 Feb 2020 16:50:51 GMT ray_lau 2020-02-21T16:50:51Z https://community.cisco.com/t5/network-security/firepower-logging-issue/m-p/3806977#M948125 <P>Hi everybody,</P> <P>&nbsp;</P> <P>we are working on project implementation and found the syslog&nbsp;message from FirePOWER have some mismatch to the defined ACP's rules. Does anybody <SPAN style="background-color: #f6d5d9;">see&nbsp;</SPAN>this issue before? we are running v6.2.3 patch 4, thank you.</P> <P>&nbsp;</P> <P>say for example.&nbsp;</P> <P>A DNS policy have hit by the 443 traffic but the AD-DNS rules only allow TCP &amp; UDP 53 port</P> <P>&nbsp;</P> <P>Jan Date&nbsp; Firepower-module1 SFIMS: Protocol: UDP, SrcIP: 192.168.x.x, OriginalClientIP: ::, DstIP: 192.168.x.x, , SrcPort: 55775, DstPort: <STRONG>443</STRONG>, Flags: 0x0, IngressZone: Outside, EgressZone: Inside, DE: Primary Detection Engine (x.x.x.x), Policy: Office-Firewall_Policy, ConnectType: End, AccessControlRuleName:&nbsp; <STRONG>AD DNS</STRONG>, AccessControlRuleAction: Allow, AccessControlRuleReason: Intrusion Block, Prefilter Policy: Default Prefilter Policy, UserName: No Authentication Required, Client: DNS client, ApplicationProtocol: DNS, IPSCount: 1, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 85, ResponderBytes: 233, NAPPolicy: Balanced Security and Connectivity, DNSQuery: outlook.office365.com, DNSRecordType: a host address, DNSResponseType: No Error, DNS_T</P> Fri, 21 Feb 2020 16:50:51 GMT https://community.cisco.com/t5/network-security/firepower-logging-issue/m-p/3806977#M948125 ray_lau 2020-02-21T16:50:51Z https://community.cisco.com/t5/network-security/firepower-logging-issue/m-p/3807228#M948126 <P>Maybe this is DNS over HTTPS?</P> <P>&nbsp;</P> <P><A href="https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default" target="_blank">https://support.umbrella.com/hc/en-us/articles/360001371526-Firefox-and-DNS-over-HTTPS-default</A></P> <P>&nbsp;</P> <P><A href="https://developers.google.com/speed/public-dns/docs/dns-over-https" target="_blank">https://developers.google.com/speed/public-dns/docs/dns-over-https</A></P> <P>&nbsp;</P> <P>I do not know how your Firepower rules are set up. But the Firepower may be detecting this as DNS if your condition is to match DNS application rather than tcp/ udp 53.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 21 Feb 2019 22:22:11 GMT https://community.cisco.com/t5/network-security/firepower-logging-issue/m-p/3807228#M948126 Rahul Govindan 2019-02-21T22:22:11Z