<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic FTD user and url rules not working in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/ftd-user-and-url-rules-not-working/m-p/3728455#M985593</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I have a strange issue with an FTD running the latest 6.2.3 code. When using rules that require inspection, like user or URL rules, the FTD will match on those rules even if it shouldn't be a match. For example, I am using an Identity policy and create rules based on users and groups from Active Directory. If I create a rule that should only match on users in group A, it will match on all users no matter which group they belong to. In fact, that rule will match even if the user doesn't belong to a user group at all. Same with URL rules. It will match on any URL rules no matter which categories I choose. Does anyone have a clue why this happens and how I can troubleshoot those inspection rules? Is it possible to see hit counts from Snort rules?&lt;/P&gt;</description>
    <pubDate>Fri, 21 Feb 2020 16:22:40 GMT</pubDate>
    <dc:creator>Chess Norris</dc:creator>
    <dc:date>2020-02-21T16:22:40Z</dc:date>
    <item>
      <title>FTD user and url rules not working</title>
      <link>https://community.cisco.com/t5/network-security/ftd-user-and-url-rules-not-working/m-p/3728455#M985593</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;I have a strange issue with an FTD running the latest 6.2.3 code. When using rules that require inspection, like user or URL rules, the FTD will match on those rules even if it shouldn't be a match. For example, I am using an Identity policy and create rules based on users and groups from Active Directory. If I create a rule that should only match on users in group A, it will match on all users no matter which group they belong to. In fact, that rule will match even if the user doesn't belong to a user group at all. Same with URL rules. It will match on any URL rules no matter which categories I choose. Does anyone have a clue why this happens and how I can troubleshoot those inspection rules? Is it possible to see hit counts from Snort rules?&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 16:22:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-user-and-url-rules-not-working/m-p/3728455#M985593</guid>
      <dc:creator>Chess Norris</dc:creator>
      <dc:date>2020-02-21T16:22:40Z</dc:date>
    </item>
    <item>
      <title>Re: FTD user and url rules not working</title>
      <link>https://community.cisco.com/t5/network-security/ftd-user-and-url-rules-not-working/m-p/3729674#M985594</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;How do you know that a specific rule is being hit for users not called in that rule config? Do you see events with the source IP/username being seen for a specific group in the 'table view of connection events'?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Can you show a snippet of the rule you are talking about? Ideally, if there is no match, the default rule is hit; maybe that's where the traffic is going.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;HTH&lt;/P&gt;
&lt;P&gt;AJ&lt;/P&gt;</description>
      <pubDate>Mon, 22 Oct 2018 09:28:59 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/ftd-user-and-url-rules-not-working/m-p/3729674#M985594</guid>
      <dc:creator>Ajay Saini</dc:creator>
      <dc:date>2018-10-22T09:28:59Z</dc:date>
    </item>
  </channel>
</rss>

