CSCwh64784 - FTD is not matching ACP rules with multiple FQDN objects
11-21-2024 04:56 AM
Hi, any update on this bug? I suppose there has not been any fix yet?
The suggested workaround isn't really feasible in reality when there are dependencies on FQDNs in a hybrid environment with many AWS/Azure-based VMs.
Symptom: Traffic does not match an ACP rule which has more than one FQDN object specified as source or destination networks. Instead, another rule below will be matched.
Conditions: 1) An ACP rule is configured with more than one FQDN object as a matching condition. 2) There are no IP-based objects in source or destination networks.
Workaround: For FQDN-based rules specify only one FQDN object. If needed, create a separate rule for every FQDN that should be matched.
Labels: Cisco Bugs, Security
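As an added example (not from this thread, Cisco, or the bug report), the script below turns the two conditions quoted above into an audit check over an access control policy and applies the documented workaround mechanically: every rule that meets both conditions is replaced, in place, by one rule per FQDN combination so that rule order is preserved. The rule dictionaries are a constructed, simplified representation for illustration; they are not the FMC REST API schema, and the object type names are assumptions.

```python
"""Audit helper for the CSCwh64784 conditions (added example, not Cisco code).

Assumed rule shape (constructed, NOT the FMC API schema):
  {"name": str, "action": str,
   "sourceNetworks": [{"type": "FQDN"|"Network"|"Host"|"Range", "value": str}],
   "destinationNetworks": [...]}
An empty network list means "any".
"""
from copy import deepcopy
from itertools import product


def _is_fqdn(obj: dict) -> bool:
    return obj.get("type") == "FQDN"


def affected_by_fqdn_bug(rule: dict) -> bool:
    """True when a rule meets both conditions from the bug report:
    1) more than one FQDN object across source/destination networks, and
    2) no IP-based objects (anything that is not FQDN) in either list."""
    nets = rule.get("sourceNetworks", []) + rule.get("destinationNetworks", [])
    fqdn_count = sum(1 for o in nets if _is_fqdn(o))
    ip_count = sum(1 for o in nets if not _is_fqdn(o))
    return fqdn_count > 1 and ip_count == 0


def find_affected(policy: list) -> list:
    """Names of the rules in a policy that the bug would silently skip."""
    return [r["name"] for r in policy if affected_by_fqdn_bug(r)]


def split_fqdn_rule(rule: dict) -> list:
    """Apply the workaround: one rule per (source FQDN, destination FQDN) pair.
    An empty ("any") side yields a single choice so it is carried over as-is.
    Every other attribute of the original rule is copied unchanged."""
    src_choices = [[o] for o in rule.get("sourceNetworks", [])] or [[]]
    dst_choices = [[o] for o in rule.get("destinationNetworks", [])] or [[]]
    expanded = []
    for n, (src, dst) in enumerate(product(src_choices, dst_choices), start=1):
        new_rule = deepcopy(rule)
        new_rule["name"] = f"{rule['name']}-{n}"
        new_rule["sourceNetworks"] = src
        new_rule["destinationNetworks"] = dst
        expanded.append(new_rule)
    return expanded


def expand_policy(policy: list) -> list:
    """Return a policy where affected rules are replaced by their split form.
    Position matters: ACP evaluates top-down, and the bug symptom is that a
    rule further down gets matched instead, so the replacements must occupy
    the original rule's slot rather than be appended at the end."""
    out = []
    for rule in policy:
        out.extend(split_fqdn_rule(rule) if affected_by_fqdn_bug(rule) else [rule])
    return out


# Constructed sample policy for demonstration (hostnames are .test placeholders).
SAMPLE_POLICY = [
    {"name": "allow-cloud-apis", "action": "ALLOW",          # has an IP object -> not affected
     "sourceNetworks": [{"type": "Network", "value": "10.1.0.0/16"}],
     "destinationNetworks": [{"type": "FQDN", "value": "api.aws.example.test"},
                             {"type": "FQDN", "value": "api.azure.example.test"}]},
    {"name": "allow-vm-updates", "action": "ALLOW",          # two FQDNs, no IP -> affected
     "sourceNetworks": [],
     "destinationNetworks": [{"type": "FQDN", "value": "updates.example.test"},
                             {"type": "FQDN", "value": "mirror.example.test"}]},
    {"name": "allow-single-fqdn", "action": "ALLOW",         # only one FQDN -> not affected
     "sourceNetworks": [],
     "destinationNetworks": [{"type": "FQDN", "value": "vault.example.test"}]},
    {"name": "vm-to-vm", "action": "ALLOW",                  # FQDNs on both sides -> affected
     "sourceNetworks": [{"type": "FQDN", "value": "web-a.example.test"},
                        {"type": "FQDN", "value": "web-b.example.test"}],
     "destinationNetworks": [{"type": "FQDN", "value": "db.example.test"}]},
    {"name": "deny-all", "action": "BLOCK",
     "sourceNetworks": [], "destinationNetworks": []},
]

if __name__ == "__main__":
    print("affected rules:", find_affected(SAMPLE_POLICY))
    for r in expand_policy(SAMPLE_POLICY):
        print(r["name"], [o["value"] for o in r["sourceNetworks"]],
              "->", [o["value"] for o in r["destinationNetworks"]])
```

The audit (`find_affected`) is the part worth running against a real policy export first: a rule that meets both conditions is not rejected by the FMC, it simply never matches on the FTD, so the only evidence is traffic hitting a lower rule than expected.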
11-21-2024 05:39 AM
The bug report refers to https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwj24828, which has fixed versions.
M.
-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '
11-21-2024 05:45 AM - edited 11-21-2024 05:45 AM
Thanks, I've looked at that earlier but that's for a similar bug and not the one we are after. And fixed versions don't include FTD software.
11-21-2024 06:15 AM
The workaround does not work for you?
Also, did you try DNS SI?
In DNS SI you can specify all domains.
MHM
11-21-2024 06:24 AM
We've got loads of hosts in AWS and Azure, so that's not a realistic approach for us.
