cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1364
Views
0
Helpful
2
Replies

FTD Turn Off SMTP Inspection via FDM

rfranzke
Level 1
Level 1

Trying to figure out why my newly deployed FTD device still insists on inspecting SMTP traffic. Cisco Firepower 2130 Threat Defense running 7.0.1-84 code. Telnet to my Internet mail host behind my FTD on port 25 from the Internet like so:

telnet <mailhostIP> 25

I get this prompt which I assume means the FTD is doing some kind of inspection of the session:

220-***********************************************************************

220-********************************************************************

220-********************************************************************

220-********************************************************************

220-********************************************************************

220-********************************************************************

220-********************************************************************

220 ********************************************************************

I have looked around the googleverse and have done all I can find on it. First off, Email works through the device. We are getting Email. We make Email software and do not want the device mucking up our own security features so we can test them. 

Secondly, I have read you can issue the command configure inspection esmtp disable. This seems to remove the esmtp inspection from the FTD MPF global policy from this config section:

class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp

Allegedly, when you run this it removes the 'inspect esmtp' from the above configuration. My device has never had that line in its config. I ran the command just in case it did something else, but nothing changed.

I thought maybe the IDS inspection engine was doing this so I disabled IDS inspection and again no change. Still get the asterisk prompt when testing Email.

I have also seen where you are supposed to use flex config to edit a disableInspectProtocolList flexconfig object to disable the inspection. None of the examples to do this line up with anything in FDM other than the fact there is a flex config object being used. Examples make it sound like its a pre-defined list but I have no idea in FDM how to get it to show up. Maybe another penalty of using FDM to configure an FTD FW.

It does not look like my device is inspecting ESMTP based ton the MPF config I see:

class-map inspection_default
match default-inspection-traffic

policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
inspect xdmcp
class class_snmp
inspect snmp
!
service-policy global_policy global

There is this in the config but I don't see where its used in my policy:

policy-map type inspect esmtp _default_esmtp_map
description Default ESMTP policy-map
parameters
mask-banner
no mail-relay
no special-character
allow-tls

Is the device able to detect you are using telnet and intercepts the smtp sessions or does it work like ASA did? Meaning it can tell its not a true SMTP session and intercepts it leaving valid SMTP servers alone? Whats the secret to turning this off? What am I missing here? Thanks in advance for the help.

2 Replies 2

Arunkumar Sathasivam
Cisco Employee
Cisco Employee

Hi rfranzke,

As per your above configuration SMTP inspection is disbaled in global policy map.

And in FTD packet processing, there is Network Analysis  preproccessing inspection will happen in the global level. By default Network Analysis policies is enabled under Access Control Policy > Advanced. Below is the URL which you will get more informaiton about Network Analysis Policies. 

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/application_layer_preprocessors.html#ID-2244-00000b49 

Note:

From FTD version 7.X you can see Snort Engine version 2&3. So please work in respective Snort engine. If you not enable Snort Engine 2, then only work on Network Analysis Policies Snort version 3

I hope above information helps for your query !! If issue is still presist, please raise a TAC support case

-----------------------------------------
You can also learn more about Secure Firewall (formerly known as NGFW) through our live Ask the Experts (ATXs) session. Check out Cisco Network Security ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-network-security-ask-the-experts-resources/ta-p/4416493] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------

rfranzke
Level 1
Level 1

Thanks very much for the reply here. So I am using FDM for managing this device. I have the Intrusion Detection policy set up for the inbound rule allowing SMTP traffic. IS this what you are referring to. I do not seem to have an “Advanced” section of the Access control policy on my device. I am using the SNORT version 3 inspectors on my device.

 

So in my case, are you saying if I disable Snort inspection for this rule, I shouldn’t see the SMTP intercept during SMTP sessions?

 

Thanks again for the reply.