After applying in the FTD a rule to block the Teamviewer application for the internal hosts to internet (INSIDE to OUTSIDE),
I found in LINA this:
FTD-5516X-XXX# show access-list CSM_FW_ACL_ | i 268434489
access-list CSM_FW_ACL_ line 219 remark rule-id 268434489: ACCESS POLICY: ACP-XXX - Mandatory
access-list CSM_FW_ACL_ line 220 remark rule-id 268434489: L7 RULE: BLOCK TEAM VIEWER
access-list CSM_FW_ACL_ line 221 advanced permit ip ifc INSIDE any ifc OUTSIDE any rule-id 268434489 (hitcnt=514521) 0x38d32427
The application has been blocked but is allowing everything from INSIDE to OUTSIDE (when application is not matching).
Is normal this behaviour or what can I do to avoid that rule not allow the traffic in line 221 ?
What is the default action of the policy? (shown here in my firepower management center)
It should be set to "Block", I think yours might be "allow"
The default action is se to block all. See image. A default action set to other must add: permit ip any any (without zones).
Note the rule blocking the Application (Teamviewer in this case) is adding the permit action.
As a workaround I am looking to define a specific protocol in the same rule (for example icmp echo) and it is working (it adds only icmp echo). But this is a rare the behaviour, don´t think so ? There must be a better way to tune this.