cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Welcome to Cisco Firewalls Community


268
Views
0
Helpful
2
Replies
Beginner

FTD access policy unexpected beheviour after applying a rule to block Teamviewer Application.

Hi, experts.

After applying in the FTD a rule to block the Teamviewer application for the internal hosts to internet (INSIDE to OUTSIDE),

I found in LINA this:

 

FTD-5516X-XXX# show access-list CSM_FW_ACL_ | i 268434489
access-list CSM_FW_ACL_ line 219 remark rule-id 268434489: ACCESS POLICY: ACP-XXX - Mandatory
access-list CSM_FW_ACL_ line 220 remark rule-id 268434489: L7 RULE: BLOCK TEAM VIEWER
access-list CSM_FW_ACL_ line 221 advanced permit ip ifc INSIDE any ifc OUTSIDE any rule-id 268434489 (hitcnt=514521) 0x38d32427

 

The application has been blocked but is allowing everything from INSIDE to OUTSIDE (when application is not matching).

Is normal this behaviour or what can I do to avoid that rule not allow the traffic in line 221 ?

Regards.

Everyone's tags (3)
2 REPLIES 2
Beginner

Re: FTD access policy unexpected beheviour after applying a rule to block Teamviewer Application.

What is the default action of the policy? (shown here in my firepower management center)

 

It should be set to "Block", I think yours might be "allow"

 

default action fmc.JPG

Beginner

Re: FTD access policy unexpected beheviour after applying a rule to block Teamviewer Application.

The default action is se to block all. See image. A default action set to other must add: permit ip any any (without zones).

Note the rule blocking the Application (Teamviewer in this case) is adding the permit action.

As a workaround I am looking to define a specific protocol in the same rule (for example icmp echo) and it is working (it adds only icmp echo). But this is a rare the behaviour, don´t think so ?  There must be a better way to tune this.

 

RULES.png