Re: access rules firepower 1010

BornJames · ‎07-08-2023

Hi team,

have a question regarding access rules.

how come if any any eveyrhting works fine.

however when i want to allow lets say connect to facebook, and everything else disable

so i put source(inside) network(any-ipv4) ports(any) destination(outside_zone) network(FQDN facebook.com) ports (any)

so now I should have connection only to facebook, however no connection at all.

Aref Alsouqi · ‎07-09-2023

How the internal endpoints resolve facebook.com? Is that via an internal DNS server or an external one? In case you are using internal DNS, is that internal DNS server able to resolve facebook.com? Also, is the firewall able to actually resolve that FQDN? and is the firewall and the endpoints are resolving to the same IP? If not the firewall might drop the traffic if the IP addresses don't match.

BornJames · ‎07-09-2023

Hello Aref,

the DNS resolvers is the external ones.

when you say firewall able to resolve that FQDN do you mean when i do it via cli ?

becuase when i do it via CLI like this ping system facebook.com it doesnt work

Aref Alsouqi · ‎07-10-2023

Yes, to verify the firewall resolution you can try with the command "sh dns" from LINA CLI, or you can use the command "sh access-list < the ACL name>" and look at the rule where you defined the FQDN. If you are running an FTD code then you can type the command "support system diagnostic-cli" from the CLISH mode (>) and then type "enable" and hit enter with no password, that will take you to LINA CLI which is basically the ASA CLI.

BornJames · ‎07-10-2023

Hi Aref,

I dont have these commands "sh dns" "invalid command at ^ dns"

I did find an article on troubleshooting the DNS, but was surprised that I cannot run these commands

Aref Alsouqi · ‎07-10-2023

Would you mind sending the screenshot from where you are trying to apply them?

BornJames · ‎07-10-2023

i have tried through here

when running via the gui clie i get "this command is not supported"

as well as via putty

when via putty

testfirepower# sh dns

% Invalid Command at '^' marker

Aref Alsouqi · ‎07-10-2023

the (>) is what so called CLISH mode, those commands can't be run from there, however, it should have worked via the SSH connection. Did you try to issue the other command "sh access-list < the ACL name>"?, also, if you run the command "sh run dns" do you see any configuration output?

BornJames · ‎07-10-2023

im not connected via ssh but console.

I am wondering could this be becuase the license is not enabled yet ?

we havent registered the device yet

Aref Alsouqi · ‎07-10-2023

I don't believe applying the licenses would affect at least the DNS configuration. How did you get to this mode "testfirepower# " from the console? did you have to move from the CLISH mode (>) using the command "support system diagnostic-cli"? if not you might be on the FXOS line rather than LINA.

BornJames · ‎07-10-2023

we just have a console cable connected to the firewall and when I use putty to connect to it, it asks crednetials and thats it im in testfirepower# " mode

didnt have to use anything

Aref Alsouqi · ‎07-10-2023

ok then I believe you are in FXOS mode. When you are on "testfirepower#" try please to type "connect ftd", and then "support system diagnostic-cli" and then "enable" and hit enter with no password and finally issue the above commands please.

BornJames · ‎07-10-2023

Hello Aref,

It did allow me to enter the connect ftd, i got to ">" mode but when trying to enter support system diagnostic-cli it doenst let me , cnanot push space between the words or even push enter when entering just support

Aref Alsouqi · ‎07-11-2023

Apologies, that was my bad, I did invert the first two words. The command should be "system support diagnostic-cli".

BornJames · ‎07-11-2023

yeh I have tried that, it doesnt allow me to push enter on anything, it lets you enter it but when I push enter the command just stays and nothing changes