11-02-2021 01:11 PM
We had an ASA fail but had a spare ASA 5508-X running 6.6.1 FTD on the shelf to use as a replacement. The firewall is able to hit the Smart License server, but we don't have Threat, Malware, or URL licenses available for this ASA, and none of these licenses are enabled. Snort blocked all connections that had 'Allow' as action in the ACP, though traffic started to flow when this was changed to 'Trust'. I can kind of understand this behavior with the licenses not being applied, but we've not encountered this at other remote locations. Does this behavior seem odd?
11-04-2021 02:13 AM
Do you have IPS configured for the rules, or perhaps any other configuration that would send traffic to Snort? If you have no licenses configured and traffic gets sent to Snort, then it would make sense that it gets dropped even though Allow is configured. Trust should not send traffic to Snort, but there are always exceptions to this rule. If I were you, I would place these rules into the pre-filter policy, that is, if this device will not have any licenses applied to it before an actual replacement device is put into production.
11-04-2021 03:06 AM
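The pre-filter approach suggested above, worked through as an added example (this is not code from the thread or from Cisco): a Fastpath rule in the prefilter policy is matched by the LINA data plane before anything is handed to Snort, so flows that hit it are never subject to the Snort verdict that was dropping the 'Allow' traffic. The script builds that rule and pushes it through the FMC REST API. Everything environment-specific is an assumption: the FMC hostname, credentials, the prefilter policy ID, and the FMC 6.x API paths and field names (`generatetoken`, `prefilterrules`, `FASTPATH`, `logEnd`, `sendEventsToFMC`) are the ones I know from that API version, so check them against your FMC's API Explorer before relying on them.

```python
"""Added example (not from the thread): create a FASTPATH prefilter rule through
the FMC REST API so traffic between two subnets is switched by the LINA engine
and never reaches Snort. Assumptions: FMC reachable at FMC_HOST, an existing
prefilter policy attached to the device's access control policy, FMC 6.x API."""
import base64
import ipaddress
import json
import ssl
import urllib.request

FMC_HOST = "fmc.example.internal"        # assumption: the managing FMC
API_PLATFORM = "/api/fmc_platform/v1"    # assumption: FMC 6.x API base paths
API_CONFIG = "/api/fmc_config/v1"


def network_literal(cidr: str) -> dict:
    """Convert a CIDR string into the literal form the FMC API expects.
    A single address (/32 or /128) becomes a Host literal, anything else a
    Network literal. strict=True rejects prefixes with host bits set."""
    net = ipaddress.ip_network(cidr, strict=True)   # ValueError on bad input
    if net.num_addresses == 1:
        return {"type": "Host", "value": str(net.network_address)}
    return {"type": "Network", "value": str(net)}


def fastpath_rule_payload(name: str, src_cidrs, dst_cidrs, log: bool = True) -> dict:
    """Body for POST .../prefilterpolicies/{id}/prefilterrules.

    action=FASTPATH means matching packets are forwarded by the data plane with
    no Snort inspection at all, which is why it works on a device that carries
    no Threat/Malware/URL licenses. The rule is deliberately scoped to explicit
    networks rather than 'any/any' so the inspection blind spot stays small,
    and connection-end logging is kept on so the bypassed flows remain visible
    in the FMC event view."""
    if not src_cidrs or not dst_cidrs:
        raise ValueError("a Fastpath rule must be scoped to explicit networks")
    return {
        "name": name,
        "type": "PrefilterRule",
        "ruleType": "PREFILTER",
        "action": "FASTPATH",
        "enabled": True,
        "sourceNetworks": {"literals": [network_literal(c) for c in src_cidrs]},
        "destinationNetworks": {"literals": [network_literal(c) for c in dst_cidrs]},
        "logEnd": log,                # assumption: logging field names as in FMC 6.x
        "sendEventsToFMC": log,
    }


def fmc_login(user: str, password: str, ctx: ssl.SSLContext):
    """Obtain an API token; FMC returns it and the domain UUID in headers."""
    req = urllib.request.Request(
        f"https://{FMC_HOST}{API_PLATFORM}/auth/generatetoken", method="POST")
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.headers["X-auth-access-token"], resp.headers["DOMAIN_UUID"]


def create_fastpath_rule(user, password, prefilter_policy_id, payload, ctx=None):
    """POST the rule into the given prefilter policy. Creating the rule does not
    change the running device; a deployment from FMC is still required."""
    ctx = ctx or ssl.create_default_context()   # verify the FMC certificate
    token, domain = fmc_login(user, password, ctx)
    url = (f"https://{FMC_HOST}{API_CONFIG}/domain/{domain}"
           f"/policy/prefilterpolicies/{prefilter_policy_id}/prefilterrules")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 method="POST")
    req.add_header("X-auth-access-token", token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample: bypass Snort only for the branch LAN talking to the
    # data-centre subnet, not for everything the spare firewall sees.
    rule = fastpath_rule_payload(
        "spare-5508-no-ips-bypass",
        src_cidrs=["10.20.0.0/16"],
        dst_cidrs=["10.0.10.0/24", "10.0.10.5/32"],
    )
    print(json.dumps(rule, indent=2))
    # create_fastpath_rule("apiuser", "secret", "<prefilter-policy-uuid>", rule)
```

Two practical caveats: a Fastpath rule is evaluated before the access control policy, so anything matched here also skips the ACP's own 'Allow' or 'Block' rules, which is why scoping it tightly matters; and once real licenses are applied on the replacement device, the rule should be removed or switched back to Analyze so the traffic is inspected again.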