04-11-2024 11:05 AM
What would be the best way to capture traffic on a subnet (192.168.1.0/24) while excluding one of the IPs within this subnet (192.168.1.1) from the capture?
The reason is that I want to run the capture for a couple of days, and 192.168.1.1 will fill up the buffer immediately.
Since matching an ACL is no longer supported on Cisco FTD, I'm looking for an alternative way to do the following on FTD:
access-list TEST deny ip host 192.168.1.1 any
access-list TEST permit ip any any
capture cap match access-list TEST
capture cap interface outside
Thanks,
04-11-2024 11:08 AM
Capture Cap match IP host x.x.x.x
This is what you can use.
MHM
04-11-2024 11:10 AM
What I'm looking for is to match the whole range (192.168.1.0/24) except for the IP address 192.168.1.1
04-11-2024 11:19 AM
Increase the buffer, or divide the subnet into parts and use each part in the capture. I know it is a lot of work, but it is a workaround at least.
MHM
04-12-2024 01:57 AM
Can you check again:
capture CAP interface XX ?
See what option you get
capture CAP interface xx match ?
See what option you get
MHM
04-14-2024 12:39 AM
No need for that, I checked in my lab.
FTD, unlike ASA, does not support an ACL in match; there is no option to add an ACL.
So, as I mentioned before, divide the subnet into parts and match these parts in the capture command.
I used two match statements in the same capture and it worked as I wanted.
MHM
04-14-2024 05:35 AM
The poster wants to capture all traffic other than 192.168.1.1, meaning you would need to exclude that specific IP, which is not possible. Creating specific statements for all hosts, I would assume, is not an option as it would take too much time depending on how many IPs are in the subnet. Subnetting the 192.168.1.0/24 subnet could be an option, but you would need to get very creative with that and spending time doing that might not be worth it. The best option and least time-consuming would be to set up SPAN / RSPAN on the switch port connecting to the FTD and then filter using an access list.
If you are already logging to a Syslog server then filtering on the traffic you want to inspect there might be an option if you are just looking for the connection events.
04-14-2024 05:39 AM
Friend, my idea is the following:
10.0.0.0/24
Divide it into small subnets like
10.0.0.0/25
And match the subnet that does not include the IP he needs to exclude.
I know it needs a lot of work, but it is a workaround to the limitations of the FTD capture.
MHM
04-14-2024 05:52 AM
I understand what you were suggesting, but the problem there is you will still include 192.168.1.1 in the capture with a /25 network. If you start subnetting at /30 you will exclude 1-3, and you will also have an issue as you would need to do some very creative subnetting to match the remaining IPs in the /24 subnet. This is time consuming to do and possibly not worth it. Which is why a better solution is to do SPAN / RSPAN on the uplink switch.
04-13-2024 03:36 PM
Unfortunately packet capture on the FTD does not allow for a range or ACL match, so omitting the 192.168.1.1 IP is not possible using this. The options you have are to set up SPAN / RSPAN on the uplink switch or (I have never tried this) do a tcpdump on the FTD in expert mode and filter on the required IP range. Not sure if the last would work as I have personally never tried it.
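The "creative subnetting" discussed in the posts above, and the tcpdump filter mentioned as an untested alternative, can both be derived mechanically. The following is an added example, not code from the thread or from Cisco: it computes the minimal set of CIDR blocks that equals a subnet minus one or more excluded hosts or prefixes (a /24 minus a single host always splits into eight blocks), renders them as FTD `capture ... match` lines in the `match ip <src> <mask> <dst> <mask>` form seen in the thread, and builds the equivalent BPF expression for tcpdump in expert mode. The capture name `CAP`, interface name `outside`, and the exact match syntax are assumptions; confirm the syntax on your own box with `capture CAP interface xx match ?` as suggested above.

```python
# Added example (not from the thread): subnet-minus-exclusions as CIDR blocks,
# rendered as FTD capture "match" lines and as a tcpdump/BPF filter.
# The FTD command template follows "capture NAME interface IF match ip SRC MASK DST MASK";
# that form, the capture name and the interface name are assumptions to verify on your unit.
import ipaddress
from typing import Iterable, List


def cidr_cover(subnet: str, excluded: Iterable[str]) -> list:
    """Return the sorted minimal list of CIDR blocks equal to subnet minus excluded.

    Each exclusion may be a single host ("192.168.1.1") or a prefix ("192.168.1.128/25").
    """
    cover = [ipaddress.ip_network(subnet, strict=False)]
    for ex_str in excluded:
        ex = ipaddress.ip_network(ex_str, strict=False)
        next_cover = []
        for block in cover:
            if block.subnet_of(ex):
                continue                                      # wholly excluded: drop it
            if ex.subnet_of(block):
                next_cover.extend(block.address_exclude(ex))  # split the block around it
            else:
                next_cover.append(block)                      # disjoint: keep as is
        cover = next_cover
    return sorted(cover)


def ftd_match_lines(name: str, interface: str, blocks) -> List[str]:
    """Render one 'capture NAME interface IF match ip <net> <mask> any' line per block."""
    return [
        f"capture {name} interface {interface} match ip "
        f"{b.network_address} {b.netmask} any"
        for b in blocks
    ]


def bpf_filter(subnet: str, excluded: Iterable[str]) -> str:
    """Build the tcpdump expression 'net SUBNET and not (host A or net B ...)'."""
    terms = []
    for ex_str in excluded:
        ex = ipaddress.ip_network(ex_str, strict=False)
        if ex.prefixlen == ex.max_prefixlen:
            terms.append(f"host {ex.network_address}")   # single address
        else:
            terms.append(f"net {ex.with_prefixlen}")      # whole prefix
    expr = f"net {ipaddress.ip_network(subnet, strict=False).with_prefixlen}"
    if terms:
        expr += " and not (" + " or ".join(terms) + ")"
    return expr


if __name__ == "__main__":
    # The thread's case: 192.168.1.0/24 minus 192.168.1.1 -> eight match statements.
    blocks = cidr_cover("192.168.1.0/24", ["192.168.1.1"])
    for line in ftd_match_lines("CAP", "outside", blocks):
        print(line)
    print("tcpdump filter:", bpf_filter("192.168.1.0/24", ["192.168.1.1"]))
```

Each excluded host costs at most one block per bit of the prefix length difference, so excluding one host from a /24 yields eight blocks (/32, /31, /30, ... /25) rather than hundreds of host statements. Whether the FTD capture applies several `match` lines with OR semantics is something to confirm on your own unit, as the lab result above describes for two statements.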