Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2093
Views
5
Helpful
3
Replies

ASA 5516 / FirePower - Restricted packets showing as allowed

Quintin.Mayo
Level 2
Level 2

‎05-20-2020 10:23 AM

Hi,

 

When checking firepower dashboard, saw a number of connection events that should have been dropped were showing as "would have been dropped" indicating the packets were allowed to flow when they shouldn't have. I'll attach screen shots of a few of these. Can anyone inform why this behavior is having? Any assistance will be appreciated.

 

Thanks,

Preview file
36 KB
Preview file
30 KB
0 Helpful
3 Replies 3

tebedwel
Cisco Employee
Cisco Employee

‎05-20-2020 12:10 PM

Hello Quintin,

 

The screenshot you are showing of the packet view is associated with an Intrusion event (aka IPS event). In your particular example, the traffic in question is matching the signature 1:53598:2 (gid:sid:rev).

 

The "would have dropped" action is generally evidence of an Intrusion policy that does not have "Drop when inline" setting configured, or you are connected to a "passive" interface (Such as a span port from a switch to a single interface on the FTD). Check your configured Intrusion policies Policies->Intrusion and take a look at the "Drop when Inline" setting. Here is what mine looks like:

 

ips_policy.png

 

I hope it helps!

Quintin.Mayo
Level 2
Level 2
In response to tebedwel

‎05-29-2020 08:31 AM

Hi,

We found that no interfaces are set with a security zone in FMC, and when looking at the firepower module in the ASA that all interfaces are set as ASA for the type. Also, Keelyn confirmed the drop when inline box was checked, and noted the base policy is set for connectivity over security.

Do the interfaces need to be configured with a security zone in FMC for this to work, or should this work as it is configured currently?

Also, is the recommended base policy for it to be set to balanced security and connectivity?

I've attached screenshots to go with this as well.

Thanks for your assistance it's greatly appreciated!
0 Helpful

Quintin.Mayo
Level 2
Level 2
In response to Quintin.Mayo

‎05-29-2020 08:34 AM

Hi,

Below are the attachments for our configuration. Please review and any suggestions would be appreciated!

 

Thanks

Preview file
65 KB
Preview file
28 KB
Preview file
24 KB
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card