4234 Views, 4 Helpful, 5 Replies

Best way confirm which ACL or Policies allow certain traffic on FTD

CiscoBrownBelt
Level 6

When doing packet tracer or captures, the ACL part may show one of the two different outputs below. I am basically trying to confirm which rules allow certain traffic; there are many rules, and many do not make sense or show hits.

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

or, for reference:

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: XXXX-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: testRule
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

5 Replies

Can you elaborate more?
Thanks
MHM

I am trying to determine what is not needed, as many show ZERO hits, but I am having trouble confirming exactly how traffic is being allowed in. I don't have any tunneled traffic.

FTD2140 managed by FMC.

tvotna
Spotlight

The first one shown by the packet-tracer is a default Lina L2 ACL (MAC ACL). Ignore it if you're using routed mode. The second one is a Lina ACL rule. This information may be of some relevance if the connection hits a fastpath prefilter rule. Otherwise, it may not point to an actual rule which allows or drops traffic in Snort. In order to identify the ACP rule which matches your connection, you need to either use "capture /trace" and then find a packet with a Snort verdict, or use "system support firewall-engine-debug" or "system support trace".

For Snort ACP rules you can also use

system access-control clear-rule-counts

and

show rule hits


Great info, I will look into these commands. Are these debugs pretty intensive (running on prod, so...)?

Are you referencing Snort in the packet-tracer? This is what I get when trying to check how one subnet enters:

Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 769230991
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 10, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet


You may find the rule id in the SNORT phase output and then check it with: show access-list | include 268441600
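As an added example (not from this thread and not Cisco code), here is a small Python parser for the packet-tracer output quoted above. It splits the output into phases, collects the "access-list ... remark rule-id" lines from the ACCESS-LIST phase, and resolves the rule-id that the SNORT phase reports in its "pending rule-matching, id ..." line to the ACP policy and rule names, which is the same lookup as "show access-list | include <rule-id>" done offline on saved output. SAMPLE is constructed from the lines posted in this thread; the function names are my own.

```python
import re

# Constructed sample in the packet-tracer format quoted in this thread (not real device output).
SAMPLE = """Phase: 5
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: XXXX-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: testRule
Phase: 14
Type: SNORT
Result: ALLOW
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 10, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
"""

REMARK = re.compile(r"remark rule-id (\d+): (.*)$")      # rule-id -> ACP / rule name
SNORT_RULE = re.compile(r"rule-matching, id (\d+)")       # rule-id Snort matched
VERDICT = re.compile(r"Snort Verdict: \((\S+)\)")         # e.g. pass-packet

def parse_phases(text):
    """Split packet-tracer output into phases, one dict per 'Phase:' header."""
    phases = []
    for line in text.splitlines():
        if line.startswith("Phase:"):
            phases.append({"type": "", "result": "", "lines": []})
        elif phases:
            key, _, value = line.partition(":")
            if key in ("Type", "Result"):
                phases[-1][key.lower()] = value.strip()
            phases[-1]["lines"].append(line)
    return phases

def match_rule(text):
    """Resolve the rule-id from the SNORT phase to the ACP policy/rule names in the
    ACCESS-LIST remarks; the Lina 'permit ip any any' entry only hands off to Snort."""
    remarks, snort_id, verdict = {}, None, None
    for phase in parse_phases(text):
        for line in phase["lines"]:
            if phase["type"] == "ACCESS-LIST" and (m := REMARK.search(line)):
                remarks.setdefault(m.group(1), []).append(m.group(2))
            elif phase["type"] == "SNORT" and (m := SNORT_RULE.search(line)):
                snort_id = m.group(1)
            elif phase["type"] == "SNORT" and (m := VERDICT.search(line)):
                verdict = m.group(1)
    return {"rule_id": snort_id, "verdict": verdict,
            "remarks": remarks.get(snort_id, [])}
```

Calling match_rule(SAMPLE) returns the rule-id 268441600, the verdict pass-packet, and the two remark strings naming the ACP and the L7 rule.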
