03-31-2017 07:00 AM - edited 03-12-2019 02:09 AM
when I issued a packet-tracer from my antispam to Internet on SMTP dest port, I see this results :
Packet: TCP, SYN, seq 811220630
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone 1 -> 1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: block rule, id 268434432, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
I can't find anyware to allow or white list this stream
06-26-2017 12:21 AM
I am running into the same problem. Did you find the solution for this?
03-15-2018 08:01 AM
I'm also encounter same issue , do you resolve this problem ?
And another question is how to tune Snort Verdict blacklisted time?
03-15-2018 09:18 AM
In such a case the destination address is in the Firepower blacklist - either the one downloaded automatically as part of the Cisco Security Intelligence (SI) feed or a local custom blacklist.
04-21-2018 04:39 PM
i have the same issue when failover to primary node. i am using FTD running version 6.2.3 -83. secondary node work normally.
04-22-2018 05:06 AM
Are the appliances managed locally (ASDM) or remotely(FMC). In either case you must make sure that the policies are applied identically to both nodes.
07-07-2019 07:57 PM
07-08-2019 02:04 AM
Are FTD 1 and FTD 2 in an HA pair?
We need some more details to ascertain possible causes of your problem.
07-08-2019 03:13 PM
07-08-2019 08:38 PM
If there aren't in an HA pair or cluster, how can they have the same configurations? Can you backup a step and tell us how you have them setup? Is this a lab?
07-08-2019 08:59 PM
I have 2x (2130) FTDs managed by FMC and all in production. Initially, we only needed 1 FTD and over the time things grew and added new FTD. Previously deployed FTD running version 22.214.171.124 and recently added FTD running version 6.2.1. Im unable to upgrade 6.2.1 to 126.96.36.199 therefore can not cluster/HA (TAC case logged).
Actually, I wasn't able to set up DMVPN/IPSec tunnels between our 2 HUBs which are behind each FTD. Tried running packet-tracer and seen this SNORT drop, now Im here and seeking advice on "Blocked or blacklisted by the firewall preprocessor". Mind you to establish tunnels between both HUBs traffic traverses thru both FTD
Question arises, should I wait to upgrade FTD 6.2.1 to 188.8.131.52 and then cluster/HA or should look for reason for DROP?
07-08-2019 10:06 PM - edited 07-08-2019 10:10 PM
To pass DMVPN/IPsec tunnels through the Firepower devices, you should allow the traffic in a prefilter rule - not an access control policy rule. You will need to allow:
ESP/AH (IP proto 50/51) depending on configuration.
...to your hub address. The action should be "Fastpath".
07-09-2019 06:33 PM
07-09-2019 07:48 PM
Yes, that's correct - only prefilter it with Fastpath action. Since the traffic is IPsec encapsulated and coming from known endpoints, none of the NGIPS processes (Snort, SI, Malware detection etc.) can add any value so prefilter will just Fastpath the DMVPN traffic to the post-processing stages (ALG, egress interface selection etc.).
04-22-2018 10:26 PM
i was the same issue but cisco tag help me find the reason
your output contain the blocking line id
Firewall: block rule, id 268434432, drop
in your situation it is 268434432
you must go to firepower applianca cli and connect to FTD
if promt is "ASB-HO-FTD-A# " connect to FTD
ASB-HO-FTD-A# connect ftd
then go to expert mode by typeng next commang
do the next linux command ( 1ac0cb9a-0cd2-11e8-8c50-8f0e1cebbe73 part is different for each appliance )
if you have problem with doing privious step then
- type "cat /var/sf/detection_engines/"
- press tab button
- append "ngfw.rules"
after this you will see all ACL and ID of each ACE
find the one from packet tracer output " 268434432 "
probably you must have permit statement for traffic before this point.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: