03-31-2017 07:00 AM - edited 03-12-2019 02:09 AM
When I issue a packet-tracer from my antispam to the Internet on the SMTP destination port, I see these results:
Packet: TCP, SYN, seq 811220630
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone 1 -> 1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: block rule, id 268434432, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
I can't find anywhere to allow or whitelist this stream.
06-26-2017 12:21 AM
I am running into the same problem. Did you find the solution for this?
03-15-2018 08:01 AM
I'm also encountering the same issue. Did you resolve this problem?
And another question: how do I tune the Snort verdict blacklist time?
03-15-2018 09:18 AM
In such a case the destination address is in the Firepower blacklist - either the one downloaded automatically as part of the Cisco Security Intelligence (SI) feed or a local custom blacklist.
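The trace in the first post is easier to triage once it is pulled apart by phase: which engine dropped the flow, which rule id matched, and whether the Snort verdict was a blacklist hit. The helper below is an added example, not code from this thread or from Cisco; it parses the packet-tracer output quoted above and returns the verdict, rule id and drop reason along with a suggested next step. The phase labels it matches (`Firewall:`, `Verdict`, `Drop-reason:`) are the ones visible in the quoted trace; the second sample (an ordinary ACL deny) and the FMC locations named in the next steps are assumptions made for illustration.

```python
"""Parse Firepower packet-tracer output and classify the drop reason.

Added example for this thread; not Cisco code. Matching is based on the
phase labels seen in the quoted trace, nothing more.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# The packet-tracer output quoted in the original post.
SAMPLE_TRACE = """\
Packet: TCP, SYN, seq 811220630
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone 1 -> 1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: block rule, id 268434432, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 2, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
"""

# Constructed sample of a plain access-list deny, for contrast. The
# "acl-drop" phase name follows the ASA drop-reason format; it is an
# illustration, not output captured from a device.
ACL_TRACE = """\
Packet: TCP, SYN, seq 1
Drop-reason: (acl-drop) Flow is denied by configured rule
"""


@dataclass
class TraceResult:
    verdict: Optional[str] = None       # e.g. "BLACKLIST"
    rule_id: Optional[int] = None       # firewall rule id that produced the drop
    drop_phase: Optional[str] = None    # token inside "Drop-reason: (...)"
    drop_reason: Optional[str] = None   # human-readable reason text
    category: str = "no-drop"
    next_steps: List[str] = field(default_factory=list)


def parse_packet_tracer(text: str) -> TraceResult:
    """Extract verdict, rule id and drop reason from packet-tracer output."""
    r = TraceResult()
    for line in text.splitlines():
        m = re.match(r"Firewall: block rule, id (\d+), drop", line)
        if m:
            r.rule_id = int(m.group(1))
        # "NAP id 2, IPS id 0, Verdict BLACKLIST, ..." (the colon form
        # "Snort Verdict: (...)" deliberately does not match here)
        m = re.search(r"\bVerdict (\w+)", line)
        if m:
            r.verdict = m.group(1).upper()
        m = re.match(r"Drop-reason: \(([\w-]+)\) (.*)", line)
        if m:
            r.drop_phase, r.drop_reason = m.group(1), m.group(2).strip()
    _classify(r)
    return r


def _classify(r: TraceResult) -> None:
    """Map the parsed fields to a triage category and defender next steps."""
    if r.drop_reason is None:
        return
    if r.verdict == "BLACKLIST" or "blacklisted" in r.drop_reason.lower():
        r.category = "security-intelligence"
        r.next_steps = [
            "Check Security Intelligence in the access control policy on the FMC: "
            "the destination may be in the Cisco-provided feed or a custom blacklist "
            "(assumed location).",
            "If the destination is legitimate, add it to a whitelist object/list and "
            "redeploy rather than loosening the access control rule.",
            "Confirm the same policy is deployed to every node before comparing "
            "behaviour between them.",
        ]
    elif r.drop_phase == "acl-drop":
        r.category = "access-control"
        r.next_steps = ["Review the access control or prefilter rule that matched."]
    else:
        r.category = "other"
        r.next_steps = ["Drop phase %r is not recognised by this helper; read the "
                        "full trace." % r.drop_phase]


if __name__ == "__main__":
    for trace in (SAMPLE_TRACE, ACL_TRACE):
        res = parse_packet_tracer(trace)
        print(res.category, res.verdict, res.rule_id, res.drop_reason)
        for step in res.next_steps:
            print("  -", step)
```

Run it as-is to see the thread's trace classified as a Security Intelligence hit; paste your own packet-tracer output into `parse_packet_tracer` to get the same breakdown for a different flow.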
04-21-2018 04:39 PM
I have the same issue when failing over to the primary node. I am using FTD running version 6.2.3-83. The secondary node works normally.
04-22-2018 05:06 AM
Are the appliances managed locally (ASDM) or remotely (FMC)? In either case you must make sure that the policies are applied identically to both nodes.
07-07-2019 07:57 PM
07-08-2019 02:04 AM
Are FTD 1 and FTD 2 in an HA pair?
We need some more details to ascertain possible causes of your problem.
07-08-2019 03:13 PM
07-08-2019 08:38 PM
If they aren't in an HA pair or cluster, how can they have the same configurations? Can you back up a step and tell us how you have them set up? Is this a lab?
07-08-2019 08:59 PM
I have 2x (2130) FTDs managed by FMC, all in production. Initially we only needed one FTD, and over time things grew and we added a new FTD. The previously deployed FTD is running version 220.127.116.11 and the recently added FTD is running version 6.2.1. I'm unable to upgrade 6.2.1 to 18.104.22.168, therefore I cannot cluster/HA (TAC case logged).
Actually, I wasn't able to set up DMVPN/IPsec tunnels between our two hubs, which sit behind each FTD. I tried running packet-tracer and saw this Snort drop, so now I'm here seeking advice on "Blocked or blacklisted by the firewall preprocessor". Mind you, to establish tunnels between both hubs, traffic traverses both FTDs.
The question arises: should I wait to upgrade FTD 6.2.1 to 22.214.171.124 and then cluster/HA, or should I look for the reason for the DROP?
07-08-2019 10:06 PM - edited 07-08-2019 10:10 PM
To pass DMVPN/IPsec tunnels through the Firepower devices, you should allow the traffic in a prefilter rule, not an access control policy rule. You will need to allow:
ESP/AH (IP proto 50/51) depending on configuration.
...to your hub address. The action should be "Fastpath".
07-09-2019 06:33 PM