cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2464
Views
1
Helpful
5
Replies

Check if an IP address would be blocked in FMC

ryders1
Level 1
Level 1

Does anyone know if it would be possible to enter an IP somewhere in FMC and see how it would react to it? I am wondering if it is possible to simulate a user accessing an IP address or address range. I have been given a list of IPs from a vendor that we are supposed to whitelist. However, if we already allow access I don't want to make an access policy rule to allow them. Specifically I would like to enter an address like 8.8.8.8 and see if firepower would block or allow that address and then see why it was blocked or not.

4 Accepted Solutions

Accepted Solutions

@ryders1 you can run packet-tracer to simulate the traffic flow to the destination, this will tell you if it is allowed or blocked.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

 

View solution in original post

Packet-tracer you can use but if packet is drop in Snort you need more than packet-tracer. 

View solution in original post

Marvin Rhoads
Hall of Fame
Hall of Fame

First, be familiar enough with your firewall policy to be able to answer this question affirmatively for most use cases.

Second, packet-tracer can indeed confirm the rule set behavior. While it might not pick up latent issues where Snort (Security Intelligence or black lists) would drop the packets, if your vendor's required addresses are on one of those naughty lists you have a bigger problem than your firewall.

View solution in original post

5 Replies 5

@ryders1 you can run packet-tracer to simulate the traffic flow to the destination, this will tell you if it is allowed or blocked.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

 

Packet-tracer you can use but if packet is drop in Snort you need more than packet-tracer. 

Marvin Rhoads
Hall of Fame
Hall of Fame

First, be familiar enough with your firewall policy to be able to answer this question affirmatively for most use cases.

Second, packet-tracer can indeed confirm the rule set behavior. While it might not pick up latent issues where Snort (Security Intelligence or black lists) would drop the packets, if your vendor's required addresses are on one of those naughty lists you have a bigger problem than your firewall.

ryders1
Level 1
Level 1

Thanks everyone. That is what I was looking for.

Review Cisco Networking for a $25 gift card