Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1723
Views
1
Helpful
5
Replies

Check if an IP address would be blocked in FMC

Go to solution
ryders1
Level 1
Level 1

‎05-05-2023 06:48 AM

Does anyone know if it would be possible to enter an IP somewhere in FMC and see how it would react to it? I am wondering if it is possible to simulate a user accessing an IP address or address range. I have been given a list of IPs from a vendor that we are supposed to whitelist. However, if we already allow access I don't want to make an access policy rule to allow them. Specifically I would like to enter an address like 8.8.8.8 and see if firepower would block or allow that address and then see why it was blocked or not.

4 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎05-05-2023 06:55 AM - edited ‎05-05-2023 06:56 AM

@ryders1 you can run packet-tracer to simulate the traffic flow to the destination, this will tell you if it is allowed or blocked.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

 

View solution in original post

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-05-2023 07:20 AM

Packet-tracer you can use but if packet is drop in Snort you need more than packet-tracer. 

View solution in original post

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-05-2023 08:02 AM

First, be familiar enough with your firewall policy to be able to answer this question affirmatively for most use cases.

Second, packet-tracer can indeed confirm the rule set behavior. While it might not pick up latent issues where Snort (Security Intelligence or black lists) would drop the packets, if your vendor's required addresses are on one of those naughty lists you have a bigger problem than your firewall.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Rob Ingram
VIP
VIP

‎05-05-2023 06:55 AM - edited ‎05-05-2023 06:56 AM

@ryders1 you can run packet-tracer to simulate the traffic flow to the destination, this will tell you if it is allowed or blocked.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html

 

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP

‎05-05-2023 07:20 AM

Packet-tracer you can use but if packet is drop in Snort you need more than packet-tracer. 

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-05-2023 08:02 AM

First, be familiar enough with your firewall policy to be able to answer this question affirmatively for most use cases.

Second, packet-tracer can indeed confirm the rule set behavior. While it might not pick up latent issues where Snort (Security Intelligence or black lists) would drop the packets, if your vendor's required addresses are on one of those naughty lists you have a bigger problem than your firewall.

0 Helpful

Go to solution
ryders1
Level 1
Level 1

‎05-05-2023 10:55 AM

Thanks everyone. That is what I was looking for.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card