I have seen this.
I am assuming that there is a deny rule in the opposite direction?
If you add a permit rule in the opposite direction, is the traffic allowed?
If you run a system support firewall-engine-debug on the FTD what do you see there when you generate traffic?
As I mentioned, I have seen this in two cases. The first case was using active FTP, even with inspect ftp in place. The Snort process was not opening a pin-hole for the return traffic. The options to get around this were to either use passive FTP or send the traffic to "fast path".
The second time I saw something similar was when going to a website using a URL. http://www.website.com was blocked but http://website.com was allowed (this is even though we do not have a URL filtering license). This was being dropped by the security intelligence spam filter. We added the domain to the global whitelist, but it was still being dropped. We then removed the spam filter and deployed, and www.website.com was now working; we added the spam filter back and deployed, and www.website.com was still working.
My suggestion is to check system support firewall-engine-debug between the client and the server IPs. It might be that this is being dropped in security intelligence.
--
Please remember to select a correct answer and rate helpful posts