Cisco Firepower not able to block torrent traffic

Hello, I am testing a Cisco ASA 5515-X with Firepower (IPS, AMP, URL Filtering licenses). I have created and applied an Access Control Policy. At the moment traffic at L3-L4 in our organization is blocked by the ASA firewall. With the SFR module I want to block Skype, TeamViewer, torrents and intrusions from the Internet.

My IPS policy is applied to the Threat Inspection rule, which is the last rule in the AC Policy. From what I understand, any traffic will be allowed if it is accepted by the IPS and AMP policies. The problem is that if I disable rule number 8 (Deny Torrent), then I can download torrent files and I am able to download torrent content using the Utorrent application, but I think that this traffic should be dropped by the IPS Policy. If I enable rule number 8, torrent file download is prohibited but not all torrent traffic is dropped (some of my torrents in Utorrent continue to download). I thought that the IPS policy attached to the Threat Inspection rule was going to block all traffic that the IPS Policy matches as intrusion traffic. When I check events I see that the Inline result for torrent traffic is "dropped". Why am I able to download torrents in Utorrent?

8 Replies

Jetsy Mathew, Cisco Employee

Hello Team,

From what I understand, it works as expected. If you disable the rule number with the Torrent filter, it will not work. What is the IPS base policy that you have?

What are the software versions involved here?

You should be able to block the torrent application completely without any issues. We need to check the configs under the policies and make sure that the policies are configured correctly. Don't add both application filters and URLs on the same rules.

Regards

Jetsy 

I thought that if I apply an IPS Policy, then I don't have to create any Access Control Rules to block torrent traffic, because the IPS Policy is going to block it.

Hello Team,

It won't work that way.

You need the access control policy to block the torrent application completely.

Rate and mark correct if the post helps you.

Regards

Jetsy 

Do you mean that the IPS Policy doesn't play any role in blocking torrent traffic? Is it blocking anything if it is attached to the Threat Inspection allow rule in my case?

Cisco documentation says that if I have an allow access control rule and I apply the IPS and File Policies, then the Firepower module will allow the packet only if it passes the IPS and File policies. In my case I thought that if I have a rule at the end that says allow any any and has the IPS policy attached, torrent traffic would not pass the IPS policy and would be dropped.

Hello Team,

IPS and file policies will take part in inspection. In your case, we need to look at the detailed AC policies and intrusion policies configured. Could you please open a TAC request to look at the same.

Regards

Jetsy 

The problem has been solved. I talked with a TAC engineer.

First of all, IPS rules are set to block malicious traffic, including malicious torrent traffic, but not all torrent traffic. Creating an Access Control rule to block the torrent application will block torrent traffic both clean and malicious.

Second, SFR will block the torrent/file download for both encrypted and unencrypted streams when SFR sees the initial connection.
When the end client has the download started either from home or over VPN and then plugs the PC into the network, ASA/SFR does not block the torrent traffic.

Even after creating an SSL policy, if the torrent stream is encrypted and the keys have already been exchanged prior to the connection coming through the SFR module, we have no way to know what the protocol is, and in that case the traffic would not be blocked.
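
The TAC explanation above (an inline inspector can only classify a flow whose initial connection it actually saw) can be illustrated with a small stateful flow classifier. This is an added toy example written for this thread, not Cisco code and not a description of how the SFR module is implemented; the packet records, addresses, port numbers and the plaintext BitTorrent peer-wire handshake check are constructed for illustration, and detection of encrypted handshakes is deliberately not modelled.

```python
"""Toy stateful flow classifier: flows whose TCP setup was observed can be
identified and dropped; flows picked up mid-stream fall through as unknown.
Constructed example for illustration only, not an SFR implementation."""

from __future__ import annotations
from dataclasses import dataclass

# Plaintext BitTorrent peer-wire handshake: length byte 19 followed by the
# protocol string. Used here as the only classification signature.
BT_HANDSHAKE = b"\x13BitTorrent protocol"


@dataclass
class Packet:
    flow: tuple            # constructed 4-tuple (src, sport, dst, dport)
    syn: bool              # True when this packet is the flow's TCP SYN
    payload: bytes = b""   # application bytes, if any


@dataclass
class FlowState:
    saw_start: bool        # did the inspector witness the connection setup?
    verdict: str = "pending"


class FlowInspector:
    """Tracks per-flow state and returns a verdict for each packet."""

    def __init__(self) -> None:
        self.flows: dict[tuple, FlowState] = {}

    def inspect(self, pkt: Packet) -> str:
        st = self.flows.get(pkt.flow)
        if st is None:
            # First packet seen for this flow: only a SYN proves we saw the
            # start; anything else means the flow pre-dates our visibility.
            st = FlowState(saw_start=pkt.syn)
            self.flows[pkt.flow] = st
        if st.verdict != "pending":
            return st.verdict          # verdict is sticky once decided
        if not st.saw_start:
            # Mid-stream pickup (e.g. client connected at home / over VPN,
            # then plugged into the LAN): no handshake to match against.
            st.verdict = "pass:unknown-midstream"
        elif pkt.payload.startswith(BT_HANDSHAKE):
            st.verdict = "drop:bittorrent"
        elif pkt.payload:
            st.verdict = "pass:other"
        # A bare SYN with no payload leaves the flow pending.
        return st.verdict


def run_sample() -> dict[str, str]:
    """Feed constructed packets through the inspector; return verdict per flow."""
    insp = FlowInspector()
    fresh = ("10.0.0.5", 51000, "198.51.100.7", 6881)   # started behind the inspector
    resumed = ("10.0.0.5", 51001, "203.0.113.9", 6881)  # already running when PC joined
    web = ("10.0.0.5", 51002, "192.0.2.10", 443)        # ordinary TLS connection
    packets = [
        Packet(fresh, syn=True),
        Packet(fresh, syn=False, payload=BT_HANDSHAKE + b"\x00" * 8),
        Packet(resumed, syn=False, payload=b"\x8f\x12\xa4\x7c\x03"),   # opaque mid-stream bytes
        Packet(web, syn=True),
        Packet(web, syn=False, payload=b"\x16\x03\x01\x00\x2a"),       # TLS record header
    ]
    last: dict[tuple, str] = {}
    for p in packets:
        last[p.flow] = insp.inspect(p)
    return {"fresh": last[fresh], "resumed": last[resumed], "web": last[web]}


if __name__ == "__main__":
    for name, verdict in run_sample().items():
        print(f"{name:8s} -> {verdict}")
```

The point for a defender is the "resumed" flow: it is logged only as an unknown, already-established connection, which matches the thread's observation that a download started before the client reached the network keeps flowing even though freshly started torrent connections are identified and dropped.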

Need help. I have an access control policy which blocks torrents, but the torrent still keeps downloading. What could be the issue? Also, I have an access control policy for IDM. It works fine to block video from YouTube, but for other websites IDM still downloads video. What could be the issue there as well?

I am running into the same problem. Running a Cisco ASA-5506X, sFR code 6.2.3.13, and torrents are NOT being blocked while using a TCP Block with Reset option configured. Cisco TAC hasn't been helpful with resolving this either. If anyone has any ideas, please advise.

My ruleset is very basic. The weird thing about this is that the traffic is identified correctly by the sFR module as BitTorrent traffic, as I can see the traffic in the FMC being sourced from my lab PC, but it would appear that the sFR cannot FULLY stop the traffic flows. This is regardless of how I start the BitTorrent traffic flow; I can start the entire flow of the traffic from the source network and the traffic is still allowed to flow.

I have a Cisco TAC case open as well, but so far they haven't been able to help fix the problem.
