Cisco FTD - "No Rules Active" but active

brettp
Level 1

Hello, I'm still getting used to the FTD and have been for the better part of this year. Unfortunately, I have suffered so many things that TAC could not help with because they're in all probability bugs (some of which are very clearly bugs). I already have two cases open, one of them since August, still with no solution or communication for several weeks. At this point, and I hate to be a downer, I'm sadly losing my faith in the FTD and I don't trust anything I see. I cannot find the answer anywhere... Can someone clarify something? When I deploy updated IPS definitions, there are three points under "Intrusion Policy" on the preview page... It looks like this (see screenshot for an actual view from the deploy screen.)

Intrusion Policy

- Intrusion Policy: IPS-Policy-CC (Clearly, this references the policy I manually created.)
- Intrusion Policy: No Rules Active (What is this? We're using FTD/FMC version 7 and inspection mode is set to "prevention.")
- Intrusion Policy: Balanced Security and Connectivity (And clearly, this is the base policy I'm using.)

What is the "Intrusion Policy: No Rules Active" referencing? 

Any insight is appreciated! Thanks!



Marvin Rhoads
Hall of Fame

Your original post doesn't have any screen shot attached.

However, Intrusion policy can be uniquely set per rule in your access control policy (ACP). You may have some varying settings there that would cause multiple intrusion policies to be deployed. It is sometimes easiest to see the settings by exporting a report of the ACP (done from the ACP home page - see icon that looks like pages to the far right).

Marvin, thank you very much for the reply. Hmm, I attached the screenshot to the post so I am not sure what happened... I've attached it to this reply. So is that what is being referenced by the deploy window -- the various policies being modified? I only have one policy which is applied to every ACP rule with the exception of any deny rules. I just find it strange and confusing for it to say "No rules active." And I assume the 3rd listing is a default policy? Not a reference to base policy in the custom policy I created?

[Attached screenshot: Screen Shot 2022-12-12 at 7.46.24 AM.png]

Marvin Rhoads
Hall of Fame

Yes, the third one is a default policy. I could see it updating that and the first one. The second one is a bit odd if it is not called out at all in your ACP. Did you check the report I suggested?

Update - look in your ACP advanced settings under Network Analysis and Intrusion Policies. Most likely the default values there call out the "No Rules Active" policy as the "Intrusion Policy used before Access Control rule is determined" and the "Balanced Security and Connectivity" policy as the "Default Network Analysis Policy".
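An added example, not from this thread or from Cisco, that reconciles the deploy preview list against the intrusion policies an ACP's rules and default action actually reference. It runs on a constructed JSON document in the shape of an FMC REST API access policy with expanded rules (the field names `rules`, `ipsPolicy`, `defaultAction` and `intrusionPolicy` are assumptions; adapt them to your own export). Whatever is left over is not coming from the rule table and should be looked for under the ACP advanced settings described above.

```python
"""Reconcile the intrusion policies shown in an FMC deploy preview with the
ones an access control policy (ACP) references through its rules or default action."""
import json

# Constructed sample (not a real export) in the assumed shape of an FMC REST API
# access policy with expanded rules. Block rules carry no intrusion policy.
ACP_JSON = json.dumps({
    "name": "ACP-Main",
    "defaultAction": {"action": "BLOCK"},
    "rules": [
        {"name": "Allow-Web", "action": "ALLOW",
         "ipsPolicy": {"name": "IPS-Policy-CC", "type": "IntrusionPolicy"}},
        {"name": "Allow-DNS", "action": "ALLOW",
         "ipsPolicy": {"name": "IPS-Policy-CC", "type": "IntrusionPolicy"}},
        {"name": "Deny-All-Else", "action": "BLOCK"},
    ],
})

# The three "Intrusion Policy" entries from the deploy preview in the thread.
DEPLOY_PREVIEW = [
    "IPS-Policy-CC",
    "No Rules Active",
    "Balanced Security and Connectivity",
]


def referenced_policies(acp_json):
    """Return the set of intrusion policy names referenced by any rule or by the
    ACP default action (field names assumed, see lead-in)."""
    acp = json.loads(acp_json)
    names = set()
    for rule in acp.get("rules", []):
        ips = rule.get("ipsPolicy")
        if ips:
            names.add(ips["name"])
    default_ips = acp.get("defaultAction", {}).get("intrusionPolicy")
    if default_ips:
        names.add(default_ips["name"])
    return names


def unexplained_policies(acp_json, preview):
    """Preview entries that no rule or default action explains. In the thread's
    case these come from the ACP advanced settings (Network Analysis and
    Intrusion Policies), not from the rule table."""
    return sorted(set(preview) - referenced_policies(acp_json))


if __name__ == "__main__":
    for name in unexplained_policies(ACP_JSON, DEPLOY_PREVIEW):
        print(f"{name}: not on any rule; check ACP > Advanced > "
              "Network Analysis and Intrusion Policies")
```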

Thank you again for the reply. I did generate and review the report but didn't see anything out of the ordinary. All of the rules have the correct intrusion policy specified (which is every allow rule at the moment). Perhaps it notes that in the deploy window if there is a deny (with no intrusion policy, of course) or a pre-filter policy with something fast-pathed? In that case, there would be "no rules active," I guess? I really have no idea where that line on the deploy screen is coming from, to be honest.

Marvin Rhoads
Hall of Fame

@brettp see my "Update" post. I believe that answers the question.

Thank you. Yes, I see that. It's somewhat bizarre, but I guess it's normal!
