Cisco FTD send RST when dropped by Snort / IPS

brettp
Level 1

Hello,

I understand that in Access Control rules on the FTD there are "block" and "block with reset" actions, but how does one configure Snort / IPS to send a RST if it is dropping something (traffic that was set to "allow" in the ACP)? Furthermore, if possible, is it, or can it be, granular enough to allow specifying interfaces, zones, or the like?

Long story short, without all of the details, we are doing some testing. When moving a test malware file from one zone to another, which is allowed by the ACP, the IPS is dropping the traffic as expected. The lack of a RST is causing the internal process that is moving the file to hang until it times out. I would like to send a RST in this case, but not for something being inspected from the internet. Is it possible?

Thanks!


8 Replies

brettp
Level 1

Does anyone have any insight on this? I can find no documentation. Obviously, if it was an access rule dropping the traffic, one could use "Drop with reset", but this is being dropped by IPS. I can find no information or documentation online about sending a RST. I would imagine it has to be possible somehow? Thanks!

Snort does not drop the traffic; it sends a verdict to Lina, and Lina drops the traffic.

Thanks for the reply. I understand that LINA ultimately drops the packet, but how can I configure the FTD to send a RST when traffic is getting dropped due to an IPS / intrusion policy rule, and not an access control rule?

https://rayka-co.com/lesson/firepower-malware-and-file-policy/
Check the "reset connection" option described in the link above.

If you create a Malware & File policy you can select drop with an option to reset.  The Intrusion policy however does not have an option to reset when traffic is blocked.

This is a screenshot from the Malware & File policy when adding a rule:

[Screenshot, 2023-02-01: Malware & File policy rule editor]

--
Please remember to select a correct answer and rate helpful posts
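To make the difference between the two drop paths concrete, here is an added example (not from the original thread, and not Cisco or FTD code). It stands up two throwaway local TCP servers: one that tears the connection down with a TCP RST, which is what a "block with reset" / "reset connection" action produces on the wire, and one that accepts the data and never answers, which is how an IPS drop with no reset looks to the sending host. The client then sends a constructed payload and waits for an acknowledgement, exactly like the file-moving process in the question. The port numbers, payload and the "ack byte" protocol are assumptions made up for the demonstration; the point is that without a RST the only thing that stops the client from hanging is its own read timeout.

```python
import socket
import struct
import threading

# Constructed stand-in for the file being moved between zones.
PAYLOAD = b"X" * 4096


def rst_handler(listener, stop):
    """Accept one connection, read a byte, then close with SO_LINGER=0.

    SO_LINGER with a zero timeout makes the kernel abort the connection
    with a TCP RST instead of a graceful FIN, mimicking 'block with reset'.
    """
    conn, _ = listener.accept()
    conn.recv(1)
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
    conn.close()
    listener.close()


def blackhole_handler(listener, stop):
    """Accept one connection and never read or reply.

    From the client's side the data is acknowledged by the kernel but the
    application never hears back, like an IPS verdict of drop with no reset.
    """
    conn, _ = listener.accept()
    stop.wait()            # hold the connection open until the demo ends
    conn.close()
    listener.close()


def start_server(handler):
    """Bind an ephemeral loopback port and run `handler` in a daemon thread."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    stop = threading.Event()
    threading.Thread(target=handler, args=(listener, stop), daemon=True).start()
    return listener.getsockname()[1], stop


def transfer(port, timeout):
    """Client side of the (assumed) transfer protocol: send, then wait for an ack.

    Returns 'ok', 'reset' or 'timeout' rather than blocking forever. The
    timeout is what keeps a silently dropped transfer from hanging.
    """
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        try:
            s.sendall(PAYLOAD)
            s.recv(1)          # wait for the ack byte
            return "ok"
        except (ConnectionResetError, BrokenPipeError):
            return "reset"     # peer sent RST: the client fails immediately
        except socket.timeout:
            return "timeout"   # no RST, no data: only the timer saves us


def demo(timeout=1.0):
    """Run both scenarios and return how the client experienced each one."""
    rst_port, _ = start_server(rst_handler)
    bh_port, bh_stop = start_server(blackhole_handler)
    results = {
        "block_with_reset": transfer(rst_port, timeout),
        "silent_drop": transfer(bh_port, timeout),
    }
    bh_stop.set()
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:17s} -> {outcome}")
```

The "block_with_reset" scenario comes back as `reset` almost instantly, while "silent_drop" only returns once the client's own timeout expires. That is the behaviour described in the thread: since the intrusion policy has no reset option, the practical mitigation on the sending side is a sensible socket timeout (or moving the block into a Malware & File policy rule that can reset the connection).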

Thank you both for the information. Wow, that is interesting that a RST cannot be sent if something is dropped due to intrusion rules. Correct me if I am wrong, but with the File & Malware Policy, I can only block file types with the Threat license. In order for me to do any type of dynamic file/malware inspection, I would need a Malware license, correct?

For instance, I am doing tests with a simple EICAR text file. If I were using a File & Malware policy with the Threat license only, I would only be able to block .txt, for instance. It is unaware that the file is "malicious". In order for me to scan the .txt and have the FTD determine it is malicious (not taking into account the IPS rules, strictly the File & Malware policy), I would need the Malware license?

Thanks!

Your understanding is correct.
