Solved: Re: Cisco FTD send RST when dropped by Snort / IPS

brettp · ‎01-30-2023

Hello,

I understand that in Access Control rules on the FTD, there are "block" and "block with reset" actions, but how does one configure Snort / IPS to send a RST if it's dropping something (traffic that was set to "allow" in the ACP?) Furthermore, if possible, is it or can it be so granular as to allow for the specifying interfaces, zones, or the like?

Long story short, without all of the details, we are doing some testing... When moving a test malware file from zone to another, that is allowed by the ACP, the IPS is dropping the traffic as expected. The lack of a RST is causing the internal process that is moving the file to hang until it times out. I would like to send a RST in this case, but not for something being inspected from the internet. Is it possible?

Thanks!

MHM Cisco World · ‎02-01-2023

https://rayka-co.com/lesson/firepower-malware-and-file-policy/
check the reset connection in this above link

View solution in original post

Marius Gunnerud · ‎02-01-2023

If you create a Malware & File policy you can select drop with an option to reset. The Intrusion policy however does not have an option to reset when traffic is blocked.

This is a screenshot from the Malware & File policy when adding a rule:

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

brettp · ‎02-01-2023

Does anyone have any insight on this? I can find no documentation. Obviously, if it was an access rule dropping the traffic, one could use "Drop with reset" but this is being dropped by IPS. I can find no information or documentation online about sending a RST. I would imagine is has to be possible somehow? Thanks!

MHM Cisco World · ‎02-01-2023

the Snort not drop traffic is send verdict to Lina, Lina will drop the traffic.

brettp · ‎02-01-2023

Thanks for the reply. I understand that LINA ultimately drops the packet , but how can I configure the FTD to send a RST when traffic is getting dropped due to a IPS / intrusion policy rule… and not an access control rule?

MHM Cisco World · ‎02-01-2023

https://rayka-co.com/lesson/firepower-malware-and-file-policy/
check the reset connection in this above link

Marius Gunnerud · ‎02-01-2023

If you create a Malware & File policy you can select drop with an option to reset. The Intrusion policy however does not have an option to reset when traffic is blocked.

This is a screenshot from the Malware & File policy when adding a rule:

--
Please remember to select a correct answer and rate helpful posts

brettp · ‎02-02-2023

Thank you both for the information. Wow, that is interesting that a RST can not be sent if something is dropped due to intrusion rules. Correct me if I am wrong, but with the File & Malware Policy, I can only block filetypes with the Threat license. In order for me to do any type of dynamic file/malware inspection, I would need a Malware license, correct?

For instance… I am doing tests with a simple EICAR text file. If I were using a File & Malware policy, with the threat license only, I would only be able to block .txt for instance. It is unaware that the file is “malicious.” In order for me to scan the .txt and have the FTD determine it is malicious (not taking into account the IPS rules… strictly File & Malware policy,) I would need the Malware license?

Thanks!

MHM Cisco World · ‎02-02-2023

I think your are correct
https://www.cisco.com/c/en/us/td/docs/security/firepower/601/configuration/guide/fpmc-config-guide-v601/Licensing_the_Firepower_System.html

Marius Gunnerud · ‎02-02-2023

Your understanding is correct.

--
Please remember to select a correct answer and rate helpful posts