Denied Packets from FTD gets logged in second firewall

stsag_080067084
Level 1

Hi All

I need clarification on the following.

For our Internet Access we have two firewalls in line as follows.

"Internet Router"---"FTD2110"---"Second FW"---"Internal LANs"

On the FTD our ACP inbound rules "permit" specific destination IPs and ports per IP, with the ACP default action set to Block All Traffic (the last rule's match action).

Per the ACP rules, IPS is enabled with drop inline action, and "Intrusion Policy used before Access Control rule is determined" on the Advanced tab is also enabled.

Incoming Internet traffic that does not match any specific permit rule gets blocked by the default last-rule action, and we can see the logs in the FMC Connection Event viewer.

BUT we can also see logs for the blocked packets on the second firewall (also getting dropped due to the security policy on the second FW).

Note: Our inbound ACP permit rules match traffic on IP and port; we do not use Application IDs for identification.

How is it possible for dropped/blocked packets from the FTD to reach the second FW?
Thanks in advance.

2 Replies

Abheesh Kumar
VIP Alumni

Hi,

As you said, you're not using an Application filter, so you should not see the logs in the second firewall. Did you check the blocked traffic event times on both firewalls? Is it the same connection time?

Does this affect all the (blocked) connections, or only those from a specific IP?

Hi Abheesh Kumar

Thanks for your response.

Dropped/blocked traffic logs on both firewalls are not exactly synchronized (time on both FWs is synchronized with NTP).

It seems that some packets went through the FTD.

Blocked traffic matched rule:

Rule 275, Outside_Inbound_Rule#206 | Zone: Outside_Zone | all other match fields: Any | Action: Block with reset
Unable to determine if this is the case with all blocked traffic.

I found the document https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc11 and the note states: "In order for the Snort engine to determine the application it has to inspect a few packets (usually 3-10 which depends on the application decoder). Thus a few packets are allowed through the FTD and they make it to the destination. The allowed packets are still subject to the Intrusion Policy check based on the Access Policy > Advanced > 'Intrusion Policy used before Access Control rule is determined' option."

The above note applies to L7 rules. What is the definition of an L7 rule in FTD? Does it apply only to rules with application identification, or also to rules with an Intrusion Policy?

Kind regards
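The check suggested above (compare the timestamps of the blocked events on both firewalls) and the observation that a few packets of a blocked flow still reach the second firewall can be put on a systematic footing. The following script is an added example, not code from this thread or from Cisco: it correlates FTD block events with the second firewall's deny log by 5-tuple and a time window, so that flows which the FTD reports as blocked but which still produced a deny on the second firewall (the pre-classification packets the linked document describes) are separated from denies the FTD never saw at all. The FMC export columns and the second firewall's syslog line format are assumptions, and all log lines are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: a simplified FMC connection-event export with the
# columns timestamp, action, source IP, destination IP, destination port,
# protocol, matched rule. The layout is an assumption for this example, not
# the real FMC export format.
FMC_EVENTS = """\
2023-03-01 10:00:01,Block,198.51.100.7,203.0.113.10,443,tcp,Outside_Inbound_Rule#206
2023-03-01 10:00:03,Allow,198.51.100.8,203.0.113.10,443,tcp,Permit_Web
2023-03-01 10:00:05,Block,198.51.100.9,203.0.113.11,22,tcp,Outside_Inbound_Rule#206
"""

# Constructed sample data: deny lines from the second firewall in an assumed
# generic syslog-style format (the real product's format will differ).
SECOND_FW_LOG = """\
2023-03-01 10:00:02 deny tcp 198.51.100.7:51234 -> 203.0.113.10:443 security-policy
2023-03-01 10:00:06 deny udp 198.51.100.12:5353 -> 203.0.113.10:53 security-policy
2023-03-01 10:00:40 deny tcp 198.51.100.9:44120 -> 203.0.113.11:22 security-policy
"""

TS_FMT = "%Y-%m-%d %H:%M:%S"
FW_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) deny (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_fmc_blocks(text):
    """Return (flow_key, timestamp, rule) for every FMC event whose action is Block."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src, dst, dport, proto, rule = line.split(",")
        if action != "Block":
            continue
        key = (src, dst, int(dport), proto)
        flows.append((key, datetime.strptime(ts, TS_FMT), rule))
    return flows


def parse_second_fw_denies(text):
    """Return (flow_key, timestamp) for every deny line on the second firewall."""
    denies = []
    for line in text.splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        key = (m["src"], m["dst"], int(m["dport"]), m["proto"])
        denies.append((key, datetime.strptime(m["ts"], TS_FMT)))
    return denies


def correlate(fmc_blocks, fw_denies, window_seconds=5):
    """Pair each FTD block with a second-firewall deny for the same flow key
    whose timestamp lies within window_seconds. A pair is evidence that packets
    of a flow the FTD reports as blocked still reached the second firewall.
    Returns a list of (flow_key, rule, delta_seconds)."""
    window = timedelta(seconds=window_seconds)
    leaked = []
    for key, ftd_ts, rule in fmc_blocks:
        for fw_key, fw_ts in fw_denies:
            if fw_key == key and abs(fw_ts - ftd_ts) <= window:
                leaked.append((key, rule, abs(fw_ts - ftd_ts).total_seconds()))
                break
    return leaked


def unexplained_denies(fmc_blocks, fw_denies):
    """Second-firewall denies for flows the FTD never reported at all; these
    need an explanation other than Snort's pre-classification packets."""
    seen = {key for key, _, _ in fmc_blocks}
    return [(key, ts) for key, ts in fw_denies if key not in seen]


if __name__ == "__main__":
    blocks = parse_fmc_blocks(FMC_EVENTS)
    denies = parse_second_fw_denies(SECOND_FW_LOG)
    for key, rule, delta in correlate(blocks, denies):
        print(f"leaked: {key} blocked by {rule}, seen on second FW {delta:.0f}s apart")
    for key, ts in unexplained_denies(blocks, denies):
        print(f"unexplained on second FW: {key} at {ts}")
```

With the constructed data, only the flow from 198.51.100.7 is reported within the window (1 second apart), the 198.51.100.9 deny 35 seconds later is treated as a separate attempt rather than leaked packets, and the UDP flow from 198.51.100.12 is flagged as never having been seen by the FTD. Widening `window_seconds` is the lever to turn if the two devices' clocks or logging delays differ by more than a few seconds.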