cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

449
Views
10
Helpful
3
Replies
Highlighted
Beginner

DNS Security intelligence block - how to see at CLI on FTD?

How can I see DNS Security Intelligence event for the blocked resolution of a fqdn at CLI of FTD?

 

Test setup:

I have a static DNS blacklist used for blocking domain well-known-domain.com, let's say cisco.com.  Inside hosts trying to browse to cisco.com are being block, as expected.

 

However, when I use Packet Tracer and for destination fqdn I put cisco.com, Packet Tracer's verdict is to allow the traffic, because Packet-Tracer resolves the fqdn to an IP address.  Since the ip address of cisco.com is not blocked in my configuration, Packet-Tracer allows the traffic. 

To catch Packet tracer resolving, I thought I could use: support firewall-engine-debug to see Packet tracer resolves, but it doesn't show name lookup for cisco.com. 

 

Then, I wanted to use capture at FTD CLI, but that command uses ip address for source/destination, so I can't put cisco.com.

 

Can someone please tell me where at CLI I can see DNS Security intelligence events.

 

Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advisor

Hi, try to use support trace command with firewall debug enable turned on.
This should show the results as this command will show you snort inspection
as well.

**** please remember to rate useful posts

View solution in original post

3 REPLIES 3
Highlighted
VIP Advisor

It is normally the Analysis > Connection Events and the system support diagnostic-cli that you would refer to, to view this.  You can also setup a capture and export the pcap file and view it in Wireshark.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10

--
Please remember to select a correct answer and rate helpful posts
Highlighted
VIP Advisor

Hi, try to use support trace command with firewall debug enable turned on.
This should show the results as this command will show you snort inspection
as well.

**** please remember to rate useful posts

View solution in original post

Highlighted

Thanks Mohammed, the system support trace did the trick and showed the SI DNS block and which policy blocked it.

Much appreciated.  Thank you.

 

198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Packet: UDP
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Session: new snort session
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 AppID: service DNS (617), application unknown (0)
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 SI: DNS security intelligence rule, 'NGFW-DNS-Blacklist', drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort id 0, NAP id 3, IPS id 0, Verdict BLOCK
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 ===> Blocked by SI
Verdict reason is sent to DAQ

Content for Community-Ad