08-04-2020 06:09 AM
How can I see a DNS Security Intelligence event for the blocked resolution of an FQDN at the CLI of FTD?
Test setup:
I have a static DNS blacklist used for blocking the domain well-known-domain.com, let's say cisco.com. Inside hosts trying to browse to cisco.com are being blocked, as expected.
However, when I use Packet Tracer and for the destination FQDN I put cisco.com, Packet Tracer's verdict is to allow the traffic, because Packet Tracer resolves the FQDN to an IP address. Since the IP address of cisco.com is not blocked in my configuration, Packet Tracer allows the traffic.
To catch Packet Tracer resolving the name, I thought I could use support firewall-engine-debug to see what Packet Tracer resolves, but it doesn't show the name lookup for cisco.com.
Then I wanted to use capture at the FTD CLI, but that command uses IP addresses for source/destination, so I can't put cisco.com.
Can someone please tell me where at the CLI I can see DNS Security Intelligence events?
Thanks.
08-04-2020 06:50 AM
It is normally the Analysis > Connection Events and the system support diagnostic-cli that you would refer to in order to view this. You can also set up a capture, export the pcap file and view it in Wireshark.
08-04-2020 10:10 AM
08-04-2020 12:16 PM
Thanks Mohammed, the system support trace did the trick and showed the SI DNS block and which policy blocked it.
Much appreciated. Thank you.
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Packet: UDP
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Session: new snort session
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 AppID: service DNS (617), application unknown (0)
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 SI: DNS security intelligence rule, 'NGFW-DNS-Blacklist', drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort id 0, NAP id 3, IPS id 0, Verdict BLOCK
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 ===> Blocked by SI
Verdict reason is sent to DAQ