Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2983
Views
10
Helpful
3
Replies

DNS Security intelligence block - how to see at CLI on FTD?

Go to solution
cpaquet
Level 1
Level 1

‎08-04-2020 06:09 AM

How can I see DNS Security Intelligence event for the blocked resolution of a fqdn at CLI of FTD?

 

Test setup:

I have a static DNS blacklist used for blocking domain well-known-domain.com, let's say cisco.com.  Inside hosts trying to browse to cisco.com are being block, as expected.

 

However, when I use Packet Tracer and for destination fqdn I put cisco.com, Packet Tracer's verdict is to allow the traffic, because Packet-Tracer resolves the fqdn to an IP address.  Since the ip address of cisco.com is not blocked in my configuration, Packet-Tracer allows the traffic. 

To catch Packet tracer resolving, I thought I could use: support firewall-engine-debug to see Packet tracer resolves, but it doesn't show name lookup for cisco.com. 

 

Then, I wanted to use capture at FTD CLI, but that command uses ip address for source/destination, so I can't put cisco.com.

 

Can someone please tell me where at CLI I can see DNS Security intelligence events.

 

Thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎08-04-2020 10:10 AM

Hi, try to use support trace command with firewall debug enable turned on.
This should show the results as this command will show you snort inspection
as well.

**** please remember to rate useful posts

View solution in original post

3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎08-04-2020 06:50 AM

It is normally the Analysis > Connection Events and the system support diagnostic-cli that you would refer to, to view this.  You can also setup a capture and export the pcap file and view it in Wireshark.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Mohammed al Baqari
Level 11
Level 11

‎08-04-2020 10:10 AM

Hi, try to use support trace command with firewall debug enable turned on.
This should show the results as this command will show you snort inspection
as well.

**** please remember to rate useful posts

Go to solution
cpaquet
Level 1
Level 1
In response to Mohammed al Baqari

‎08-04-2020 12:16 PM

Thanks Mohammed, the system support trace did the trick and showed the SI DNS block and which policy blocked it.

Much appreciated.  Thank you.

 

198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Packet: UDP
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Session: new snort session
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 AppID: service DNS (617), application unknown (0)
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 SI: DNS security intelligence rule, 'NGFW-DNS-Blacklist', drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort id 0, NAP id 3, IPS id 0, Verdict BLOCK
198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 ===> Blocked by SI
Verdict reason is sent to DAQ

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card