Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3440
Views
0
Helpful
5
Replies

Enable stun protocol inspection - FTD2110

TJ01
Level 1
Level 1

‎11-24-2021 03:30 AM

Hi ALL 

Any option to enable stun protocol inspection for specific rules only in FTD2110

If not do we need to enable it in global policy ... what are supportive commands to enable this protocol

 

This is what we see atm 

> show service-policy inspect stun

 Globaly policy:

   Service-policy: global_policy

    Class-map: inspection_default

0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-24-2021 05:02 AM - edited ‎11-24-2021 05:04 AM

Since STUN protocol inspection is a legacy ALG (application layer gateway) inspection type and not exposed directly in the FMC (or FDM) GUI, we need to use a Flexconfig object to modify it. That can be done by creating a custom Flexconfig object and assigning it in your Flexconfig policy.

FMC Flexconfig Object for STUNFMC Flexconfig Object for STUN

Flexconfig PolicyFlexconfig Policy

0 Helpful

TJ01
Level 1
Level 1
In response to Marvin Rhoads

‎11-24-2021 08:05 PM - edited ‎11-24-2021 08:06 PM

Thanks Marvin for your quick response on this ...  What other options to enable this protocol if we using Firepower Device Manager instead - Sorry I am new to cisco ftd so still unable to find the option to use this protocol ... this is the only object type I got in FDM

2rs.PNG

Only able to see stun option to use in application filter but access rule is allowing for all application .. 

1sr.PNG



 

 

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to TJ01

‎11-25-2021 11:24 PM - edited ‎11-25-2021 11:25 PM

In FDM, we setup FlexConfig via the following screens:

FDM Home PageFDM Home Page

FDM FlexConfig ObjectFDM FlexConfig Object

Once you have created the object (similar to how it is done in FMC), specify it in your FlexConfig policy and deploy.

0 Helpful

TJ01
Level 1
Level 1
In response to Marvin Rhoads

‎11-29-2021 08:06 PM

Thanks Marvin,  Is it applicable to specify interfaces and/or good practice for enabling an inspection of protocol ?

 

As we are defining the inspection under the global policy which is enabled on all interfaces ... will adding the interfaces limit this inspection on specified interfaces ?

 

 
 

Flexobject.PNG

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to TJ01

‎11-30-2021 04:35 AM

We normally use a global policy. It is applied globally with "service-policy global_policy global".

If you only want to apply the inspection to a given interface (or interfaces) then you would define it in a differently named policy-map and apply it with a separate service-policy.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card