03-21-2017 11:08 PM - edited 03-12-2019 06:20 AM
Hello
Though traffic gets blocked, we still see SYN-SYN/ACK-ACK go through the firewall, but data did not seem to pass after that.
We tried putting a block / block-with-reset rule at the bottom and setting the default action to block all traffic.
We took all application configuration out of the access-policy rules.
This means that, though everything is blocked, TCP reconnaissance is still possible from the internet.
Does anyone have an idea of how to solve this?
Regards,
Gudmundur
03-24-2017 06:59 AM
This should only happen if you use Applications within your access control policy. For example, if you used an application rule to block file transfer, it would be matched initially, permitting the 3-way handshake to check if the application matches. I would assume you are using FTD, correct? If that's the case, log in via SSH and check which rule matches using packet-tracer.
03-26-2017 10:33 AM
This happens only when you have a rule with Layer 7 matching (on at least one of App ID or URL), whose evaluation is postponed until the necessary information is gathered.
As the necessary information is in the payload of the TCP flow, this information definitely can't be known until the payload comes in. But you can't check the payload if you don't allow the frames to pass until you get the data you need for the decision. If you didn't pass the 3WHS and/or the pre-decision segments, TCP would not continue, as per its design.
If you SSH into the sensor and issue "system support firewall-engine-debug", you'll observe the behavior described above.
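To make the point of both replies concrete, here is a small added example (not code from the thread, and not Cisco's engine) that models a first-match access policy. A rule that only carries Layer 3/4 criteria can be decided on the SYN, so nothing is forwarded; a rule that also names an application cannot be decided until the first payload segment arrives, so the engine has to forward the handshake first. Rule names, the 443 port, the application labels and the flow/segment objects are all constructed for the illustration.

```python
"""Added example (not from the thread): why a Layer-7 (App-ID / URL) rule
forces the firewall to let the TCP three-way handshake through before it
can decide, while a pure Layer-3/4 block can drop the SYN.

Rules, flows and segments here are constructed; the deferred-evaluation
logic is a simplification for illustration, not Cisco's actual engine.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    flow_id: int
    dport: int
    flags: str                     # "S", "SA", "A", "PA" (client+server view)
    app: Optional[str] = None      # application identified from payload


@dataclass
class Rule:
    name: str
    action: str                    # "allow" or "block"
    dport: Optional[int] = None    # Layer-4 criterion (None = any port)
    app: Optional[str] = None      # Layer-7 criterion (needs payload)

    def needs_payload(self) -> bool:
        return self.app is not None

    def l4_matches(self, pkt: Packet) -> bool:
        return self.dport is None or self.dport == pkt.dport

    def l7_matches(self, pkt: Packet) -> bool:
        return self.app is None or self.app == pkt.app


@dataclass
class Flow:
    decision: Optional[str] = None          # None, "pending", "allow", "block"
    passed: List[str] = field(default_factory=list)  # flags of forwarded segments


class PolicyEngine:
    """First-match policy with a default action at the bottom."""

    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = rules
        self.default = default
        self.flows = {}

    def _evaluate(self, pkt: Packet) -> str:
        for rule in self.rules:
            if not rule.l4_matches(pkt):
                continue
            # L4 part matched but the rule needs an App-ID and we have no
            # payload yet: the engine cannot decide, so it forwards the
            # segment and re-evaluates when payload arrives.
            if rule.needs_payload() and pkt.app is None:
                return "pending"
            if rule.l7_matches(pkt):
                return rule.action
        return self.default

    def process(self, pkt: Packet) -> bool:
        """Return True if the segment is forwarded, False if dropped."""
        flow = self.flows.setdefault(pkt.flow_id, Flow())
        if flow.decision in (None, "pending"):
            flow.decision = self._evaluate(pkt)
        forwarded = flow.decision in ("allow", "pending")
        if forwarded:
            flow.passed.append(pkt.flags)
        return forwarded


def simulate(rules: List[Rule], app: str, default: str = "block"):
    """Push a handshake plus the first payload segment (constructed) through
    the engine; return (flags forwarded, final verdict for the flow)."""
    engine = PolicyEngine(rules, default)
    segments = [Packet(1, 443, "S"), Packet(1, 443, "SA"),
                Packet(1, 443, "A"), Packet(1, 443, "PA", app=app)]
    forwarded = [p.flags for p in segments if engine.process(p)]
    return forwarded, engine.flows[1].decision


if __name__ == "__main__":
    # Pure L4 block: SYN is dropped, no handshake visible to a scanner.
    print(simulate([Rule("block-all", "block")], app="http"))
    # An app-based block rule: handshake is forwarded, payload then blocked.
    print(simulate([Rule("block-ftp", "block", app="ftp")], app="http"))
    # App-based allow: handshake forwarded, payload allowed once identified.
    print(simulate([Rule("allow-web", "allow", dport=443, app="https")], app="https"))
```

Running it shows the asymmetry the replies describe: with only `block-all` in the policy the SYN never leaves the firewall, whereas the moment any rule carries an application criterion the engine forwards S, SA and A and only drops the first data segment. The reconnaissance exposure the original post describes is therefore tied to the presence of L7 rules, not to the block action itself.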