Firepower ACP Oddness

dm2020
Level 1

Hi All,
I have an issue with a small Firepower deployment. I have a single FTD 2210 appliance that has a simple ACP applied that permits outbound ICMP, DNS and HTTPs traffic using application rules. See attached screenshot.
This works ok; however, if I attempt to telnet test to an external IP address on port 3001, which is not permitted by any rules, the firewall-engine-debug appears to match against the 'Permit ICMP' rule with a verdict of pass. I was hoping to see this as a deny so it's clear that it's being denied by the firewall. Is this a known issue?
10.1.11.13-62684 - 6.6.6.6-3001 6 Packet: TCP, SYN, seq 3358167107
10.1.11.13-62684 - 6.6.6.6-3001 6 AppID: service unknown (0), application unknown (0)
10.1.11.13-62684 > 6.6.6.6-3001 6 AS 1 I 1 Starting with minimum 2, 'Permit ICMP', and SrcZone first with zones 2 -> 1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
10.1.11.13-62684 > 6.6.6.6-3001 6 AS 1 I 1 pending rule order 2, 'Permit ICMP', AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Firewall: pending rule-matching, 'Permit ICMP', pending AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Snort id 1, NAP id 1, IPS id 0, Verdict PASS
Thanks

Abheesh Kumar
VIP Alumni
Hi,
Do a packet tracer from FTD and see if that is allowing or not. As per your ACP rules, only ICMP, HTTPS & DNS are allowed.
One more suggestion: instead of the application, enter the destination port and do a firewall engine debug; I think that will get blocked.

HTH
Abheesh

Hi,
I've run a packet trace and it does show it as blocked - Drop-reason: (acl-drop) Flow is denied by configured rule
Also if I change the rules to use ports instead of application then the firewall engine debug does report the traffic as denied by firewall and not pass which is what I would expect. Is there any reason for the application inspection to behave like this? Should I be using ports instead of applications in my rules?
Thank you

Hi,
We had a similar kind of issue with a TOR connection and opened a ticket with Cisco. As per TAC, to identify applications FTD will allow a few packets to pass through to look at the application payload to detect the application. I think that's why in the debug it shows allow. Better to create rules with ports; that will work perfectly.
Hope This Helps

Abheesh
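As an added illustration of what the TAC explanation means for reading firewall-engine-debug output (example code written for this thread, not Cisco's or any project's): it parses lines in the format quoted in the question, tracks each flow's last named ACP rule, whether rule matching is still pending on AppID, and the Snort verdict, and classifies a PASS issued while AppID is still pending as provisional rather than a final allow. The sample lines are constructed from the excerpt above.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample, modelled on the firewall-engine-debug excerpt in the question.
SAMPLE_DEBUG = """\
10.1.11.13-62684 - 6.6.6.6-3001 6 Packet: TCP, SYN, seq 3358167107
10.1.11.13-62684 - 6.6.6.6-3001 6 AppID: service unknown (0), application unknown (0)
10.1.11.13-62684 > 6.6.6.6-3001 6 AS 1 I 1 pending rule order 2, 'Permit ICMP', AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Firewall: pending rule-matching, 'Permit ICMP', pending AppID
10.1.11.13-62684 > 6.6.6.6-3001 6 Snort id 1, NAP id 1, IPS id 0, Verdict PASS
"""

# src-sport, direction marker ('-' or '>'), dst-dport, IP protocol number, message.
FLOW_RE = re.compile(r"^(\S+)-(\d+) [->] (\S+)-(\d+) (\d+) (.*)$")
RULE_RE = re.compile(r"'([^']+)'")        # ACP rule names are single-quoted
VERDICT_RE = re.compile(r"Verdict (\w+)")

FlowKey = Tuple[str, int, str, int, int]

@dataclass
class FlowState:
    rule: Optional[str] = None      # last ACP rule named for this flow
    pending_appid: bool = False     # rule match deferred until AppID identifies the app
    verdict: Optional[str] = None   # last Snort verdict seen

def parse_debug(text: str) -> Dict[FlowKey, FlowState]:
    """Fold debug lines into per-flow state keyed by the 5-tuple."""
    flows: Dict[FlowKey, FlowState] = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, proto, msg = m.groups()
        st = flows.setdefault((src, int(sport), dst, int(dport), int(proto)), FlowState())
        if "pending rule-matching" in msg or "pending AppID" in msg:
            st.pending_appid = True
        if (r := RULE_RE.search(msg)):
            st.rule = r.group(1)
        if (v := VERDICT_RE.search(msg)):
            st.verdict = v.group(1)
    return flows

def classify(st: FlowState) -> str:
    """A PASS issued while AppID is still pending is not a final allow decision."""
    if st.verdict == "PASS" and st.pending_appid:
        return "provisional-pass"
    return (st.verdict or "none").lower()
```

Flows that end up as "provisional-pass" are the ones where the debug verdict should be confirmed with packet-tracer or the connection events rather than read as an allow.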

Ok that makes sense. Thank you for the reply, very helpful