02-08-2021 07:01 AM
Hi all,
While running a packet capture on an access switch for a device (10.1.1.1) I blocked its internet access on the FTD (4125) as it was trying to reach 50.1.1.1.
I did this by blocking all traffic for 10.1.1.1 through the FTD with a "Block with Reset" to any rule. I also did "clear conn address 10.1.1.1" on the CLI.
This subsequently blocked 10.1.1.1 from getting to the internet. However, there were still packets being received on 10.1.1.1 from 50.1.1.1. Given there is no rule to allow 10.1.1.1 out to 50.1.1.1 I can't understand how packets are getting in.
Do I need to clear all the NAT translations for 10.1.1.1?
Thanks in advance,
Stuart
02-08-2021 07:54 AM
1. Blocking the FMC from getting to the Internet is going to have a negative impact on getting updates that are critical to the proper operation of your firewalls (no geolocation updates, no SNORT rule updates, etc).
2. Are you certain that you put the block rule at the top of your rules and that you have the direction of the traffic, IP addresses, etc correct in the block rule?
3. Are there any pre-filter rules that would permit the traffic and thus bypass your access control rule? If all else fails, you could apply the drop rule in the pre-filter.
4. After making changes, have you verified that you've deployed the changes to the firewalls?
02-08-2021 08:25 AM
Is there an inbound ACL that might allow the traffic?
What does packet-tracer tell you if you use it to test the logic?
02-09-2021 09:17 AM
Go to the FTD CLI and execute "packet-tracer input <your-src-interface> tcp 10.1.1.1 1000 50.1.1.1 <dst-port>" and post the result. There's probably a rule that permits traffic... or an application/URL rule that causes the three-way handshake to succeed (otherwise it cannot be evaluated), which could result in you seeing outgoing traffic briefly.
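As an added illustration (not from any poster in this thread): a small Python parser for the packet-tracer output the reply above asks for, which pulls out each phase's Result and the rule text from the phase that dropped the flow, so you can see at a glance whether the block rule or a pre-filter/implicit rule made the decision. The sample trace, its interface names and its rule-id are constructed, not taken from the poster's firewall.

```python
import re

# Constructed, abbreviated FTD packet-tracer output. The Phase:/Type:/Result:
# layout follows typical ASA/FTD output; it is NOT output from the poster's box.
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
Implicit Rule

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip host 10.1.1.1 any rule-id 268435460
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

PHASE_RE = re.compile(  # one Phase block; Config: lines end at "Additional" or a blank line
    r"^Phase: (?P<num>\d+)\nType: (?P<type>\S+)\n(?:Subtype: ?(?P<sub>.*)\n)?"
    r"Result: (?P<result>\w+)\n(?:Config:\n(?P<config>(?:(?!Additional|\n).*\n)*))?",
    re.M)

def parse_phases(trace):
    """Return one dict per Phase block: number, type, subtype, result, config text."""
    return [{"phase": int(m["num"]), "type": m["type"], "subtype": m["sub"] or "",
             "result": m["result"], "config": (m["config"] or "").strip()}
            for m in PHASE_RE.finditer(trace)]

def verdict(trace):
    """Final Action, the Drop-reason line, and the first phase whose Result is DROP."""
    action = re.search(r"^Action: (\w+)", trace, re.M)
    reason = re.search(r"^Drop-reason: (.*)$", trace, re.M)
    drop = next((p for p in parse_phases(trace) if p["result"] == "DROP"), None)
    return {"action": action[1] if action else None,
            "drop_reason": reason[1] if reason else None, "dropped_by": drop}
```

If `dropped_by` is None while `action` is `allow`, look at which ACCESS-LIST or PREFILTER phase carries the permitting rule text in `config`; that is the rule letting the flow through.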