Hello,

Using FTD Version 6.5.0.4 on FPR2110, and managed with FMC.

I am trying to access SNMP in LINA via the inside data interface, and it is being denied.

The sanitized packet capture below shows an output-interface of "NP Identity Ifc", which I understand to be the device itself.  What I am wondering is how do I assign a zone to this "interface" and hence add access for this to my access control policy?  Is this just not possible, or am I missing something here?  I am currently not using the diagnostics interface, and would have to redesign my management access to do so (since it cannot share a network with the data interfaces).  Is my only option the diagnostics interface, or will this work through a data interface?

Thank you,

Paul

The packet capture is as follows:

1: 21:54:19.582077 <IP address of monitoring server>.36579 > <IP address of inside interface>.161: udp 64
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop <IP address of inside interface> using egress ifc identity

Phase: 4
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000000aab63792ec flow (NA)/NA