Firepower Packet Tracer not advising which policy entry is being hit

James Hardman
Level 1

FMC version - Version 7.2.2 (build 54)

FTD version - 7.0.4

I currently have an Access-Control policy 'DC-Inbound-FTD-AC' which has a list of Mandatory entries at the top to block Bad Networks, Custom URLs and Blocked URLs (based on URL categories), with the interface and zones all being set to 'Any'. The first entry in this list is:

Name - Blocked Countries Source
Source Zone - Any
Destination Zone - Any 
Source Networks - Any
Source Networks - Bad_Source_Destination_Countries (23 entries)
Destination Networks - Any
(All other options set to Any)
Action - Block

After the Mandatory entries we have our normal Default entries specifying zone to zone entries.

We have an allow rule specifically for 10.0.0.10 to go to 20.54.23.166 (made these IPs up but everything else is the same) on port 22 with the zones specified with SSL inspection and NAT is also applied.  If I run a packet tracer on the FMC against the device, the ACL it says it hits is:

Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268449118
access-list CSM_FW_ACL_ remark rule-id 268449118: ACCESS POLICY: DC-Inbound-FTD-ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268449118: L7 RULE: Blocked Countries Source
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in  id=0x15513ffb7510, priority=12, domain=permit, deny=false
hits=66954065, user_data=0x15510da23a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

It never references the actual rule that allows the traffic out to the internet.  I can see it hitting the correct NAT policy and SNORT allows it (Result = PASS) but all ACL sections in the packet tracer reference this generic 'Blocked Countries Source' entry and not the actual rule it is using.  

How do I see which policy entry is allowing the traffic/being hit?  I've tried running this via CLI, including:

system support diagnostic-cli
enable
*
packet-tracer input Inbound_120 tcp 10.0.0.10 65000 20.54.23.166 22

But I still get the same result. Even if I try port 80 or even ICMP, it always shows the access-list in the packet tracer as Blocked Countries Source.

Kind regards,

Jimmy

1 Accepted Solution

tvotna
Spotlight

Packet-trace runs inside Lina, which knows nothing about country codes, URLs and other such features. So it shows the correct result, because this rule matches. For real traffic, a few packets will be sent to Snort before Snort returns a verdict to Lina with the rule-id. In this sense packet-tracer is useless for a configuration like this. You can use either the "capture /trace" Lina tool and then find the packet in the capture with the Snort verdict, or use the Sourcefire "system support trace" / "system support firewall-engine-debug":

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/214577-firepower-data-path-troubleshooting-phas.html

2 Replies

You have just made my weekend. Thank you!

Following the guide in the link you provided, I was able to simulate a packet and then see the CLI output matching the correct ACL entry!
I'll read more about this later.

Thank you again!
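As an added example (not code from the thread, and not Cisco's), the Python script below parses the Lina packet-tracer text quoted in the question and reports, for each ACCESS-LIST phase, which rule-id, policy and rule name Lina matched and whether the verdict was handed to Snort, which is the distinction the accepted answer draws. The sample output is constructed from the question's excerpt; the "Phase:" numbering, the NAT phase, and the assumption that FMC labels Snort-dependent rules "L7 RULE" (as in the question) and plain L3/L4 rules "L4 RULE" are mine, not the page's.

```python
"""Report whether a Lina packet-tracer ACCESS-LIST verdict is final or deferred to Snort.

Added example, not code from the thread or from Cisco.  Rules with L7 conditions are
compiled into CSM_FW_ACL_ as 'permit ip any any rule-id N' so Snort can decide, which is
why Lina names such a rule for every packet.  Field names and phase layout are assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the ACCESS-LIST phase follows the question's output; phase numbers
# and the NAT phase are assumed.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268449118
access-list CSM_FW_ACL_ remark rule-id 268449118: ACCESS POLICY: DC-Inbound-FTD-ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268449118: L7 RULE: Blocked Countries Source
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: NAT
Result: ALLOW
Additional Information:
Static translate 10.0.0.10/65000 to 203.0.113.10/65000
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$", re.M)
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Config|Additional Information):\s*(.*)$")
RULE_ID_RE = re.compile(r"\brule-id (\d+)")
POLICY_RE = re.compile(r"ACCESS POLICY: (.+?) - (Mandatory|Default)\s*$")
RULE_NAME_RE = re.compile(r"\b(?:(L\d) )?RULE: (.+?)\s*$")  # 'L7 RULE: name' / 'L4 RULE: name'


@dataclass
class AclVerdict:
    phase: int
    result: str
    rule_id: int | None = None
    policy: str | None = None
    section: str | None = None
    rule_name: str | None = None
    l7_rule: bool = False          # remark reads 'L7 RULE': Snort owns the decision
    matches_any_any: bool = False  # compiled as 'permit ip any any'
    deferred_to_snort: bool = False


def split_phases(text: str) -> list[tuple[int, dict[str, str]]]:
    """Split packet-tracer output into (phase number, {field: text}) pairs."""
    chunks = PHASE_RE.split(text)  # ['', '3', body3, '4', body4, ...]
    phases = []
    for i in range(1, len(chunks), 2):
        fields: dict[str, str] = {}
        current = None
        for line in chunks[i + 1].splitlines():
            m = FIELD_RE.match(line)
            if m:                                # new field header
                current = m.group(1)
                fields[current] = m.group(2)
            elif current and line.strip():       # continuation of Config / Additional Information
                fields[current] = (fields[current] + "\n" + line).strip()
        phases.append((int(chunks[i]), fields))
    return phases


def parse_acl_phase(number: int, fields: dict[str, str]) -> AclVerdict:
    """Pull rule-id, policy/section and rule name out of one ACCESS-LIST phase."""
    v = AclVerdict(phase=number, result=fields.get("Result", ""))
    for line in fields.get("Config", "").splitlines():
        if " advanced " in line:                 # the compiled ACE itself
            m = RULE_ID_RE.search(line)
            v.rule_id = int(m.group(1)) if m else None
            v.matches_any_any = " ip any any " in line
        elif " remark " in line:                 # FMC's policy and rule annotations
            if (m := POLICY_RE.search(line)):
                v.policy, v.section = m.group(1), m.group(2)
            if (m := RULE_NAME_RE.search(line)):
                v.l7_rule, v.rule_name = m.group(1) == "L7", m.group(2)
    v.deferred_to_snort = "sent to snort" in fields.get("Additional Information", "").lower()
    return v


def explain(text: str) -> list[AclVerdict]:
    """One AclVerdict per ACCESS-LIST phase in the output."""
    return [parse_acl_phase(n, f) for n, f in split_phases(text) if f.get("Type") == "ACCESS-LIST"]


def summary(v: AclVerdict) -> str:
    where = f"{v.policy} ({v.section})" if v.policy else "unknown policy"
    if v.deferred_to_snort:
        return (f"Phase {v.phase}: Lina matched rule-id {v.rule_id} '{v.rule_name}' in {where}; "
                "verdict deferred to Snort, so this is not the rule that finally allows or blocks "
                "the flow. Read the Snort verdict from a capture with trace or firewall-engine-debug.")
    return f"Phase {v.phase}: final Lina verdict {v.result} by rule-id {v.rule_id} '{v.rule_name}' in {where}."


if __name__ == "__main__":
    for verdict in explain(SAMPLE):
        print(summary(verdict))
```

Run it as a script to see the reading of the sample, or pass the text of a real packet-tracer run to explain(). When deferred_to_snort is set, the rule Lina names is only the first L3/L4 match; the final rule is the one the firewall-engine-debug output from the linked guide reports, as the follow-up in the thread confirms.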
