03-09-2023 07:36 AM - edited 03-09-2023 07:52 AM
FMC version - Version 7.2.2 (build 54)
FTD version - 7.0.4
I currently have an Access-Control policy 'DC-Inbound-FTD-AC' which has a list of Mandatory entries at the top to block Bad Networks, Custom URLs and Blocked URLs (based on URL categories) with the interface and zones all being set to 'Any'. The first entry in this list is:
Name - Blocked Countries Source
Source Zone - Any
Destination Zone - Any
Source Networks - Any
Source Networks - Bad_Source_Destination_Countries (23 entries)
Destination Networks - Any
(All other options set to Any)
Action - Block
After the Mandatory entries we have our normal Default entries specifying zone to zone entries.
We have an allow rule specifically for 10.0.0.10 to go to 20.54.23.166 (made these IPs up but everything else is the same) on port 22 with the zones specified; SSL inspection and NAT are also applied. If I run a packet tracer on the FMC against the device, the ACL it says it hits is:
Type:
ACCESS-LIST
Subtype:
log
Result:
ALLOW
Config:
access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268449118
access-list CSM_FW_ACL_ remark rule-id 268449118: ACCESS POLICY: DC-Inbound-FTD-ACP - Mandatory access-list CSM_FW_ACL_ remark rule-id 268449118: L7 RULE: Blocked Countries Source
Additional Information
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0x15513ffb7510, priority=12, domain=permit, deny=false
hits=66954065, user_data=0x15510da23a40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
It never references the actual rule that allows the traffic out to the internet. I can see it hitting the correct NAT policy and SNORT allows it (Result = PASS) but all ACL sections in the packet tracer reference this generic 'Blocked Countries Source' entry and not the actual rule it is using.
How do I see which policy entry is allowing the traffic/being hit? I've tried running this via CLI, including:
system support diagnostic-cli
enable
*
packet-tracer input Inbound_120 tcp 10.0.0.10 65000 20.54.23.166 22
But still get the same result. Even if I try port 80 or even ICMP it always shows the access-list in the packet tracer as Blocked Countries Source.
Kind regards,
Jimmy
03-10-2023 07:35 AM
Packet-tracer runs inside Lina, which knows nothing about country codes, URLs and other such features. So it shows the correct result, because this rule matches. For real traffic, a few packets will be sent to Snort before Snort returns a verdict to Lina with the rule-id. In this sense packet-tracer is useless for a configuration like this. You can use either the "capture /trace" Lina tool and then find the packet in the capture with the Snort verdict, or use the Sourcefire "system support trace" / "system support firewall-engine-debug":
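As an added illustration (not part of this thread and not a Cisco tool): a small Python parser that reads the ACCESS-LIST phases of packet-tracer output and flags when Lina has matched an L7 placeholder rule and deferred the verdict to Snort, which is exactly why the rule name printed above is not the deciding rule. The sample output is constructed from the phase quoted in the question plus a made-up L4 phase (rule-id 268449999, rule name Allow-SSH-Example, a NAT phase in between) for contrast; the "L4 RULE:" remark format is assumed from the remarks FTD normally writes into CSM_FW_ACL_, since only "L7 RULE:" appears on this page.

```python
"""Interpret the ACCESS-LIST phases of FTD packet-tracer output.

Added example for this thread, not Cisco tooling.  Assumptions: phases are
separated by blank lines, the matched ACE carries "rule-id <n>", and the
remark lines name the rule as "L7 RULE:" (Snort decides) or "L4 RULE:"
(Lina decides).  Only the L7 form is visible in the question above.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the ACCESS-LIST phase pasted in the question, a NAT
# phase, then a constructed L4 phase (rule-id and name are made up).
SAMPLE_OUTPUT = """\
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268449118
access-list CSM_FW_ACL_ remark rule-id 268449118: ACCESS POLICY: DC-Inbound-FTD-ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268449118: L7 RULE: Blocked Countries Source
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Type: NAT
Subtype: per-session
Result: ALLOW
Config:

Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp host 10.0.0.10 host 20.54.23.166 eq ssh rule-id 268449999
access-list CSM_FW_ACL_ remark rule-id 268449999: ACCESS POLICY: DC-Inbound-FTD-ACP - Default
access-list CSM_FW_ACL_ remark rule-id 268449999: L4 RULE: Allow-SSH-Example
Additional Information:
"""

RULE_ID = re.compile(r"\brule-id (\d+)\b")
REMARK = re.compile(r"\b(L[47]) RULE: (.+?)\s*$", re.M)
POLICY = re.compile(r"ACCESS POLICY: (.+?) - (Mandatory|Default)\b")
RESULT = re.compile(r"^Result:\s*(\S+)", re.M)


@dataclass
class AclVerdict:
    rule_id: str
    rule_name: str
    layer: str            # "L7": Snort decides; "L4": Lina decides
    policy: str
    section: str          # Mandatory / Default
    lina_result: str      # what Lina printed (ALLOW / DROP)
    snort_pending: bool   # Lina deferred the final verdict to Snort

    @property
    def final(self) -> bool:
        """Lina's result is the real verdict only when Snort is not consulted."""
        return not self.snort_pending

    def explain(self) -> str:
        if self.final:
            return (f"rule-id {self.rule_id} ({self.rule_name}, {self.layer}, "
                    f"{self.section}) is the deciding rule: {self.lina_result}")
        return (f"rule-id {self.rule_id} ({self.rule_name}) is an {self.layer} "
                "placeholder: Lina hands the flow to Snort, which picks the real "
                "rule. Read the Snort verdict from 'capture ... trace' or "
                "'system support trace' instead.")


def parse_acl_phase(phase: str) -> Optional[AclVerdict]:
    """Return the verdict for one phase, or None if it is not an ACL phase."""
    if not re.search(r"^Type:\s*ACCESS-LIST", phase, re.M):
        return None
    rule_id = RULE_ID.search(phase)
    remark = REMARK.search(phase)
    policy = POLICY.search(phase)
    result = RESULT.search(phase)
    if not (rule_id and remark and result):
        return None
    return AclVerdict(
        rule_id=rule_id.group(1),
        rule_name=remark.group(2),
        layer=remark.group(1),
        policy=policy.group(1) if policy else "?",
        section=policy.group(2) if policy else "?",
        lina_result=result.group(1),
        # The "sent to snort" sentence is Lina saying its ALLOW is provisional.
        snort_pending="sent to snort" in phase.lower(),
    )


def acl_verdicts(output: str) -> List[AclVerdict]:
    """Split packet-tracer output on blank lines and keep the ACCESS-LIST phases."""
    phases = re.split(r"\n\s*\n", output.strip())
    return [v for v in (parse_acl_phase(p) for p in phases) if v]


if __name__ == "__main__":
    for verdict in acl_verdicts(SAMPLE_OUTPUT):
        print(verdict.explain())
```

Run against the first phase, the parser reports the Blocked Countries Source hit as an L7 placeholder with the verdict pending in Snort, which is the situation described in the question; only a phase whose remark reads "L4 RULE:" and that lacks the "sent to snort" note is reported as the deciding rule.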
03-10-2023 08:15 AM
Following the guide in the link you provided, I was able to simulate a packet and then see the CLI output matching the correct ACL entry!
I'll read more about this later.
Thank you again !