Hello!
I am doing a new install, and have hit problems in the first few minutes.
ASA5516X 9.8(1) with FirePower services (all licensed) 6.2.0-362
There is only 1 "permit all" rule with "Trust all traffic" as the default action. The idea behind it is that we wanted to just monitor the traffic in the first phase of the install, and gradually build the rule base.
What happens is that FP is blocking mostly DNS traffic to public DNS servers, even the most legitimate requests like google.com, and to make matters worse, the blocked traffic is random and there is no way to determine why. Real-time eventing just shows "Intrusion block". Another oddity is that the same traffic is sometimes blocked and sometimes allowed, all within a few minutes (screenshots attached).
What am I missing?