FMC/FTD

benolyndav
Level 4

Hi

We have FMC 100 and FTD 2130. When I do a packet tracer on the device it's saying traffic is allowed, but I can't find the ACL on the ACP that would allow this traffic. It's almost as though there is a hidden ACL which is allowing certain traffic which it shouldn't be.

Any ideas how to find this?

 

Thanks

5 Replies

@benolyndav 

When you run packet-tracer from the CLI, the section "Type: ACCESS-LIST" indicates the ACP. You can confirm which rule by looking for "L5 RULE: xxxxxx" or "L7 RULE: xxxxxx", where xxxxxx is the name of your ACP rule.

 

If you still cannot determine which rule traffic is hitting please provide the output of the packet-tracer.

 

You could also use the command "system support firewall-engine-debug" and generate some real-time traffic, this would also indicate which ACP rule was matched.

 

HTH

Hi Rob

Some info from PT here. 445 is only allowed on one rule, and when I do the PT the rule it's hitting isn't the rule I have 445 on??

> packet-tracer input  INSIDE tcp X.X.X.X  23567 X.X.X.X 445 detailed

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE any any rule-id 268438963
access-list CSM_FW_ACL_ remark rule-id 268438963: ACCESS POLICY: TREAL-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438963: L7 RULE: URL Block #1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in  id=0xffc13dc070, priority=12, domain=permit, deny=false
        hits=8345875, user_data=0xff824a3400, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=INSIDE
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
        input_ifc=any, output_ifc=any

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

Hi @benolyndav 

I guess you are using URL filtering in some rules?

 

This is possibly what is happening... "If early traffic matches all other rule conditions but identification is incomplete, the system allows the packet to pass and the connection to be established (or the TLS/SSL handshake to complete). After the system completes its identification, the system applies the appropriate rule action to the remaining session traffic."

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/url_filtering.html

 

Best Practice is to position URL rules after all other rules that must be hit. So move your specific rule for 445 above the rule that has been matched in the packet-tracer output above.

 

HTH
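Rob's two tips above (find the "L5 RULE:" / "L7 RULE:" remark in the ACCESS-LIST phase, and treat an ALLOW from an L7 rule as provisional because the packet is handed to Snort) as a small checker. This is an added example, not code from the thread or from Cisco; the sample text is a constructed copy of the ACCESS-LIST phase posted above, and the "to_snort" heuristic simply looks for the "sent to snort" line.

```python
import re

# Constructed sample, copied from the packet-tracer ACCESS-LIST phase posted in this thread.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc INSIDE any any rule-id 268438963
access-list CSM_FW_ACL_ remark rule-id 268438963: ACCESS POLICY: TREAL-POLICY - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268438963: L7 RULE: URL Block #1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""


def parse_access_list_phase(text):
    """Return the ACP rule details from the ACCESS-LIST phase, or None if there is none."""
    for block in re.split(r"(?m)^Phase:\s*\d+\s*$", text):
        if not re.search(r"(?m)^Type:\s*ACCESS-LIST\s*$", block):
            continue
        info = {"result": None, "rule_id": None, "policy": None,
                "layer": None, "rule_name": None, "to_snort": False}
        m = re.search(r"(?m)^Result:[ \t]*(\S+)", block)
        info["result"] = m.group(1) if m else None
        m = re.search(r"rule-id (\d+)", block)
        info["rule_id"] = m.group(1) if m else None
        m = re.search(r"(?m)ACCESS POLICY:[ \t]*(.+?)[ \t]*$", block)
        info["policy"] = m.group(1) if m else None
        # Rob's tip: the "L5 RULE:" / "L7 RULE:" remark names the ACP rule that matched.
        m = re.search(r"(?m)\b(L[57]) RULE:[ \t]*(.+?)[ \t]*$", block)
        if m:
            info["layer"], info["rule_name"] = m.group(1), m.group(2)
        # An L7 (URL/app) rule cannot be decided on the first packet; LINA passes it to Snort.
        info["to_snort"] = "sent to snort" in block.lower()
        return info
    return None


def verdict_is_final(info):
    """ALLOW from an L7 rule is provisional: Snort may still block the connection."""
    return info["result"] != "ALLOW" or (info["layer"] != "L7" and not info["to_snort"])


if __name__ == "__main__":
    details = parse_access_list_phase(SAMPLE)
    print(details, "final verdict:", verdict_is_final(details))
```

If the parser reports an L7 rule with a provisional verdict, the rule named in the remark is the one to move the specific port rule above, as Rob suggests.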

Hi Rob

Thanks, I'll read the doc.

Does the below affect the performance of live devices at all? Should these commands be used out of hours, and is it just a Ctrl+C to stop the debug?

(You could also use the command "system support firewall-engine-debug" and generate some real-time traffic, this would also indicate which ACP rule was matched.)

@benolyndav When you run the command it prompts you to specify the protocol, source IP, source port, destination IP and destination port (you don't need to specify all options). If you filter on at least a specific source IP address of your test machine, then this should have minimal impact.

 

Yes, CTRL + C stops the command.
