10-21-2022 01:09 PM - edited 10-21-2022 01:10 PM
Hello, I am trying to understand the report, but I am not 100% sure how to read everything in bold and underlined:
I am testing and find this packet gets into the network, but I do not want it to. So I have run a packet capture on the FMC and got this report, and I am not sure how to read it. Any information on this would be helpful.
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446
access-list CSM_FW_ACL_ remark rule-id 268434446: ACCESS POLICY: RB_Access_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434446: L7 RULE: Geo-Locations_Block_Egress
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
10-21-2022 06:23 PM
With the below access list, the traffic is getting allowed through the box due to permit ip any any:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446
Under the Access Control Policy > Rule with the name 'Geo-Locations_Block_Egress', check what filters are added to allow the traffic.
Amend this rule based on the requirement to allow or block certain traffic.
10-22-2022 12:51 AM
Important to note: An "advanced permit" does not mean the packet is allowed. It just means that it is not possible to decide on a permit/deny at this point and the packet is sent to Snort to make this decision.
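The reading rule from the last reply, as an added example that is not part of the thread or of any Cisco tool: this Python parser splits packet-tracer output into phases, maps each rule-id to its policy and rule name, and reports an ACCESS-LIST "ALLOW" that is followed by the Snort hand-off line as deferred rather than final. The function names and verdict labels are hypothetical, and treating an ALLOW without that line as final is an assumption.

```python
import re

# Constructed sample: the Phase 4 block quoted in the question above.
SAMPLE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446
access-list CSM_FW_ACL_ remark rule-id 268434446: ACCESS POLICY: RB_Access_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434446: L7 RULE: Geo-Locations_Block_Egress
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase:' block."""
    phases = []
    for block in re.split(r"(?m)^(?=Phase:\s*\d+)", text):
        if not block.strip():
            continue
        phase = {"rules": {}}
        for key in ("Phase", "Type", "Subtype", "Result"):
            m = re.search(rf"(?m)^{key}:[ \t]*(.+?)[ \t]*$", block)
            phase[key.lower()] = m.group(1) if m else None
        # Remark lines tie a rule-id to its access policy and L7 rule name.
        remark = r"(?m)^access-list \S+ remark rule-id (\d+): (ACCESS POLICY|L7 RULE): (.+?)[ \t]*$"
        for rid, label, name in re.findall(remark, block):
            phase["rules"].setdefault(rid, {})[label] = name
        # Assumption: this sentence is the only marker of a hand-off to Snort.
        phase["to_snort"] = bool(re.search(r"sent to snort", block, re.I))
        phases.append(phase)
    return phases

def verdict(phase):
    """Interpret an ACCESS-LIST phase: ALLOW plus a Snort hand-off is not final."""
    if phase["type"] != "ACCESS-LIST":
        return "n/a"
    if phase["result"] == "ALLOW" and phase["to_snort"]:
        return "deferred-to-snort"
    return "final-" + (phase["result"] or "unknown").lower()

if __name__ == "__main__":
    for p in parse_phases(SAMPLE):
        print(p["phase"], verdict(p), p["rules"])
```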