FMC Packet Capture Results

JoshfromPHX
Level 1

Hello, I am trying to understand the report, but I am not 100% sure how to read everything in bold and underlined.

I am testing and find this packet gets into the network, but I do not want it to. So I have run a packet capture on the FMC and got this report, and I am not sure how to read it. Any information on this would be helpful.

 

Phase: 4

Type: ACCESS-LIST

Subtype: log

Result: ALLOW

Config:

access-group CSM_FW_ACL_ global

access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446

access-list CSM_FW_ACL_ remark rule-id 268434446: ACCESS POLICY: RB_Access_Policy - Mandatory

access-list CSM_FW_ACL_ remark rule-id 268434446: L7 RULE: Geo-Locations_Block_Egress

Additional Information:

 This packet will be sent to snort for additional processing where a verdict will be reached


manabans
Cisco Employee

With the below access list, the traffic is getting allowed through the box due to permit ip any any:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446

Under the Access Control Policy > Rule with the name 'Geo-Locations_Block_Egress', check what filters are added to allow the traffic.
Amend this rule based on the requirement to allow or block certain traffic.

Important to note: An "advanced permit" does not mean the packet is allowed. It just means that it is not possible to decide on a permit/deny at this point and the packet is sent to Snort to make this decision.
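
As an added illustration (not part of either post above and not Cisco tooling), this short Python parser reads packet-tracer phases like the one in the question and reports which access control rule matched and whether the verdict is left to Snort. The function names are hypothetical; the sample input is Phase 4 as posted in the question.

```python
import re

# Phase 4 as posted in the question above (blank lines removed).
SAMPLE = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434446
access-list CSM_FW_ACL_ remark rule-id 268434446: ACCESS POLICY: RB_Access_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434446: L7 RULE: Geo-Locations_Block_Egress
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
"""

FIELD = re.compile(r"^(Type|Subtype|Result): (.+)$")
ACE = re.compile(r"^access-list \S+ advanced (\w+) .*rule-id (\d+)\s*$")
REMARK = re.compile(r"^access-list \S+ remark rule-id (\d+): ([^:]+): (.+)$")

def parse_phases(text):
    """Split packet-tracer output into one dict per 'Phase: N' block."""
    phases = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Phase:"):
            phases.append({"phase": int(line.split(":")[1]), "remarks": {}, "to_snort": False})
        elif not phases:
            continue  # ignore anything before the first phase header
        elif m := FIELD.match(line):
            phases[-1][m.group(1).lower()] = m.group(2)
        elif m := ACE.match(line):
            phases[-1]["action"], phases[-1]["rule_id"] = m.group(1), m.group(2)
        elif m := REMARK.match(line):
            phases[-1]["remarks"][m.group(2)] = m.group(3)  # e.g. "L7 RULE" -> rule name
        elif "sent to snort" in line.lower():
            phases[-1]["to_snort"] = True  # the ALLOW here is not the final verdict
    return phases

def explain(p):
    """Summarise one phase: which rule matched and who makes the decision."""
    rule = p["remarks"].get("L7 RULE", "?")
    policy = p["remarks"].get("ACCESS POLICY", "?")
    who = "verdict deferred to Snort" if p["to_snort"] else "decided at this phase"
    return (f"phase {p['phase']}: rule '{rule}' ({policy}), "
            f"rule-id {p.get('rule_id', '?')}, {p.get('action', '?')}: {who}")

if __name__ == "__main__":
    for ph in parse_phases(SAMPLE):
        print(explain(ph))
```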
