10-22-2024 01:52 AM
Morning,
I am having an issue with our Fastpath rules, hoping for some advice:
I have added our scanning IP ranges into Network Objects and then created a prefilter policy to fastpath traffic from or to these addresses.
I'm unsure why but we are still seeing intrusion alerts being generated from these addresses during our periodic scans. As far as I understand the fastpath should prevent the traffic from those IPs from being inspected by the snort engine. Do I need to put it in the ACP as a Trust rule to capture existing connections as well?
10-22-2024 03:39 AM
Did you attach the prefilter policy to your ACP policy? If so, do you see any counters on the "show snort statistics" command in FTD CLISH mode (">")?
10-23-2024 04:13 AM
Yes, it's attached to the ACP. I had a look in the FTD's CLI and I didn't have the option for snort statistics under the "show" command.
10-23-2024 04:38 AM
Please refer to this link for the "show snort statistics" command:
10-24-2024 01:43 AM
Thanks, I read that; however, when I use "show" and look at all potential commands there are no snort entries. They are old devices, so maybe the OS doesn't support the command?
10-24-2024 02:34 AM
Mmm, not sure. One thing you could try would be to remove that prefilter rule and create it in the ACP with a trust action. The end result would be the same.
10-31-2024 12:27 AM
Prefilter does bypass Snort, but as I understand it, you configured the prefilter after the traffic had already passed through the FTD.
This makes the FTD build the connection first, and hence that connection bypasses any prefilter and the traffic is inspected by Snort.
MHM
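Added example (not posted by anyone in this thread, and not Cisco's own tooling): a small triage script for the situation described above. Given the scanner ranges that were put into the network object group, the time the prefilter policy was deployed, and a list of intrusion alerts with the start time of the underlying connection, it sorts each alert into one of three buckets: the endpoints are not scanner addresses at all (the fastpath rule was never expected to match), the connection was built before the policy was deployed (consistent with the "existing connection" explanation), or the connection started after deployment and still hit Snort (the rule itself, or its attachment to the ACP, needs checking). The ranges, deployment timestamp and alert records are constructed; the field names and the "connection started before deployment" heuristic are assumptions for illustration, not an FMC or FTD data format.

```python
"""Triage intrusion alerts that a prefilter fastpath rule should have kept away from Snort.

All data below is constructed for the example; nothing here is from the thread
or from a real device.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: the scanner ranges as they would be listed in the network object group.
SCANNER_RANGES = [ip_network("10.20.30.0/24"), ip_network("192.0.2.128/25")]

# Constructed: when the prefilter policy carrying the fastpath rule was deployed.
POLICY_DEPLOYED = datetime(2024, 10, 21, 18, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Alert:
    """One intrusion alert plus the start time of the connection it belongs to (assumed fields)."""
    alert_time: datetime
    src: str
    dst: str
    conn_start: datetime


def _ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp with an explicit UTC offset."""
    return datetime.fromisoformat(s)


# Constructed alert records covering each case the thread discusses.
ALERTS = [
    # Scanner source, but the connection was built before the policy went live.
    Alert(_ts("2024-10-22T01:00:00+00:00"), "10.20.30.5", "172.16.5.10", _ts("2024-10-21T17:30:00+00:00")),
    # Scanner destination, connection started after deployment: rule should have matched.
    Alert(_ts("2024-10-22T01:05:00+00:00"), "172.16.5.11", "192.0.2.200", _ts("2024-10-22T00:10:00+00:00")),
    # Neither side is a scanner address: alert is unrelated to the fastpath rule.
    Alert(_ts("2024-10-22T01:10:00+00:00"), "198.51.100.7", "172.16.5.12", _ts("2024-10-22T00:20:00+00:00")),
    # Scanner source, new connection after deployment: rule should have matched.
    Alert(_ts("2024-10-22T01:15:00+00:00"), "10.20.30.77", "172.16.5.13", _ts("2024-10-22T00:30:00+00:00")),
]


def in_scanner_ranges(ip: str, ranges=SCANNER_RANGES) -> bool:
    """True if the address falls inside any of the configured scanner ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def classify_alert(alert: Alert, ranges=SCANNER_RANGES, deployed=POLICY_DEPLOYED) -> str:
    """Return 'not_scanner', 'pre_existing_conn' or 'fastpath_miss' for one alert.

    The rule is written as "from or to" the scanner ranges, so either endpoint counts.
    A connection that started before the policy was deployed was already in the
    connection table with its original inspection path, which is the case the
    thread attributes the leftover alerts to.
    """
    if not (in_scanner_ranges(alert.src, ranges) or in_scanner_ranges(alert.dst, ranges)):
        return "not_scanner"
    if alert.conn_start < deployed:
        return "pre_existing_conn"
    return "fastpath_miss"


def summarize(alerts, ranges=SCANNER_RANGES, deployed=POLICY_DEPLOYED) -> dict:
    """Count alerts per bucket; a non-zero 'fastpath_miss' count points at the rule or its ACP attachment."""
    return dict(Counter(classify_alert(a, ranges, deployed) for a in alerts))


if __name__ == "__main__":
    for a in ALERTS:
        print(f"{a.alert_time.isoformat()} {a.src} -> {a.dst}: {classify_alert(a)}")
    print(summarize(ALERTS))
```

If every scanner-related alert lands in the pre_existing_conn bucket, the alerts are explained by connections that predate the deployment and should stop on their own as those connections age out; alerts in the fastpath_miss bucket mean new connections are still reaching Snort, which is where checking the prefilter policy's attachment to the ACP (or, as suggested above, moving the rule into the ACP with a Trust action) is worth the effort.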