11-12-2024 03:13 AM - edited 11-12-2024 03:18 AM
Hello, community!
I'm using an FTD1010 managed by FDM with the latest FW 7.4.2-172. I'm getting unexpected behavior from the box: it passes traffic that it should not.
I configured 2 rules with logging:
I configured SSL Decryption to match this traffic with logging.
If I do HTTP queries to my custom Web_URL with standard methods (GET, POST, HEAD, ...), rule #9 is hit, which works fine. And if I do the same query with a mistyped URL, rule #10 is hit, which is also fine and expected. Such requests produce correct logs about the decryption and the rule hit.
Now, if I do the same type of queries but with a non-standard method, none of my rules are hit, the traffic is passed to the server and I get no logging whatsoever. It seems as if, while the FTD box is still trying to determine the URL in the session, the session has already ended.
Here is the debug logging:
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 New firewall session
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 DAQ returned DST FQDN IDs: 1065 1058
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 9, 'apa_test RD', and dst network, FQDN first with zones 2 -> 5, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 1412
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 pending rule order 9, 'apa_test RD', AppID for URL
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Deferring trust until a rule is matched
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 flow tcp established event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 service inspector changed event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 wait for decryption event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host changed, bits 0x100
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 app event with client changed, service changed, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0xC
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 decrypting event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 tls update session event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload changed, referred no change, misc no change, url no change, tls host no change, bits 0x10
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 service inspector changed event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 tls update session event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 service inspector changed event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 app event with client no change, service no change, payload changed, referred no change, misc no change, url no change, tls host no change, bits 0x10
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 9, 'apa_test RD', and dst network, FQDN first with zones 2 -> 5, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 0, client 1296, misc 0, user 1412, no url or host, no xff
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 9, id 268435522
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 tls update session event
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Deleting Firewall session flags=0x20020a0, logFlags=0x2001
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 0 ruleAction = 0 ruleReason = 0
As we can see, the FTD was unable to determine either the host or the URL in the request. This is not the case with standard HTTP methods, where the FTD shows the HOST and URL in the debugs.
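As an added example (not part of this thread or of Cisco's tooling), here is a small Python check over firewall-engine-debug output like the one above: it groups lines by flow and flags sessions that were still "waiting for decrypted-URL" when they were torn down with rule_id = 0, i.e. closed without any rule ever matching or logging. The sample input is constructed from the post's lines plus a second, healthy session for comparison.

```python
import re

# Constructed sample: the first session is taken from the debug output above,
# the second (port 20136) is a made-up healthy session whose EOF carries a
# non-zero rule_id (268435522 is the rule-order-9 id seen in the real output).
SAMPLE_DEBUG = """\
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 New firewall session
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 pending rule order 9, 'apa_test RD', AppID for URL
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Deferring trust until a rule is matched
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 9, id 268435522
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Deleting Firewall session flags=0x20020a0, logFlags=0x2001
ME 20135 -> s01 443 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 0 ruleAction = 0 ruleReason = 0
ME 20136 -> s01 443 6 AS=0 ID=1 GR=1-1 New firewall session
ME 20136 -> s01 443 6 AS=0 ID=1 GR=1-1 pending rule order 9, 'apa_test RD', AppID for URL
ME 20136 -> s01 443 6 AS=0 ID=1 GR=1-1 inspection pending, waiting for decrypted-URL, rule order 9, id 268435522
ME 20136 -> s01 443 6 AS=0 ID=1 GR=1-1 Generating an EOF event with rule_id = 268435522 ruleAction = 2 ruleReason = 0
"""

# "<src> <sport> -> <dst> <dport> <proto> AS=.. ID=.. GR=.. <message>"
FLOW_RE = re.compile(r"^(?P<flow>\S+ \d+ -> \S+ \d+ \d+) AS=\d+ ID=\d+ GR=\S+ (?P<msg>.*)$")
PENDING_RE = re.compile(r"inspection pending, waiting for decrypted-URL, rule order (\d+)")
EOF_RE = re.compile(r"Generating an EOF event with rule_id = (\d+)")


def find_unmatched_sessions(debug_text):
    """Return {flow: pending_rule_order} for every session that was still
    waiting for the decrypted URL when its EOF event fired with rule_id = 0."""
    pending = {}    # flow -> rule order it was waiting on
    unmatched = {}
    for line in debug_text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flow, msg = m.group("flow"), m.group("msg")
        if msg == "New firewall session":
            pending.pop(flow, None)   # a reused 5-tuple starts clean
        p = PENDING_RE.search(msg)
        if p:
            pending[flow] = int(p.group(1))
        e = EOF_RE.search(msg)
        if e:
            if flow in pending and int(e.group(1)) == 0:
                unmatched[flow] = pending[flow]
            pending.pop(flow, None)
    return unmatched


if __name__ == "__main__":
    for flow, order in find_unmatched_sessions(SAMPLE_DEBUG).items():
        print(f"{flow}: closed while pending on rule order {order}, no rule matched")
```

Run it against a full `system support firewall-engine-debug` capture to list the flows that slipped through without a rule match; each listed flow is one that produced no connection event.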
11-12-2024 04:04 AM
Can you share the output of
system support firewall-engine-debug
Send it as a PM.
MHM
11-12-2024 04:22 AM
But the quoted text from the original post is the output of (I stripped only the IP addresses)
system support firewall-engine-debug
11-13-2024 04:51 AM
Sorry, did you share all of the debug?
MHM
11-13-2024 06:00 AM
Replied in PM
11-13-2024 10:59 PM
It seems like Snort is stuck in a pending state for URL/Host identification for HTTP requests with a non-standard method, and thus it is unable to exclude the allow rule 'apa_test RDWeb' and continue with the 'apa_test' block rule. As a result, traffic with the server is not blocked and I can see the server response.
To sum up:
The request below is blocked by apa_test, because the ACP URL is (s01.local/valid_endpoint):
curl -D - -k -X GET https://s01.local/endpoint1
The request below is allowed by apa_test RDWeb:
curl -D - -k -X GET https://s01.local/valid_endpoint
The request below should be blocked, but as of now it is allowed and there are no logs about it anywhere:
curl -D - -k -X METHOD1 https://s01.local/endpoint1