FTD 7.4 ACP rule matching: host vs object-group

TSOL
Level 1

Hello Experts,

I have a question regarding the behavior of Access Control Policy (ACP) on Cisco Secure Firewall Threat Defense (FTD) 7.4.

Environment:
- FTD 7.4
- Managed by FDM
- IPv4 only
- Access Control Policy in use

Configuration:
1. Rule #1 (Top rule)
- Action: Allow
- Source Network: Single host object (e.g. host_test2)
- Destination: any
- Other conditions: any

2. Rule #2 (Lower rule)
- Action: Block
- Source Network: Object-group (TEST-Group)
- TEST-Group includes host_test2
- Destination: IPv4-any
- Other conditions: any

Observed behavior:
When traffic is sent from host_test2, it is blocked by Rule #2 instead of being allowed by the top Allow rule (Rule #1).

Connection Events confirm that the Block rule using the object-group is the matched rule.

Verified:
- Rule order is correct (Allow rule is above Block rule)
- This is not caused by NAT or asymmetric routing

Official documentation reviewed:
The following Cisco document explains that ACP evaluation is performed by the Snort engine, but I could not find a clear specification about precedence between a single host object and an object-group.

- Clarify the Firepower Threat Defense Access Control Architecture
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

Questions:
1. In FTD 7.4 ACP matching, are there cases where a rule using an object-group that includes a specific host matches traffic instead of a higher rule using that single host?

2. Is this type of configuration — using a single host and an object-group containing that host in separate ACP rules — something that should be avoided as a best practice?

If there is any official documentation or Cisco TAC guidance regarding this behavior, I would appreciate it.

Thank you in advance.
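To make the expected top-down, first-match evaluation of the two rules concrete, and to give a quick way to audit a policy for exactly this kind of host-versus-group overlap, here is an added Python model of the scenario (example code written for this thread, not Cisco's or FTD's own implementation; the addresses and the extra /24 member of TEST-Group are constructed assumptions):

```python
import ipaddress
from dataclasses import dataclass

# Constructed network objects mirroring the thread's setup (addresses are hypothetical).
HOST_OBJECTS = {"host_test2": ["192.0.2.10/32"]}
OBJECT_GROUPS = {"TEST-Group": ["host_test2", "192.0.2.0/24"]}
ANY = [ipaddress.ip_network("0.0.0.0/0")]


def expand(name):
    """Resolve 'any', a host object, or an object-group (recursively) into IPv4 networks."""
    if name in ("any", "IPv4-any"):
        return ANY
    if name in HOST_OBJECTS:
        return [ipaddress.ip_network(n) for n in HOST_OBJECTS[name]]
    nets = []
    for member in OBJECT_GROUPS[name]:
        if member in HOST_OBJECTS or member in OBJECT_GROUPS:
            nets.extend(expand(member))          # nested object or group
        else:
            nets.append(ipaddress.ip_network(member))  # literal network
    return nets


@dataclass
class Rule:
    name: str
    action: str
    src: str
    dst: str


# The two ACP rules from the question, in the order they appear in the policy.
POLICY = [
    Rule("Rule #1", "Allow", "host_test2", "any"),
    Rule("Rule #2", "Block", "TEST-Group", "IPv4-any"),
]


def matches(rule, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in n for n in expand(rule.src)) and any(dst in n for n in expand(rule.dst))


def evaluate(policy, src_ip, dst_ip, default="Block"):
    """First-match, top-down: the first rule whose conditions match decides the action."""
    for rule in policy:
        if matches(rule, src_ip, dst_ip):
            return rule.action, rule.name
    return default, "default action"


def shadowed_sources(policy):
    """Report (lower rule, higher rule, network) where a lower rule's source network is
    fully covered by an earlier rule with a different action, i.e. unreachable for it."""
    findings = []
    for i, lower in enumerate(policy):
        for net in expand(lower.src):
            for higher in policy[:i]:
                if higher.action != lower.action \
                        and any(net.subnet_of(h) for h in expand(higher.src)) \
                        and all(any(d.subnet_of(h) for h in expand(higher.dst)) for d in expand(lower.dst)):
                    findings.append((lower.name, higher.name, str(net)))
    return findings
```

With the rules as described, `evaluate` returns Allow via Rule #1 for host_test2 and Block via Rule #2 only for the other group members, and `shadowed_sources` flags host_test2 as the overlapping entry between the two rules.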

2 Replies

balaji.bandi
Hall of Fame
When traffic is sent from host_test2

What kind of traffic and what is the destination? TEST-Group includes host_test2 (so return traffic you are blocking) - what is the intention of this testing?


BB


Cristian Matei
VIP Alumni

Hi,

Assuming both rules are configured within the same section (Mandatory or Default), and given the rules are configured as you've mentioned, this sounds like a bug (did you somehow reorder the rules, like your first rule was initially the second one and you've changed order afterwards?), or a misconfiguration, maybe your host_test2 object is not configured properly.

Can you delete the ACP rules, create new objects and object-groups and ensure you're matching correctly on what you need to match, create the ACP rules again and test again? If still not working, can you get to FTD CLI and paste the output of command "show access-list CSM_FW_ACL_" and mention what is the IPv4 address of the host's traffic that should match on first rule?

Thanks,

Cristian.
