FTD blocks traffic but port resolution through telnet is successful

ggomez
Level 1

Hi.

I don't know what is happening with this behavior.

I have a public service exposed to the internet from my DMZ, and when I ran an Nmap scan to see which ports are open, I saw RDP, and that is not allowed at my company.

Doing some tests, I created a rule on top of everything else that blocks RDP from any source to any destination, so I decided to run "system support firewall-engine-debug" and test whether RDP actually works.

The results show me that the traffic is currently blocked ("action block"). The event viewer shows me the same block. And the RDP test doesn't work. So that's fine.

The issue is that a network scan shows me that RDP is open, and when I try a port resolution with telnet (telnet x.x.x.x 3389) the port seems to be open.

PS: I tried to change the action from "block" to "block with reset" but it didn't work.

FMC&FTD Ver: 6.6.5

Can someone explain this behavior?

4 Replies

tvotna
Spotlight

In general, this is expected, provided that you rely on application names in the access control policy. FTD may need a few packets to pass before the application is recognized, so the first SYN is passed through. Firewall-engine-debug should show you what happens with each packet in the case of RDP.

Can you add a rule in the prefilter also and check? The port must show closed, not open.
MHM

Are you by chance matching on the RDP application in the ACP rule? If yes, then this would explain the behaviour you are seeing, as the FTD allows the packets through (the first 3 packets) while Snort makes a verdict on whether it should be blocked or not.

--
Please remember to select a correct answer and rate helpful posts
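One way to tell the two cases apart on the wire, as an added example that is not from any of the posters: a small Python probe that completes the TCP handshake and then sends a single RDP protocol hello, so a port that a scanner or telnet reports as "open" is classified as handshake-only when the first data packet is reset or dropped (the shape of a Snort verdict landing after the first packets, as the replies above describe), versus service-responding when the application actually answers. The local fake server is constructed so the script runs offline; nothing here is FTD-specific.

```python
import socket
import threading

# Constructed probe: the first message an RDP client sends, an X.224 Connection
# Request in a TPKT header (a protocol hello that carries no credentials).
X224_CONNECTION_REQUEST = bytes.fromhex("0300000b06e00000000000")

def probe_port(host, port, payload=X224_CONNECTION_REQUEST, timeout=2.0):
    """Classify a port beyond the three-way handshake: 'closed' (SYN answered with
    RST), 'filtered' (SYN unanswered), 'handshake-only' (SYN/SYN-ACK/ACK completed,
    so nmap and telnet say "open", but the first data packet was reset, dropped or
    closed on, which is what a Snort verdict after the first packets looks like) or
    'service-responding' (the application behind the port actually answered)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout or host unreachable
        return "filtered"
    try:
        sock.sendall(payload)
        data = sock.recv(1024)
    except OSError:  # reset, broken pipe or timeout after the handshake
        return "handshake-only"
    finally:
        sock.close()
    return "service-responding" if data else "handshake-only"

def start_fake_server(behaviour):
    """Constructed local stand-in for the two outcomes; returns its ephemeral port.
    'drop-after-handshake' accepts and then closes without answering (a block that
    lands after the handshake); 'answer' replies with an X.224 Connection Confirm."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handle():
        conn, _ = srv.accept()
        with conn, srv:
            if behaviour == "answer":
                conn.recv(1024)
                conn.sendall(bytes.fromhex("0300000b06d00000000000"))
    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for behaviour in ("drop-after-handshake", "answer"):
        print(behaviour, "->", probe_port("127.0.0.1", start_fake_server(behaviour)))
```

Against a real host, a result of handshake-only on 3389 is consistent with the firewall passing the handshake and blocking on the Snort verdict, while a prefilter or port-based block would show up as closed or filtered instead.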

Is this issue solved?
MHM
