02-06-2024 10:42 AM - edited 02-06-2024 10:43 AM
Hi.
I don't know what is happening with this behavior.
I have a public service exposed to the internet from my DMZ, and when I ran an Nmap scan to see what ports are open, I see RDP, and that is not allowed in my company.
Doing some tests, I created a rule on top of everything else that blocks RDP from any source to any destination, so I decided to run "system support firewall-engine-debug" and try whether the RDP actually works.
The results show me that traffic is currently blocked ("action block"). The event viewer shows me the same block. And the RDP test doesn't work. So that's fine.
The issue is that a network scan shows me that RDP is open, and when I try with telnet on the port (telnet x.x.x.x 3389) the telnet seems to be open.
PS: I tried to change the action "block" to "block with reset" but it didn't work.
FMC&FTD Ver: 6.6.5
Can someone explain this behavior?
02-06-2024 11:19 AM
In general, this is expected provided that you rely on application names in the access control policy. FTD may need a few packets to pass before the application is recognized, so the 1st SYN is passed through. Firewall-engine-debug should show you what happens with each packet in the case of RDP.
02-08-2024 04:33 AM
Can you add a rule in the prefilter also and check?
The port must show closed, not open.
MHM
02-08-2024 04:56 AM
Are you by chance matching on the RDP application in the ACP rule? If yes, then this would explain the behaviour you are seeing, as the FTD allows the packets through (first 3 packets) while SNORT makes a verdict on whether it should be blocked or not.
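The behaviour both replies describe (handshake completes, session dies once the first payload is inspected) is exactly what a plain SYN scan or telnet cannot distinguish from an open service. The following added example, not code from the thread or from Cisco, shows a verification probe that classifies a port as closed, handshake-only or open, together with a constructed local listener that imitates each case so it can be run offline; the host, port and payload are assumptions.

```python
import socket
import struct
import threading
import time


def probe_beyond_handshake(host, port, timeout=2.0):
    """Classify a TCP port as 'closed', 'handshake-only' or 'open'.

    'handshake-only' is the symptom from the thread: SYN/ACK completes (nmap
    and telnet say open) but the session is dropped or reset as soon as
    payload is sent, because the application-aware rule only acts after
    inspecting the first packets."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # no SYN/ACK or RST on SYN: what a port-based block looks like
    with sock:
        sock.settimeout(timeout)
        try:
            sock.sendall(b"probe\r\n")  # assumed payload; anything triggers inspection
            sock.recv(1)  # any reply, or an orderly FIN, means a real service answered
        except socket.timeout:
            return "handshake-only"  # silent drop after inspection ("block")
        except OSError:
            return "handshake-only"  # RST after inspection ("block with reset")
        return "open"


def local_listener(behaviour):
    """Constructed stand-in for the three outcomes; returns its ephemeral port.
    'echo'  = reachable service, 'reset' = block with reset after the first
    payload, 'drop' = silent block after the first payload."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            payload = conn.recv(64)
            if behaviour == "reset":  # zero-linger close makes the kernel send RST
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
            elif behaviour == "drop":
                time.sleep(3)  # hold the session open, never answer
            else:
                conn.sendall(payload)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port():
    """Reserve and release an ephemeral port so nothing listens on it."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real DMZ host, only "closed" proves the port-based block is in effect; "handshake-only" is the application-based rule doing its job late.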
02-15-2024 06:36 AM
Is this issue solved?
MHM