FTD/F Help confirming rule(s) or policies are allowing traffic in

CiscoBrownBelt (Level 6)
Take a look at the packet-tracer output below. I have scrubbed some IPs and names for simplicity and privacy. Are you able to confirm, based on the output, which rule is allowing the 1.1.1.1 traffic to 2.2.2.2 in through the Outside interface? Basically I'm trying to clean up rules, as there are too many zero-hit rules and ANY-type rules.

> packet-tracer input Outside tcp 1.1.1.1 8305 2.2.2.2 443 detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x55a70ce150, priority=13, domain=capture, deny=false
        hits=64174149, user_data=0x5575ed3ae0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x55a7011190, priority=1, domain=permit, deny=false
        hits=2663353715, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=Outside, output_ifc=any

Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)

Phase: 4
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: EntEdge-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: MyRule test
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 Forward Flow based lookup yields rule:
 in  id=0xffb4046d30, priority=12, domain=permit, deny=false
        hits=19477110, user_data=0x5586141700, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xffc05e2e00, priority=7, domain=conn-set, deny=false
        hits=5016061, user_data=0xffc05e0b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
        hits=29139365, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x55a7017410, priority=0, domain=inspect-ip-options, deny=true
        hits=22780334, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0xffc007d910, priority=13, domain=ipsec-tunnel-flow, deny=true
        hits=4590121, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
        hits=29139367, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=any, output_ifc=any

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x55a7017410, priority=0, domain=inspect-ip-options, deny=true
        hits=22780336, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
        input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25829692, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Firewall: starting AC rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 113, icmpCode 187
Packet: TCP, SYN, seq 1720790805
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 11, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)

Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 3.3.3.3 on interface Outside
Adjacency :Active
MAC address 2416.9daa.57bf hits 1359893055 reference 273

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

Accepted Solution

Gustavo Medina (Cisco Employee)

If you have rules with features handled by Snort, like geolocation, AVC, URL, etc., then you will always see the rule in LINA deployed as any any, which is what you are referring to in the packet-tracer. In the Snort phase you are seeing the rule that the packet is hitting:

Phase: 16
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 203067496
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 4 -> 3, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 0, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

You can always use the system support trace command with firewall-engine-debug with live traffic and it will tell you the exact rule that you are hitting.

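Added example, not from this thread or from Cisco: a small Python parser over a constructed, abridged packet-tracer text in the shape posted above. It pulls out the two facts the answers turn on: the LINA ACE rendered as "permit ip any any" beside the rule-id that Snort actually matched (Gustavo's point), and an input interface equal to the output interface, which Rob reads as a sign that the destination given was the NAT (public) address rather than the real IP.

```python
import re

# Constructed, abridged packet-tracer output in the shape seen in this thread;
# only the lines the analysis reads are kept (a real run has many more phases).
SAMPLE_TRACE = """\
Phase: 5
Type: ACCESS-LIST
Config:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: My_test
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 16
Type: SNORT
Snort Trace:
Firewall: pending rule-matching, id 268441600, pending URL
Snort Verdict: (pass-packet) allow this packet
Result:
input-interface: Outside(vrfid:0)
output-interface: Outside(vrfid:0)
Action: allow
"""

def analyze(trace):
    """Walk the phase blocks and pull out the facts the thread argues over."""
    info = {"lina_rule_id": None, "lina_any_any": False, "l7_rule": None,
            "snort_rule_id": None, "snort_verdict": None,
            "input_ifc": None, "output_ifc": None}
    # Split at every 'Phase:' header and at the bare 'Result:' summary block.
    for block in re.split(r"(?m)^(?=Phase: |Result:$)", trace):
        kind = re.search(r"^Type: (\S+)", block, re.M)
        kind = kind.group(1) if kind else None
        if kind == "ACCESS-LIST":
            # The implicit-rule ACCESS-LIST phase has no ACE lines and is skipped here.
            for m in re.finditer(r"^access-list \S+ advanced (?:permit|deny) .*rule-id (\d+)", block, re.M):
                info["lina_rule_id"] = m.group(1)
                info["lina_any_any"] = " any any " in m.group(0)   # L3/L4 side is wide open
            l7 = re.search(r"L7 RULE: (.+)$", block, re.M)
            if l7:
                info["l7_rule"] = l7.group(1).strip()
        elif kind == "SNORT":
            m = re.search(r"rule-matching, id (\d+)", block)       # rule Snort actually matched
            v = re.search(r"^Snort Verdict: \((\S+)\)", block, re.M)
            info["snort_rule_id"] = m.group(1) if m else None
            info["snort_verdict"] = v.group(1) if v else None
        elif block.startswith("Result:"):
            for side in ("input", "output"):
                m = re.search(rf"^{side}-interface: ([^(\s]+)", block, re.M)
                info[f"{side}_ifc"] = m.group(1) if m else None
    return info

def findings(info):
    """Turn the extracted facts into the two conclusions reached in the thread."""
    out = []
    if info["lina_any_any"] and info["snort_rule_id"]:
        out.append(f"LINA ACE for rule-id {info['lina_rule_id']} is 'permit ip any any', so the "
                   f"L3/L4 match does not identify the rule; Snort matched rule-id "
                   f"{info['snort_rule_id']} (L7 rule {info['l7_rule']!r}), verdict {info['snort_verdict']}")
    if info["input_ifc"] and info["input_ifc"] == info["output_ifc"]:
        out.append(f"input and output interface are both {info['input_ifc']}: the destination was "
                   "probably the NAT (public) address; rerun packet-tracer with the real IP")
    return out
```

Feed it the full text of a real run (copied from the CLI) instead of SAMPLE_TRACE; the extra phases are ignored and the same two checks apply.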

17 Replies

Marvin Rhoads (Hall of Fame)

It appears to be this one:

access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: EntEdge-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: MyRule test

Right, but I can't find the ip any any rule when looking in FMC (this is concerning).

The MyRuleTest is a block statement.

When looking in FMC, the EntEdge-FTD2140-Local-Sensor_ACP is the rule set for the device that lists dozens of individual rules for the FTD, so it does not pinpoint which rule allows the traffic.

@CiscoBrownBelt the input and output interfaces are both "outside" interface, is that expected? Did you put the correct/real IP address for the destination?

Hi, where are you referencing that? Yes, I put the correct IPs; I entered them differently on here for privacy.

@CiscoBrownBelt the end of the packet-tracer output confirms the input and output interface.

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow

I would have assumed the traffic flow would be from outside to inside. Have you put the destination IP address in packet-tracer as the NAT IP address? Put the real (private) IP address as the destination.

I may have been putting in the public IP, which is why it shows that (I could confirm if I hadn't scrubbed the real IPs). However, how can I tell which policy is allowing traffic based on the packet-tracer output?

> packet-tracer input Outside tcp 1.1.1.1 8305 2.2.2.2 443 detailed

@Rob Ingram mentioned before: 'your packet input out and output out'.

So that explains the 0.0.0.0 of the ACL hit in packet-tracer.

Make sure you enter the correct IP and select the correct interface.

Ok here is a better trace with proper IPs. I still can't confirm those generic IP ANY rules and/or which policies allow this traffic:

> packet-tracer input Outside tcp 1.1.1.1 https 2.2.2.2 https detailed

Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a70ce150, priority=13, domain=capture, deny=false
hits=290061313, user_data=0x5575ed3ae0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Outside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a7011190, priority=1, domain=permit, deny=false
hits=2776297273, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside, output_ifc=any

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (L_Interface,Outside) source static T-Network T_Private_IP_Space-Network destination static T_GROUP TPUBLIC_GROUP no-proxy-arp
Additional Information:
NAT divert to egress interface L_Interface(vrfid:0)
Untranslate 2.2.2.2/443 to 2.2.2.2/443

Phase: 4
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 156.70.205.125 using egress ifc Outside(vrfid:0)

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: Techops-Edge-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: My_test
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffb4046d30, priority=12, domain=permit, deny=false
hits=21050798, user_data=0x5586141700, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc05e2e00, priority=7, domain=conn-set, deny=false
hits=5306291, user_data=0xffc05e0b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 7
Type: NAT
Subtype:
Result: ALLOW
Config:
nat (L_Interface,Outside) source static L_Interface_Private_IP_Space-Network L_Interface_Private_IP_Space-Network destination static T_-PUBLIC_GROUP T_-PUBLIC_GROUP no-proxy-arp
Additional Information:
Static translate 12.96.87.218/443 to 12.96.87.218/443
Forward Flow based lookup yields rule:
in id=0xffd40724e0, priority=6, domain=nat, deny=false
hits=0, user_data=0xffcc0147e0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=12.96.87.218, mask=255.255.255.255, port=0, tag=any
dst ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=L_Interface(vrfid:0)

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
hits=30858548, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a7017410, priority=0, domain=inspect-ip-options, deny=true
hits=24438236, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 10
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc007d910, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4846606, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any

Phase: 11
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
nat (L_Interface,Outside) source dynamic L_Interface_Private_IP_Space-Network LS4_IP
Additional Information:
Forward Flow based lookup yields rule:
out id=0xffe421c330, priority=6, domain=nat-reverse, deny=false
hits=1485, user_data=0xffe4219f40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=10.10.1.0, mask=255.255.255.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=L_Interface(vrfid:0)

Phase: 12
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
hits=30858550, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

Phase: 13
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a745ec00, priority=0, domain=inspect-ip-options, deny=true
hits=9724691, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=L_Interface(vrfid:0), output_ifc=any

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 27767825, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Phase: 15
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 16
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 203067496
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 4 -> 3, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 0, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 17
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 2.2.2.2 using egress ifc L_Interface(vrfid:0)

Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 2.2.2.2 on interface L_Interface
Adjacency :Active
MAC address 84f1.4764.bbd6 hits 477 reference 6

Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: L_Interface(vrfid:0)
output-status: up
output-line-status: up

@CiscoBrownBelt I assume that's the correct output interface now.

It's still matching the same rule as pointed out previously; that's because that rule is "permit ip any any".

access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: Techops-Edge-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: My_test

That's not something you want to leave like that, you should restrict inbound access via the outside interface and permit only the required traffic.

Don't worry, I will send you detail on how the ACL appears.

@Gustavo Medina gives the right answer.

Is there a way to look at the actual Snort rules within the Snort policy? The one for the FTD is set to Balanced Security and Connectivity.

Like @Gustavo Medina mentioned, "You can always use the system support trace command with firewall-engine-debug with live traffic". That shows you the actual Snort rule hit (if any).

If you just want to see all of the IPS rules in Snort, then look at your IPS policy.
