04-06-2023 05:15 AM
Take a look at the packet-tracer output below. I have scrubbed some IPs and names for simplicity and privacy. Are you able to confirm, based on the output, which rule is allowing the 1.1.1.1 traffic to 2.2.2.2 in through the Outside interface? Basically I am trying to clean up rules, as there are too many zero-hit rules and ANY-type rules.
> packet-tracer input Outside tcp 1.1.1.1 8305 2.2.2.2 443 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a70ce150, priority=13, domain=capture, deny=false
hits=64174149, user_data=0x5575ed3ae0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=Outside, output_ifc=any
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a7011190, priority=1, domain=permit, deny=false
hits=2663353715, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=Outside, output_ifc=any
Phase: 3
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)
Phase: 4
Type: ECMP load balancing
Subtype:
Result: ALLOW
Config:
Additional Information:
ECMP load balancing
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)
Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: EntEdge-FTD2140-Local-Sensor_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: MyRule test
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffb4046d30, priority=12, domain=permit, deny=false
hits=19477110, user_data=0x5586141700, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 6
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc05e2e00, priority=7, domain=conn-set, deny=false
hits=5016061, user_data=0xffc05e0b40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any
Phase: 7
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
hits=29139365, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x55a7017410, priority=0, domain=inspect-ip-options, deny=true
hits=22780334, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any
Phase: 9
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xffc007d910, priority=13, domain=ipsec-tunnel-flow, deny=true
hits=4590121, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a2434a70, priority=0, domain=nat-per-session, deny=false
hits=29139367, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x55a7017410, priority=0, domain=inspect-ip-options, deny=true
hits=22780336, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=Outside(vrfid:0), output_ifc=any
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 25829692, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Firewall: starting AC rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 113, icmpCode 187
Packet: TCP, SYN, seq 1720790805
Session: new snort session
AppID: service unknown (0), application unknown (0)
Firewall: starting AC rule matching, zone 4 -> 4, geo 0 -> 0, vlan 0, sgt 0, src sgt type 0, dest_sgt_tag 0, dest sgt type 0, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268441600, pending URL
Snort id 11, NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
Phase: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information:
Found next-hop 3.3.3.3 using egress ifc Outside(vrfid:0)
Phase: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information:
Found adjacency entry for Next-hop 3.3.3.3 on interface Outside
Adjacency :Active
MAC address 2416.9daa.57bf hits 1359893055 reference 273
Result:
input-interface: Outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: Outside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
04-12-2023 07:27 AM
Each phase in the traffic flow in SNORT is checked by a specific command.
There is no one magic command covering all phases in the traffic flow.
But you can use
Snort Verdict: allow/deny to go directly to which SNORT phase drops the traffic.
04-11-2023 03:17 AM
If you are not finding the rule in the ACP, have you checked the prefilter rule associated with the ACP? It might be matching there.
04-11-2023 10:11 AM
Yes I have. I believe Gustavo has answered what is happening. What I have been trying to do is actually confirm the rule, as pre-filters and ACP don't always show hits when trying to modify/optimize rules.
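The question in this thread is which rule let the flow through. In the trace above, the Phase 2 ACCESS-LIST entry is the implicit rule, while Phase 5 is the one that carries an explicit ACL line, rule-id 268441600, whose remarks name the ACP and the L7 rule; the same rule-id reappears in the Snort trace. As an added example (not from the thread, not a Cisco tool), a small Python parser that pulls the ACCESS-LIST phases and the matched rule-id out of packet-tracer output, run on a constructed sample in which the ACP name is a placeholder:

```python
import re
# Constructed sample, cut down from the shape of the packet-tracer output posted
# above; the ACP name is a placeholder, not the poster's.
SAMPLE = """\
Phase: 2
Type: ACCESS-LIST
Config:
Implicit Rule
Additional Information:
Phase: 5
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268441600
access-list CSM_FW_ACL_ remark rule-id 268441600: ACCESS POLICY: EXAMPLE_ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268441600: L7 RULE: MyRule test
Additional Information:
"""

def parse_phases(text):
    """Split the output into phases, keeping Type, Result and the Config block."""
    phases, cur, in_cfg = [], None, False
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Phase":
            phases.append(cur := {"phase": int(val), "type": "", "result": "", "config": []})
        elif cur is None:
            continue                                  # text before the first phase
        elif key in ("Type", "Result") and val.strip():   # bare summary 'Result:' is skipped
            cur[key.lower()] = val.strip()
        elif key == "Config":
            in_cfg = True
        elif key == "Additional Information":
            in_cfg = False
        elif in_cfg:                                  # lines between Config: and Additional Information:
            cur["config"].append(line)
    return phases

def matched_acl_rules(text):
    """(phase, action, rule_id, remarks) for each ACCESS-LIST phase that names an
    explicit ACL entry; the 'Implicit Rule' phase has none and is left out."""
    found = []
    for p in (q for q in parse_phases(text) if q["type"] == "ACCESS-LIST"):
        for line in p["config"]:
            m = re.match(r"access-list \S+ advanced (permit|deny|trust) .*?rule-id (\d+)", line)
            if m:                                     # remarks carry the ACP and rule names
                tag = " remark rule-id %s: " % m.group(2)
                remarks = [r.split(tag, 1)[1] for r in p["config"] if tag in r]
                found.append((p["phase"], m.group(1), int(m.group(2)), remarks))
    return found
```

Feeding a full `packet-tracer ... detailed` capture to `matched_acl_rules` returns one tuple per explicit ACL match, so a `permit ip any any` hit shows up with the rule-id and rule name needed to find it in the ACP.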