FTD NAC L2 Block not working

David Rollins
Level 1

I have configured a rule in the Default NAC that is supposed to block a Layer 7 protocol application. When I analyze hit counts, it shows the rule has been matched. And when I analyze connection events, the traffic is showing as dropped. This is the 2nd rule in the access policy.

The rule is configured as such:

Rule_Name src_zone "any" dst_zone "any" src_net "any" dst_net "any" applications "chatGPT" src_port "any" dst_port "any" Action "Block"

ChatGPT is just the example application I'm using for this discussion.

Here is the issue. When I looked at the command line, this rule has an advanced permit ip any any. The reason it was brought to my attention was that we were trying to configure a Layer 3 deny rule (rule 33), and the permit ip any any was allowing the traffic.

How is this possible? Can anyone provide insight or resolution?
The default action for the Default NAC is "Block all traffic".

15 Replies

Above is completely true, but the reason why packet-tracer doesn't match the correct rule is simpler: you specify only L3/L4 parameters when you run it, hence all L7 ACP rule fields are ignored and packet-tracer matches the 1st matching ACP rule. For troubleshooting use "capture ... trace ..." instead and then "show capture <name> packet-number <n> trace". This tool shares infrastructure with packet-tracer, so you'll see familiar output with the Snort verdict integrated (for the packet when AppID recognizes the application protocol). The ability to see the Snort verdict was implemented in the infrastructure in FTD 6.2.
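As an added illustration of the capture-with-trace approach described above (this is not part of the thread; the interface name "inside", the client and server addresses and the packet number are assumptions):

```text
! Assumes an FTD where these commands are entered in the diagnostic CLI
! (system support diagnostic-cli, then enable) and a client 10.1.1.10
! talking to 203.0.113.10 on tcp/443 through interface "inside".
!
! packet-tracer only accepts the L3/L4 tuple, so the application field of
! an L7 rule can never be evaluated and the first L3/L4 match is reported.
packet-tracer input inside tcp 10.1.1.10 40000 203.0.113.10 443
!
! Capture live traffic with "trace" so the Snort verdict is stored with
! each traced packet; trace-count caps how many packets are traced.
capture capin interface inside trace trace-count 100 match tcp host 10.1.1.10 any eq 443
!
! Generate the traffic from the client, then list the captured packets to
! find the packet number you want to inspect. AppID needs payload to
! identify the application, so pick a packet after the TCP handshake
! (for HTTPS, the TLS ClientHello), not the SYN.
show capture capin
!
! Full trace for one packet: the familiar LINA phases plus the Snort verdict.
show capture capin packet-number 4 trace
!
! Remove the capture when finished.
no capture capin
```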

 
