09-02-2024 05:34 AM
Bit of a long one. Hopefully someone can provide some clarification; I am trying to get my head around how rules are matched in the ACP (I want to understand it for this scenario).
We have 2 FTD rules in our ACP.
Rule 1: Allow source 10.0.0.1 towards 8.8.8.8 for the App DNS
Rule 30: Allow source 10.0.0.1, Dst: 8.8.8.8 for Port 53 (TCP/UDP)
- Which rule will it match first, rule 1 or rule 30? I am trying to understand if L3/L4 rules have precedence in the ACP. (I understand the ACP is evaluated top down.)
- When documents/resources refer to Lina L3/L4 being matched first, are they referring to the prefilter policy?
Having moved over from ASA+SFRs to full FTDs, I want to make sure I understand the packet flow.
09-02-2024 03:43 PM
The answer depends on how the FTD classifies the App DNS based on what it finds in the header of the packet. Normally this will match correctly, and in this case the first rule will be used. In the cases where the FTD does not recognize or match on the header for App DNS, there will be no match on the first rule, but as long as the destination port is either TCP/UDP 53 the second rule will be matched.
So in summary, whether or not the first rule is matched depends on what the FTD is looking for in the header and if that is matched in the App DNS packet. I have seen rules work for a long time and then there is a new update which causes the FTD to not categorize the packet correctly and it stops matching.
When documents/resources refer to Lina L3/L4 being matched first, are they referring to the prefilter policy?
Yes and no. You can match on L3 and L4 in the ACP, but if you are matching on them in the ACP they will almost always be sent to SNORT anyway for security intelligence inspection and in some cases for regular SNORT / deep packet inspection. When prefilter is configured, the traffic in the prefilter rules will never be sent to SNORT. So, the answer depends on the context of the document when referring to an L3 and L4 match.
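To make the fall-through behaviour described in this answer concrete, here is an added toy model of top-down ACP evaluation (illustration only, not Cisco code; the rule and packet fields are assumptions). It shows that an application-based rule can only match once the flow has been classified as that application, while a port-based rule below it still matches unclassified traffic on the port:

```python
# Added illustration, not Cisco/FTD code: a toy model of top-down ACP
# rule evaluation. Field names and the "app" classification flag are
# assumptions chosen for the example.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    app: Optional[str]    # application identified by inspection; None if not (yet) classified


@dataclass(frozen=True)
class Rule:
    number: int
    action: str
    src: str
    dst: str
    app: Optional[str] = None              # application condition, e.g. "DNS"
    protos: Tuple[str, ...] = ()           # L4 protocol condition; empty = any
    dport: Optional[int] = None            # destination port condition; None = any

    def matches(self, pkt: Packet) -> bool:
        if pkt.src != self.src or pkt.dst != self.dst:
            return False
        # An application condition cannot match until the application
        # has actually been identified on the flow.
        if self.app is not None and pkt.app != self.app:
            return False
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed policy mirroring the two rules in the question.
ACP = [
    Rule(1, "allow", "10.0.0.1", "8.8.8.8", app="DNS"),
    Rule(30, "allow", "10.0.0.1", "8.8.8.8", protos=("tcp", "udp"), dport=53),
]


def evaluate(policy, pkt: Packet, default_action: str = "block"):
    """Return (rule number, action) of the first matching rule, top-down;
    (None, default_action) when no rule matches."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.number, rule.action
    return None, default_action
```

Classified DNS traffic hits rule 1 regardless of port; unclassified UDP/53 falls through to rule 30; anything else reaches the default action.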
09-02-2024 06:41 AM
What you want is clearly explained in this doc.
This doc takes HTTP as the example; in your case it is DNS, but it is the same principle.
MHM
09-02-2024 11:11 PM
Thanks Marius, appreciate the breakdown. This is what I was looking for.