cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
299
Views
0
Helpful
3
Replies

FTD Packet matching criteria? L7 vs L3/4

PacketSpartan
Level 1
Level 1

Bit of a long one. Hopefully someone can provide some clarification, I am trying to get my head around how rules are matched in ACP. (I  want to understand it for this scenario) 

We have 2 FTD rules in our ACP. 

Rule 1 : Allow source 10.0.0.1 towards 8.8.8.8 for the App DNS

Rule 30: Allow source 10.0.0.1 Dst: 8.8.8.8  for Port 53 (TCP/UDP)

- Which Rule will it match? Rule 1 or rule 30 first?  I am trying to understand if L3/l4 rules have precendence in the ACP. ( I understand ACP is evaluated top down).

-  When documents/resouces  refers to Lina l3/l4 being matched first, are they reffering to the prefilter policy?  . 

Having moved over from ASA+SFrs to full FTDs, i want to make sure i understand the packet flow. 

 

 

 

CCNA R&S
1 Accepted Solution

Accepted Solutions

The answer depends on how the FTD classifies the App DNS based on what it finds in the header of the packet.  Normally this will match correctly and in this case the first rule will be used.  In the cases where the FTD does not recognize or match on the header for App DNS, then there will be no match on the first rule but as long as the destination port is either tcp/udp 53 then second rule will be matched.

So in summary, whether or not the first rule is matched depends on what the FTD is looking for in the header and if that is matched in the App DNS packet.  I have seen rules work for a long time and then there is a new update which causes the FTD to not categorize the packet correctly and it stops matching.

When documents/resources refers to Lina l3/l4 being matched first, are they referring to the prefilter policy?

Yes and no.  you can match on L3 and L4 in ACP, but if you are matching on them in ACP they will almost always be sent to SNORT anyway for security intelligence inspection and in some cases for regular SNORT / deep packet inspection.  When prefilter is configured, that traffic in the prefilter rules will never be sent to SNORT.  So, the answer depends on the context of the document when referring to L3 and L4 match.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

3 Replies 3

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

what you want is clear explain in this doc. 

this doc. take http as example, in your case is dns but it same principle 

MHM

The answer depends on how the FTD classifies the App DNS based on what it finds in the header of the packet.  Normally this will match correctly and in this case the first rule will be used.  In the cases where the FTD does not recognize or match on the header for App DNS, then there will be no match on the first rule but as long as the destination port is either tcp/udp 53 then second rule will be matched.

So in summary, whether or not the first rule is matched depends on what the FTD is looking for in the header and if that is matched in the App DNS packet.  I have seen rules work for a long time and then there is a new update which causes the FTD to not categorize the packet correctly and it stops matching.

When documents/resources refers to Lina l3/l4 being matched first, are they referring to the prefilter policy?

Yes and no.  you can match on L3 and L4 in ACP, but if you are matching on them in ACP they will almost always be sent to SNORT anyway for security intelligence inspection and in some cases for regular SNORT / deep packet inspection.  When prefilter is configured, that traffic in the prefilter rules will never be sent to SNORT.  So, the answer depends on the context of the document when referring to L3 and L4 match.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius, Appreciate the breakdown This is what i was looking for,  

CCNA R&S
Review Cisco Networking for a $25 gift card