FTD Packet matching criteria? L7 vs L3/4

PacketSpartan
Level 1

Bit of a long one. Hopefully someone can provide some clarification. I am trying to get my head around how rules are matched in the ACP (I want to understand it for this scenario).

We have 2 FTD rules in our ACP.

Rule 1: Allow source 10.0.0.1 towards 8.8.8.8 for the App DNS

Rule 30: Allow source 10.0.0.1, Dst: 8.8.8.8 for Port 53 (TCP/UDP)

- Which rule will it match first, Rule 1 or Rule 30? I am trying to understand whether L3/L4 rules have precedence in the ACP. (I understand the ACP is evaluated top down.)

- When documents/resources refer to Lina L3/L4 being matched first, are they referring to the prefilter policy?

Having moved over from ASA+SFRs to full FTDs, I want to make sure I understand the packet flow.

CCNA R&S
Accepted Solution

The answer depends on how the FTD classifies the App DNS based on what it finds in the header of the packet. Normally this will match correctly, and in this case the first rule will be used. In the cases where the FTD does not recognize or match on the header for App DNS, there will be no match on the first rule, but as long as the destination port is either TCP/UDP 53, the second rule will be matched.

So in summary, whether or not the first rule is matched depends on what the FTD is looking for in the header and whether that is matched in the App DNS packet. I have seen rules work for a long time and then there is a new update which causes the FTD to not categorize the packet correctly and it stops matching.

When documents/resources refer to Lina L3/L4 being matched first, are they referring to the prefilter policy?

Yes and no. You can match on L3 and L4 in the ACP, but if you are matching on them in the ACP they will almost always be sent to SNORT anyway for security intelligence inspection and in some cases for regular SNORT / deep packet inspection. When prefilter is configured, the traffic in the prefilter rules will never be sent to SNORT. So, the answer depends on the context of the document when it refers to an L3 and L4 match.

--
Please remember to select a correct answer and rate helpful posts
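To make the top-down behaviour described above concrete, here is a small Python model of the two rules, added as an illustration (it is not Cisco or FTD code). The `app` field stands in for whatever classification the FTD assigned to the flow, and `None` for the case where it did not classify it; the rule and flow classes are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple, List

# Constructed model of top-down ACP rule evaluation (hypothetical, not FTD code).
@dataclass
class Flow:
    src: str
    dst: str
    proto: str             # "tcp" or "udp"
    dport: int
    app: Optional[str]     # application the detector assigned, or None if it did not classify the flow

@dataclass
class Rule:
    name: str
    src: str
    dst: str
    app: Optional[str] = None                                   # L7 condition: only a classified flow satisfies it
    ports: Set[Tuple[str, int]] = field(default_factory=set)    # L3/L4 condition: (proto, destination port)

    def matches(self, f: Flow) -> bool:
        if (f.src, f.dst) != (self.src, self.dst):
            return False
        if self.app is not None and f.app != self.app:
            return False            # unclassified or different app: the L7 condition fails
        if self.ports and (f.proto, f.dport) not in self.ports:
            return False
        return True

# The two rules from the question, in ACP order.
ACP: List[Rule] = [
    Rule("Rule 1", "10.0.0.1", "8.8.8.8", app="DNS"),
    Rule("Rule 30", "10.0.0.1", "8.8.8.8", ports={("tcp", 53), ("udp", 53)}),
]

def first_match(acp: List[Rule], f: Flow) -> str:
    """Return the name of the first rule that matches, or 'default action' if none does."""
    for rule in acp:
        if rule.matches(f):
            return rule.name
    return "default action"

# Classified as DNS on udp/53: Rule 1 wins simply because it is higher in the list.
classified = Flow("10.0.0.1", "8.8.8.8", "udp", 53, app="DNS")
# Same 5-tuple, but the detector did not classify it: falls through to Rule 30.
unclassified = Flow("10.0.0.1", "8.8.8.8", "udp", 53, app=None)
# Classified as DNS on a non-standard port: Rule 1 still matches; the port rule alone would not.
odd_port = Flow("10.0.0.1", "8.8.8.8", "udp", 5353, app="DNS")

if __name__ == "__main__":
    for f in (classified, unclassified, odd_port):
        print(f.proto, f.dport, f.app, "->", first_match(ACP, f))
```

Swapping the order of the two rules makes Rule 30 catch every port-53 flow first, which is the top-down point: there is no separate precedence for L3/L4 conditions inside the ACP.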


https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

What you want is clearly explained in this doc.

This doc takes HTTP as the example; in your case it is DNS, but it is the same principle.

MHM


Thanks Marius, appreciate the breakdown. This is what I was looking for.

CCNA R&S