01-30-2024 07:28 AM
FTD & FMC 7.3
Inside my prefilter policy, I have a few prefilter rules and no tunnel rules, but my default action under tunnel traffic is to analyze all tunnel traffic. The CLI shows there are hits for this traffic, but I'm assuming if there are no rules in my ACP, this traffic would be dropped. How can I prove that's the case? The logging icon next to the default action is grayed out and won't let me log anything, which makes me think you cannot log anything unless you have a tunnel rule. If I grab the rule ID off the CLI and filter for this under unified events, nothing gets returned.
Thanks
01-30-2024 08:58 AM
FTD
Outer header check by prefilter (you can fastpath it)
Inner header check by ACP
Inner header check by Snort
It seems to me that the inner header is allowed by the ACP.
MHM
01-30-2024 12:20 PM
Is there a way to verify the packets are being dropped?
01-30-2024 01:05 PM
Sorry, I don't get the last reply.
We are talking about tunnel traffic; which tunnel are we talking about, GRE or another tunnel?
thanks
MHM
01-30-2024 01:40 PM
Maybe this will be helpful. The CLI shows the following rules are being allowed. I don't have any rules like this configured in my fastpath, so they must be defaults. I've read a few other posts on this topic but don't believe I saw any definitive answers. I'm trying to determine if this type of traffic is actually getting through or if it's only a few packets before the IPS blocks it. Either way, how can I determine this?
01-30-2024 02:02 PM
The prefilter tunnel rule allows the traffic, and as I mentioned, the outer IP header is allowed by the prefilter.
I see GRE, so it is not encrypted. Can you check the inner IP header? If you add an ACP rule to drop the inner IP header (drop with log), you will see how the ACP filters tunnel traffic.
Note: you can use capture to see the inner IP header.
MHM
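To make the outer-header / inner-header split concrete, here is an added example (not from the thread and not a Cisco tool) that dissects a GRE-encapsulated IPv4 packet into the header the prefilter evaluates (outer IP, protocol 47) and the header the ACP and Snort evaluate (inner IP and its transport ports). The packet bytes are constructed in the script so it runs offline; the addresses, ports and GRE key are made-up sample values. Raw bytes exported from a capture of the tunnel traffic can be passed to `dissect_tunnel()` in the same way.

```python
"""
Separate the outer (tunnel) and inner (encapsulated) IPv4 headers of a
GRE packet. Added example, not part of the original thread or any Cisco
tooling; the sample packet is constructed inline.
"""
from __future__ import annotations

import socket
import struct
from typing import Optional

IPPROTO_GRE = 47          # outer IP protocol number for GRE
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an inner IPv4 packet
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 1071)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_gre(inner: bytes, key: Optional[int] = None) -> bytes:
    """GRE header (RFC 2784/2890) with an optional Key field, carrying IPv4."""
    flags = GRE_FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + inner


def parse_ipv4(data: bytes, off: int = 0) -> tuple[dict, int]:
    """Return (header fields, offset of the payload) for the IPv4 header at off."""
    if len(data) - off < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", data, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    hdr = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "proto": proto, "ttl": ttl, "len": total_len}
    return hdr, off + (vihl & 0x0F) * 4


def parse_gre(data: bytes, off: int) -> tuple[dict, int]:
    """Return (GRE fields, offset of the encapsulated packet), honouring C/K/S."""
    flags, ptype = struct.unpack_from("!HH", data, off)
    hlen = 4 + sum(4 for f in (GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S) if flags & f)
    gre = {"protocol_type": ptype, "key": None}
    if flags & GRE_FLAG_K:
        key_off = off + 4 + (4 if flags & GRE_FLAG_C else 0)
        gre["key"] = struct.unpack_from("!I", data, key_off)[0]
    return gre, off + hlen


def dissect_tunnel(pkt: bytes) -> dict:
    """Split a packet into what prefilter sees (outer) and what ACP/Snort see (inner)."""
    outer, off = parse_ipv4(pkt)
    result = {"outer": outer, "gre": None, "inner": None, "inner_l4": None}
    if outer["proto"] != IPPROTO_GRE:
        return result  # not a GRE tunnel: there is only one header to match
    gre, off = parse_gre(pkt, off)
    result["gre"] = gre
    if gre["protocol_type"] != ETHERTYPE_IPV4:
        return result  # GRE carrying something other than IPv4; not parsed here
    inner, off = parse_ipv4(pkt, off)
    result["inner"] = inner
    if inner["proto"] in (6, 17) and len(pkt) - off >= 4:  # TCP or UDP ports
        sport, dport = struct.unpack_from("!HH", pkt, off)
        result["inner_l4"] = {"sport": sport, "dport": dport}
    return result


# Constructed sample (not a real capture): inner TCP 10.0.1.10:40000 -> 10.0.2.20:443
# carried in GRE (key 1) between tunnel endpoints 203.0.113.1 -> 198.51.100.1.
_tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
INNER_PACKET = build_ipv4("10.0.1.10", "10.0.2.20", 6, _tcp)
SAMPLE_PACKET = build_ipv4("203.0.113.1", "198.51.100.1", IPPROTO_GRE,
                           build_gre(INNER_PACKET, key=1))

if __name__ == "__main__":
    d = dissect_tunnel(SAMPLE_PACKET)
    print("outer header (matched by prefilter tunnel rules):", d["outer"])
    print("GRE:", d["gre"])
    print("inner header (matched by ACP rules / Snort):", d["inner"], d["inner_l4"])
```

A prefilter tunnel rule or the tunnel default action only ever matches the `outer` fields printed here (tunnel endpoints and protocol 47); any ACP rule written against `10.0.1.10`, `10.0.2.20` or port 443 is matching the `inner` fields, which is why a "drop with log" rule on the inner addresses is the quickest way to see whether the encapsulated flows reach the ACP.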
01-30-2024 03:03 PM
You could run system support trace and enable firewall-engine-debug in the CLI. This should show all actions taken by both LINA and SNORT.