FTD user and url rules not working

Chess Norris
Level 4

Hello,

I have a strange issue with an FTD running the latest 6.2.3 code. When using rules that require inspection, like user or URL rules, the FTD will match on those rules even if it shouldn't be a match. For example, I am using an Identity policy and create rules based on users and groups from Active Directory. If I create a rule that should only match on users in group A, it will match on all users no matter which group they belong to. In fact, that rule will match even if the user doesn't belong to a user group at all. Same with URL rules. It will match on any URL rules no matter which categories I choose. Does anyone have a clue why this happens and how I can troubleshoot those inspection rules? Is it possible to see hit counts from Snort rules?

1 Reply

Ajay Saini
Level 7

Hello,

How do you know that a specific rule is being hit for users not called in that rule config? Do you see events with the source IP/username being seen for a specific group in the 'table view of connection events'?

Can you show a snippet of the rule you are talking about? Ideally, if there is no match, the default rule is hit; maybe that's where the traffic is going.

HTH

AJ