Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2065
Views
0
Helpful
1
Replies

FTD user and url rules not working

Chess Norris
Level 4
Level 4

‎10-19-2018 12:43 AM - edited ‎02-21-2020 08:22 AM

Hello,

I have a strange issue with a FTD running latest 6.2.3 code. When using rules that requires inspection like user or url rules, the FTD will match on those rules even if it shouldn't be a match. For example I am using an Identify policy and create rules based on users and groups from Active Directory. If I create a rule that only should match on users in group A, it will match on all users no matter which group they belong to. In fact that rule will match even if the user doesn't belong to a user group at all. Same with url rules. It will match on any url rules no matter which categories I choose.  Anyone have a clue on why this happen and how I can troubleshoot those inspection rules? Is it possible to see hitcounts from snort rules? 

0 Helpful
1 Reply 1

Ajay Saini
Level 7
Level 7

‎10-22-2018 02:28 AM

Hello,

 

How do you know that a specific rule is being hit for users not called in that rule config? Do you see events with the source ip/username being seen for a specific group in the 'table view of connection events'.

 

Can you show a snippet of the rule you are talking about. Ideally, if there is no match, the default rule is hit, maybe thats where the traffic is going.

 

HTH

AJ

 

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card