cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

562
Views
0
Helpful
3
Replies
Highlighted

How does the FTD appliance handle return traffic for an ACP?

Hello,

 

I hope I have the correct board for this question.  I have what I hope to be a simple question.  My question is how does the FTD appliances, such as the 2130, handle return traffic for a given rule for an access control policy?  For instance, if I create a rule to allow a source security zone & network/host to a destination security zone & network/host on destination TCP ports 80 & 443, how will the appliance handle the traffic that comes back in response to the initial request?  Will it be blocked, allowed, or will I need to specify the ephemeral range in my rule?

 

Thanks.

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Rising star

Re: How does the FTD appliance handle return traffic for an ACP?

Hi,

This will get allowed because the source port is the random port 49152 and the session will remain in the state table and it will get allowed with L7 inspection if you enable inspection.

 

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

3 REPLIES 3
Highlighted
VIP Rising star

Re: How does the FTD appliance handle return traffic for an ACP?

Hi,

As you know FTD has two engines, LINA & SNORT.

212321-clarify-the-firepower-threat-defense-acc-00.png

  • If a packet enters the ingress interface and it is handled by the LINA engine
  • If it is required by the FTD policy the packet is inspected by the Snort engine
  • The Snort engine returns a verdict (whitelist or blacklist) for the packet
  • The LINA engine drops or forwards the packet based on Snort’s verdict

Below diagram will show you the complete packet flow in FTD with ACP

212321-clarify-the-firepower-threat-defense-acc-03.png

As per your question if a traffic initiated from source to a particular destination FTD keeps the session in session table and match the return traffic as per the table.

 

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question

Highlighted

Re: How does the FTD appliance handle return traffic for an ACP?

Hello Abheesh,

 

Thanks for your quick response.  So as long as the originating traffic is held in the session table, the FTD engine will allow the return traffic without any other filtering to take place.  For instance, traffic from zone A on source TCP port 49152 to zone B on destination TCP port 80 will be allowed to return from zone B on source TCP port 80 to zone A on destination TCP port 49152 although I don't have an explicit rule opened to allow any traffic on destination TCP port 49152.  Is that correct?

Highlighted
VIP Rising star

Re: How does the FTD appliance handle return traffic for an ACP?

Hi,

This will get allowed because the source port is the random port 49152 and the session will remain in the state table and it will get allowed with L7 inspection if you enable inspection.

 

Thanks,
Abheesh
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post