08-17-2023 08:17 AM - edited 08-17-2023 08:18 AM
I have a server to which I only allow certain IPs. While reviewing events, I could see traffic from an IP which is not in the allowed list being allowed through, but I have been unable to determine why it has been allowed.
Below is the output of a packet trace.
FTD-000-01# packet-tracer input outside tcp X.X.X.X 40446 X.X.X.X 443
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 13824 ns
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 11776 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop X.X.X.X using egress ifc DMZ01(vrfid:0)
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 5888 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268467218
access-list CSM_FW_ACL_ remark rule-id 268467218: PREFILTER POLICY: FTD-000-01
access-list CSM_FW_ACL_ remark rule-id 268467218: RULE: DEFAULT TUNNEL ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 5888 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 5888 ns
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 5888 ns
Config:
Additional Information:
Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 26112 ns
Config:
Additional Information:
Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 38400 ns
Config:
Additional Information:
Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 19456 ns
Config:
Additional Information:
New flow created with id 127495114, packet dispatched to next module
Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 20480 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 12
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 18398 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)
Phase: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 253556 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268480521
Additional Information:
Starting rule matching, zone 11 -> 7, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268468302 - Audit; 268480521 - Allow
Phase: 14
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5632 ns
Config:
Additional Information:
Found next-hop X.X.X.X using egress ifc DMZ01(vrfid:0)
Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found adjacency entry for Next-hop X.X.X.X on interface DMZ01
Adjacency :Active
MAC address 0050.56bc.e1b9 hits 79753 reference 5
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: DMZ01(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 434770 ns
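To find which rule actually produced the verdict in a trace like the one above, here is an added example (my own code, not from Cisco or the original post) that parses the packet-tracer text. The Phase 3 LINA access-list (permit ipinip any any, rule-id 268467218) is the prefilter policy's default tunnel rule that only hands the packet to Snort; the access control policy decision is on the "Matched rule ids" line of the SNORT/firewall phase, so the rule id to look up in the FMC policy is the one whose action matches that phase's Result. The sample text is a constructed excerpt in the same format.

```python
import re
# Constructed excerpt in the format of the packet-tracer output quoted in the post.
SAMPLE = """\
Phase: 3
Type: ACCESS-LIST
Result: ALLOW
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268467218
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Matched rule ids 268468302 - Audit; 268480521 - Allow
Result:
Action: allow
"""

def parse_phases(text):
    """Split packet-tracer output into phases: dicts with phase, type, subtype, result, lines."""
    phases, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Phase:\s*(\d+)", line)
        if m:
            cur = {"phase": int(m.group(1)), "lines": []}
            phases.append(cur)
        elif line.strip() == "Result:":
            cur = None  # a bare "Result:" opens the final summary block, not a phase
        elif cur is not None:
            cur["lines"].append(line)
            key, _, val = line.partition(":")
            if key in ("Type", "Subtype", "Result"):
                cur[key.lower()] = val.strip()
    return phases

def snort_firewall_phase(text):
    """The SNORT/firewall phase, where the access control policy verdict is reached."""
    return next((p for p in parse_phases(text)
                 if p.get("type") == "SNORT" and p.get("subtype") == "firewall"), None)

def matched_acp_rules(text):
    """(rule_id, action) pairs from the 'Matched rule ids' line of the SNORT/firewall phase."""
    p = snort_firewall_phase(text)
    line = next((l for l in (p["lines"] if p else []) if l.startswith("Matched rule ids")), "")
    return [(int(r), a) for r, a in re.findall(r"(\d+)\s*-\s*(\w+)", line)]

def deciding_rule(text):
    """Rule whose action equals that phase's Result: the id to look up in the FMC policy."""
    p = snort_firewall_phase(text)
    verdict = p.get("result", "").upper() if p else ""
    return next(((r, a) for r, a in matched_acp_rules(text) if a.upper() == verdict), None)
```

Run it on the full trace saved to a file (e.g. `deciding_rule(open("trace.txt").read())`) and it returns the id of the allowing rule, which for the trace above is 268480521.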
08-17-2023 08:23 AM
You need to check the rule base: if there is a permit IP any any rule at the top, then the traffic is allowed even though a later line denies it.
Check your ACP rules in FTD / ASA?
08-17-2023 08:35 AM
I don't see any permit IP any any rules. Is there another way to narrow it down?
08-17-2023 01:51 PM
The packet-tracer output looks to be from an FTD imaged device. If you are able to send test packets, you could set up "system support firewall-engine-debug" or "system support trace" if you want to include snort actions. Once you have gone through the prompts and started the capture / debug, send some test packets and the output will tell you which rule you are matching on.
08-17-2023 08:37 AM
I sent you a message.