421 Views · 0 Helpful · 4 Replies

How to determine which rule is allowing traffic

willb1
Level 1

I have a server to which I only allow certain IPs. While reviewing events, I could see traffic from an IP that is not in the allowed list being allowed through, but I have been unable to determine why it was allowed.

Below is the output of a packet trace.

 

FTD-000-01# packet-tracer input outside tcp X.X.X.X 40446 X.X.X.X 443

Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Elapsed time: 13824 ns
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: No ECMP load balancing
Result: ALLOW
Elapsed time: 11776 ns
Config:
Additional Information:
Destination is locally connected. No ECMP load balancing.
Found next-hop X.X.X.X using egress ifc DMZ01(vrfid:0)

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 5888 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268467218
access-list CSM_FW_ACL_ remark rule-id 268467218: PREFILTER POLICY: FTD-000-01
access-list CSM_FW_ACL_ remark rule-id 268467218: RULE: DEFAULT TUNNEL ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 5888 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 5888 ns
Config:
Additional Information:

Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 5888 ns
Config:
Additional Information:

Phase: 7
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 26112 ns
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 38400 ns
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 19456 ns
Config:
Additional Information:
New flow created with id 127495114, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 20480 ns
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 18398 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)

Phase: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 253556 ns
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268480521
Additional Information:
Starting rule matching, zone 11 -> 7, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268468302 - Audit; 268480521 - Allow

Phase: 14
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 5632 ns
Config:
Additional Information:
Found next-hop X.X.X.X using egress ifc DMZ01(vrfid:0)

Phase: 15
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 2560 ns
Config:
Additional Information:
Found adjacency entry for Next-hop X.X.X.X on interface DMZ01
Adjacency :Active
MAC address 0050.56bc.e1b9 hits 79753 reference 5

Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: DMZ01(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 434770 ns
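The trace above already answers "which rule" if you read Phase 13 (Type: SNORT, Subtype: firewall): its Config line carries "Rule ID 268480521" and its Additional Information line reads "Matched rule ids 268468302 - Audit; 268480521 - Allow", and the final verdict is "Action: allow". So 268480521 is the access control policy rule that permitted this flow. The earlier ACCESS-LIST hit (rule-id 268467218) is the prefilter policy's default tunnel rule, whose only effect here is to hand the packet to Snort for a verdict, so it is not where the allow was decided. The script below is an added example, not code from the thread or from Cisco; it parses packet-tracer output of the layout shown in the post, pulls the Lina ACL rule-ids and the Snort rule IDs, and reports the deciding rule, or the phase that dropped the packet if the verdict was a drop. SAMPLE is constructed from the post's output (phases trimmed, RFC 5737 documentation addresses in place of the redacted X.X.X.X; the rule IDs are the ones in the post).

```python
"""Added example, not from the thread: parse Cisco FTD packet-tracer output and
report which rule produced the verdict.  SAMPLE is constructed from the shape of
the output posted above (phases trimmed, RFC 5737 documentation addresses in
place of the redacted X.X.X.X); the rule IDs are the ones in the post."""
import re

SAMPLE = """\
FTD-000-01# packet-tracer input outside tcp 203.0.113.10 40446 198.51.100.20 443

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ipinip any any rule-id 268467218
access-list CSM_FW_ACL_ remark rule-id 268467218: RULE: DEFAULT TUNNEL ACTION RULE
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Config:
Network 0, Inspection 0, Detection 3, Rule ID 268480521
Additional Information:
Matched rule ids 268468302 - Audit; 268480521 - Allow

Result:
input-interface: outside(vrfid:0)
output-interface: DMZ01(vrfid:0)
Action: allow
"""

LINA_RULE_RE = re.compile(r"\brule-id (\d+)")      # Lina (ASA-side) ACL entries
SNORT_RULE_RE = re.compile(r"\bRule ID (\d+)")      # Config line of the SNORT firewall phase
MATCHED_RE = re.compile(r"Matched rule ids (.+)")   # "id - Action; id - Action"


def parse_phases(text):
    """Return (phases, summary): one dict per 'Phase: N' block, plus the trailing Result block."""
    phases, summary, cur, section = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Phase:"):
            cur = {"number": int(line.split(":", 1)[1]), "type": "", "subtype": "",
                   "result": "", "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                      # bare "Result:" opens the final summary
            cur, section = None, "summary"
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is None:                            # command echo before Phase 1
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")
            cur[key.lower()] = value.strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section in ("config", "info"):          # "Elapsed time:" etc. fall through
            cur[section].append(line)
    return phases, summary


def explain(text):
    """Verdict, egress interface and the rule IDs to look up in the policy."""
    phases, summary = parse_phases(text)
    verdict = summary.get("Action", "").lower()
    acl = [p for p in phases if p["type"] == "ACCESS-LIST"]
    fw = next((p for p in phases if p["type"] == "SNORT" and p["subtype"] == "firewall"), None)
    lina_ids = []                       # distinct Lina-side rule-ids (prefilter / fastpath), in order
    for rid in (int(r) for p in acl for line in p["config"] for r in LINA_RULE_RE.findall(line)):
        if rid not in lina_ids:
            lina_ids.append(rid)
    matched = []                        # (rule_id, action) pairs from "Matched rule ids ..."
    for m in filter(None, map(MATCHED_RE.search, fw["info"] if fw else [])):
        for item in m.group(1).split(";"):
            rid, _, action = item.strip().partition(" - ")
            matched.append((int(rid), action.strip()))
    # The SNORT firewall phase names the deciding ACP rule in its Config line ("Rule ID N");
    # otherwise fall back to the matched rule whose action equals the final verdict.
    cfg_ids = [int(m.group(1)) for m in filter(None, map(SNORT_RULE_RE.search, fw["config"] if fw else []))]
    by_verdict = [rid for rid, act in matched if act.lower() == verdict]
    drops = [p for p in phases if p["result"].upper() == "DROP"]   # a DROP phase ends the trace
    return {
        "verdict": verdict,
        "egress": summary.get("output-interface"),
        "dropped_in_phase": f'{drops[0]["number"]} {drops[0]["type"]}' if drops else None,
        "lina_acl_rules": lina_ids,
        "snort_matched": matched,
        "deciding_rule": cfg_ids[-1] if cfg_ids else (by_verdict[-1] if by_verdict else None),
    }
```

Run packet-tracer with the exact offending source address and port (the redacted X.X.X.X values above), paste the output into a file and feed it to explain(); for the posted trace it reports deciding_rule 268480521, egress DMZ01, and lina_acl_rules [268467218] for the prefilter hand-off. If the trace ends in a drop, dropped_in_phase names the phase (for example a NAT or ACCESS-LIST phase) so you know whether Lina or Snort made the call.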

4 Replies

balaji.bandi
Hall of Fame

You need to check the rule base: if there is a permit IP any any as the top rule, then the traffic is allowed even though a line after it denies it.

Check your ACP rules in FTD / ASA?

BB


I don't see any permit IP any any rules. Is there another way to narrow it down?

The packet-tracer output looks to be from an FTD-imaged device. If you are able to send test packets, you could set up "system support firewall-engine-debug", or "system support trace" if you want to include Snort actions. Once you have gone through the prompts and started the capture/debug, send some test packets and the output will tell you which rule you are matching on.


I sent you a message.
