how to disable fast-path in FTD 6.2.0

Hi,

We have rules enabled with IPS policies in place. However, we can see that certain rules are not being inspected by IPS and they are being fast-pathed in the firewall.

I can see the fast-forwarded flows in the show snort statistics command on the CLI. We are using the default pre-filter policy on the FTD. I am not able to figure out the reason why flows are being fast-forwarded and could not find any way to change the behavior.

Is there a command to disable the fast-path processing in FTD? Has someone seen this behavior before? Please advise.

Vaibhav

Dinesh Verma
Cisco Employee

Hi Vaibhav,

This is not about the Pre-filter policy but the rules you've created in the ACL policy with the trust action. I quickly created a trust rule in my lab for social networks and I could see the fastpath flow counters increasing. Take a look at before and after:

Before:

> show snort statistics

Packet Counters:
Passed Packets 6904
Blocked Packets 0
Injected Packets 0
Packets bypassed (Snort Down) 0
Packets bypassed (Snort Busy) 0

Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0

Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0

After (creating trust rule):

> show snort statistics

Packet Counters:
Passed Packets 12662
Blocked Packets 25
Injected Packets 0
Packets bypassed (Snort Down) 1466
Packets bypassed (Snort Busy) 0

Flow Counters:
Fast-Forwarded Flows 6
Blacklisted Flows 0

Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0
>

Bottom line is, it is something to do with the ACL policy. Let me know if you have any queries.

Regards,
Dv
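
A small parser for the `show snort statistics` output quoted above, as an added example that is not part of this thread and not a Cisco tool: it reads two samples of the CLI output, diffs the counters that grow when traffic skips Snort inspection (fast-forwarded flows, packets bypassed while Snort is down or busy) and reports whether anything was not inspected. The sample text is copied from the before/after outputs in this reply, trimmed to the relevant lines.

```python
"""Parse FTD `show snort statistics` output and flag counters that grow when
traffic skips Snort inspection (trust/fast-path, Snort down or busy)."""
import re

# Counters whose increase means flows or packets were not fully inspected.
BYPASS_COUNTERS = (
    "Fast-Forwarded Flows",
    "Packets bypassed (Snort Down)",
    "Packets bypassed (Snort Busy)",
)

# Matches "<counter name> <integer>"; section headers ("Packet Counters:")
# and the CLI prompt line do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ()\-]*)\s+(\d+)\s*$")


def parse_snort_statistics(text: str) -> dict:
    """Map each counter line of the CLI output to its integer value."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def bypass_delta(before: dict, after: dict) -> dict:
    """Growth of each bypass counter between two samples (missing counter = 0)."""
    return {n: after.get(n, 0) - before.get(n, 0) for n in BYPASS_COUNTERS}


def inspection_bypassed(before: dict, after: dict) -> bool:
    """True when any bypass counter grew, i.e. some traffic was not inspected."""
    return any(v > 0 for v in bypass_delta(before, after).values())


# Sample input: the before/after outputs quoted in this reply, trimmed.
BEFORE = """Packet Counters:
Passed Packets 6904
Packets bypassed (Snort Down) 0

Flow Counters:
Fast-Forwarded Flows 0
"""
AFTER = """Packet Counters:
Passed Packets 12662
Packets bypassed (Snort Down) 1466

Flow Counters:
Fast-Forwarded Flows 6
"""
```

Run it against two consecutive captures of the command (for example before and after a policy deploy) and a non-zero delta on any bypass counter tells you which kind of bypass to look for in the ACL, SSL or IAB configuration.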

Hi DV,

Thanks for your prompt response. But my findings are different from yours.

I am testing a simple rule for internet access with the DNS, HTTP & HTTPS applications allowed in the mandatory rule category, and a block-all rule in the default rule category with logging enabled to see what else I am blocking. I am using the default pre-filter policy with no IPS policy & the default balanced connectivity & security profile for the network analysis policy in the advanced settings of the rule. In the show snort stats I don't see any fast-forwarded flows, as expected.

When I change the rule action to trust, in the show snort stats I can see passed packets and a number of flows in the fast-forwarded flows, as expected.

Now when I change the rule action back to allow and use an IPS policy of maximum detection & also use maximum detection in the network analysis policy, in the show snort stats I can see fast-forwarded flows. This shouldn't be the case, as the rule action is allow, so all the flows should be inspected by IPS & not fast-forwarded. Also I can see blacklisted flows. Where can I see the blacklisted flows & what is the way to clear them?

Is there something obvious that I am missing out here?

Please let me know.

Vaibhav

I would appreciate it if you could share a snapshot of your policy rule.

Regards,
Dv

The issue is only seen when I am using an Intrusion Prevention policy in the rule. If I remove that, the issue is gone.

Or even if I am using IPS as the default action in the rule, the issue is gone. Looks like it's a bug.

I have attached my test policy. Let me know if my rulebase is the problem.

Vaibhav

#Mat
Frequent Contributor

Hi there, I know this is an old post, but here are the reasons why you find many "fast forward flows":

  1. SSL traffic without an SSL policy configured
  2. Intelligent Application Bypass (IAB)

This doc has a detailed explanation:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

Regards.