I would appreciate if you

vaibhav.parlekar1 · ‎07-11-2017

Hi,

We have rules enabled with IPS policies in place. However, we can see that certain rules are not being inspected by IPS and they are being fast-pathed in the firewall.

I can see the fast-forwarded flows in the show snort statistics command on the Cli. We are using the default pre-filter policy on the FTD. I am not able to figure out the reason why flows are being fast-forwarded and could not find any way to change the behavior.

Is there a command to disable the fastpath processing in FTD. Has someone seen this behavior before, please advise.

Vaibhav

Dinesh Verma · ‎07-12-2017

Hi Vaibhav,

This is not about the Pre-filter policy but the rules you've created in ACL policy with trust action. I quickly created a trust rule in my lab for social network and I could see fastpath flow counters increasing. Take a look to before and after:

Before:

> show snort statistics

Packet Counters:
Passed Packets 6904
Blocked Packets 0
Injected Packets 0
Packets bypassed (Snort Down) 0
Packets bypassed (Snort Busy) 0

Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0

Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0

After (creating trust rule):

> show snort statistics

Packet Counters:
Passed Packets 12662
Blocked Packets 25
Injected Packets 0
Packets bypassed (Snort Down) 1466
Packets bypassed (Snort Busy) 0

Flow Counters:
Fast-Forwarded Flows 6
Blacklisted Flows 0

Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0
>

Bottom line is, it is something to do with ACL policy. Let me know if you've any query.

Regards,
Dv

vaibhav.parlekar1 · ‎07-12-2017

Hi DV,

Thanks for your prompt response. But my findings are different than yours.

I am testing a simple rule for internet access with DNS, HTTP & HTTPS applications allowed in the mandatory rule category. A block all rule in the default rule category with logging enabled to see what else I am blocking. I am using the default pre-filter policy with no IPS policy & the default balanced connectivity & security profile for network analysis policy in the advanced setting of the rule. In the show snort stats i don't see any fast-forwarded flows as expected.

I change the rule action to trust in the show snort stats I can see passed packets and no. of flows in the fast-forwarded flows as expected.

Now when I change the rule action back to allow and use a IPS policy of maximum detection & also use maximum detection in the network analysis policy. Now in the show snort stats I can see fast-forwarded flows. This shouldn't be the case as the rule action is allow so all the flows should be inspected by IPS & not fast-forwarded. Also I can see blacklisted flows. Where can I see the blacklisted flows & what is the way to clear them.

Is there something obvious that I am missing out here.

Please let me know.

Vaibhav

Dinesh Verma · ‎07-12-2017

I would appreciate if you could share snapshot of your policy rule.

Regards,
Dv

vaibhav.parlekar1 · ‎07-13-2017

The issue is only seen when I am using an Intrusion prevention policy in the rule. If I remove that the issue is gone.

or even if I am using IPS as the default action in the rule the issue is gone. Looks like it's a bug.

I have attached my test policy. let me know if my rulebase is the problem.

Vaibhav

#Mat · ‎09-14-2020

Hi there, I know this is an old post, but here are the reasons why you find many "fast forward flows":

SSL traffic without an SSL policy configured
Intelligent application bypass(IAB)

This doc has a detailed explanation:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html

Regards.

.

how to disable fast-path in FTD 6.2.0