07-11-2017 10:12 PM - edited 02-21-2020 06:12 AM
Hi,
We have rules enabled with IPS policies in place. However, we can see that certain rules are not being inspected by IPS and they are being fast-pathed in the firewall.
I can see the fast-forwarded flows in the show snort statistics command on the CLI. We are using the default pre-filter policy on the FTD. I am not able to figure out the reason why flows are being fast-forwarded and could not find any way to change the behavior.
Is there a command to disable the fastpath processing in FTD? Has someone seen this behavior before? Please advise.
Vaibhav
07-12-2017 12:05 AM
Hi Vaibhav,
This is not about the Pre-filter policy but the rules you've created in the ACL policy with the trust action. I quickly created a trust rule in my lab for social network and I could see the fastpath flow counters increasing. Take a look at before and after:
Before:
> show snort statistics
Packet Counters:
Passed Packets 6904
Blocked Packets 0
Injected Packets 0
Packets bypassed (Snort Down) 0
Packets bypassed (Snort Busy) 0
Flow Counters:
Fast-Forwarded Flows 0
Blacklisted Flows 0
Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0
After (creating trust rule):
> show snort statistics
Packet Counters:
Passed Packets 12662
Blocked Packets 25
Injected Packets 0
Packets bypassed (Snort Down) 1466
Packets bypassed (Snort Busy) 0
Flow Counters:
Fast-Forwarded Flows 6
Blacklisted Flows 0
Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 0
Denied flow events 0
Frames forwarded to Snort before drop 0
Inject packets dropped 0
>
Bottom line is, it is something to do with the ACL policy. Let me know if you have any queries.
Regards,
Dv
07-12-2017 10:02 AM
Hi DV,
Thanks for your prompt response. But my findings are different than yours.
I am testing a simple rule for internet access with the DNS, HTTP & HTTPS applications allowed in the mandatory rule category, and a block-all rule in the default rule category with logging enabled to see what else I am blocking. I am using the default pre-filter policy with no IPS policy & the default balanced connectivity & security profile for the network analysis policy in the advanced settings of the rule. In the show snort stats I don't see any fast-forwarded flows, as expected.
When I change the rule action to trust, in the show snort stats I can see passed packets and the no. of flows in the fast-forwarded flows, as expected.
Now when I change the rule action back to allow and use an IPS policy of maximum detection & also use maximum detection in the network analysis policy, in the show snort stats I can see fast-forwarded flows. This shouldn't be the case, as the rule action is allow, so all the flows should be inspected by IPS & not fast-forwarded. Also I can see blacklisted flows. Where can I see the blacklisted flows & what is the way to clear them?
Is there something obvious that I am missing out here?
Please let me know.
Vaibhav
07-12-2017 08:30 PM
I would appreciate it if you could share a snapshot of your policy rule.
Regards,
Dv
07-13-2017 05:37 PM
The issue is only seen when I am using an intrusion prevention policy in the rule. If I remove that, the issue is gone,
or even if I am using IPS as the default action in the rule, the issue is gone. Looks like it's a bug.
I have attached my test policy. Let me know if my rulebase is the problem.
Vaibhav
09-14-2020 04:46 PM
Hi there, I know this is an old post, but here are the reasons why you find many "fast forward flows":
This doc has a detailed explanation:
Regards.