Mandatory rule in FMC causes network breach.

rhuysmans
Level 1

Hello peers,

I have a customer who discovered that their internal servers, ones that were NATed to a public IP address and had specific ports open for access from the internet, e.g. HTTPS or SMTP, were being bombarded by all sorts of internet traffic on a variety of ports, e.g. telnet, SSH, RDP, SMB, and many more, directly on their server interfaces.
The local firewalls on the servers were thankfully blocking this but when I was investigating I couldn't see this traffic going through their 2130 FTD firewall.

As part of my investigation I was able to SSH onto a server from my own lab site, through their firewall, with no problems.

I ran a trace on this traffic and found that a mandatory rule that the customer had created a few days ago was allowing all this Internet traffic through the firewall.

Looking at the rule, all it was doing was blocking a number of domain names in a URL list. Zone was ANY, Network was ANY, everything was the default with a "Block with Reset" and the URL list. I've attached a picture.

I disabled this rule and the traffic breach stopped immediately. Can anyone see anything in the rule that might allow traffic to go through the firewall, unchecked, to the internal servers? The rule looks fairly plain. Any thoughts or comments are appreciated. The rule in the attached picture had already been disabled when I took the screenshot, for obvious reasons.


Many thanks.