Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2555
Views
0
Helpful
4
Replies

NGFW and port scanner

Go to solution
moskalevas
Level 1
Level 1

‎05-29-2020 12:43 AM

Hello everyone, please help with an understanding of NGFW processes.
When scanning an external network protected by firepower ftd 2130, the scanner shows open ports on hosts that are explicitly closed in FMC, and when trying to connect to an allegedly "open" port, we already see that FMS blocks it by displaying an information message.
How can this be, the closed ports glow from the outside as open, but in fact the FMS blocks them?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
moskalevas
Level 1
Level 1

‎06-30-2020 12:54 AM

Readind the article (https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc21) where it says that snort filters the application level, and in order to understand what kind of application it specially skips part of the synchronization packets (SYN), this is enough for npam

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎05-29-2020 05:00 AM

Can you provide more information please? What ports appear to be open and are you positive the reply comes from the NGFW?

Recently a member reported the same thing and went back and forth over 20 messages and in the end it was an upstream firewall with an ALG (Application Layer Gateway) that was sending the replies to a scanner.

0 Helpful

Go to solution
moskalevas
Level 1
Level 1
In response to Marvin Rhoads

‎05-29-2020 05:16 AM

thanks for reply, i'm sure that answer coming from ngfw, "custom Response Page", example: host behind ngfw, port 80 open on this host, on ngfw port for this host is locked, after scanning the external network, the result shows that the port is open, which does not actually connect
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to moskalevas

‎05-30-2020 07:20 AM

We would not see a custom response page from a standard blocking rule. You must have that explicitly configured in the policy. If the NGFW sends a response page then, yes, a port scanner wouldn't have enough information to ascertain that it was from the NGFW and not the protected host.

0 Helpful

Go to solution
moskalevas
Level 1
Level 1

‎06-30-2020 12:54 AM

Readind the article (https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc21) where it says that snort filters the application level, and in order to understand what kind of application it specially skips part of the synchronization packets (SYN), this is enough for npam
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card