Not sure if Firesight is blocking correctly

Colin Higgins
Level 2

I have a pair of firewalls (ASA 5555X) with Firepower modules in them that are managed by FMC

I created a rule in FMC blocking any NetBIOS traffic (TCP 137, 445, etc.) from RFC 1918 address space (internal networks) to "any".

I then added an ACL rule on my ASA permitting TCP 445 from an internal host to any host on the Internet.

If I run a packet-tracer on the firewall, I see the traffic get passed up to the Firepower module, but the final result is that the traffic is allowed. I would expect that after going through the ACL, the traffic would be passed up to the Firepower module, which would then match it against the NetBIOS rule and block it.

I've also tried this using security zones, but to the same effect.

Am I missing something here?

1 Accepted Solution

Accepted Solutions

Marvin Rhoads
Hall of Fame

The ASA packet-tracer does not interact with the logic internal to the FirePOWER service module.

Instead try looking in the Connection Events of the FirePOWER module using FMC. You should see a BLOCK action there if your Access Control Policy rule is properly implemented.

Also, note that FMC 6.2 added a packet-tracer functionality (for FTD devices only).

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/troubleshooting_the_system.html?#id_41641

That packet-tracer does integrate the FirePOWER rules.
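
A way to apply the advice above to an exported event list, as an added example that is not part of this thread or of any Cisco tool: the script below reads a constructed connection-events CSV and reports every NetBIOS/SMB flow from RFC 1918 source space that was allowed rather than blocked. The column names, the sample rows and the rule names are assumptions modelled on what an FMC connection-events export contains, not an actual export; adjust the column names to match your own export.

```python
import csv
import io
import ipaddress

# Ports covered by the thread's "NetBIOS" rule (TCP 137, 445, "etc.").
# 138 and 139 are added here as the usual companions; that is an assumption.
NETBIOS_PORTS = {137, 138, 139, 445}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data. The header row mirrors the kind of columns an FMC
# connection-events export carries; the values are invented for this example.
SAMPLE_EVENTS = """\
first_packet,action,initiator_ip,responder_ip,protocol,responder_port,access_control_rule
2017-03-01 10:00:01,Block,192.168.10.5,203.0.113.7,tcp,445,Block-NetBIOS-Outbound
2017-03-01 10:00:02,Allow,192.168.10.5,203.0.113.7,tcp,443,Default-Allow
2017-03-01 10:00:03,Allow,10.1.2.3,198.51.100.9,tcp,445,Default-Allow
2017-03-01 10:00:04,Block,172.16.4.4,198.51.100.9,tcp,137,Block-NetBIOS-Outbound
2017-03-01 10:00:05,Allow,10.1.2.3,10.1.2.200,tcp,445,Internal-SMB
"""


def is_rfc1918(ip_text):
    """True if the address falls in one of the RFC 1918 private ranges."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def is_netbios_flow(row):
    """True for a TCP flow whose responder port is one of the NetBIOS/SMB ports."""
    if row.get("protocol", "").strip().lower() != "tcp":
        return False
    try:
        port = int(row.get("responder_port", ""))
    except ValueError:
        return False
    return port in NETBIOS_PORTS


def audit_netbios_events(csv_text, exempt_internal_destinations=False):
    """Check connection events against a 'block NetBIOS from RFC 1918 to any' rule.

    Returns a dict with the number of matching flows that were blocked, and the
    list of matching flows whose action was something other than Block. With
    exempt_internal_destinations=True, flows whose responder is also RFC 1918
    are skipped (for a policy that only targets traffic leaving the LAN).
    """
    blocked = 0
    violations = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_netbios_flow(row) or not is_rfc1918(row["initiator_ip"]):
            continue
        if exempt_internal_destinations and is_rfc1918(row["responder_ip"]):
            continue
        if row["action"].strip().lower() == "block":
            blocked += 1
        else:
            violations.append(row)
    return {"blocked": blocked, "violations": violations}


if __name__ == "__main__":
    result = audit_netbios_events(SAMPLE_EVENTS)
    print(f"{result['blocked']} NetBIOS flow(s) blocked as expected")
    for row in result["violations"]:
        print("NOT blocked:", row["first_packet"], row["initiator_ip"],
              "->", row["responder_ip"], "port", row["responder_port"],
              "rule", row["access_control_rule"])
```

Every row in the violations list names the access control rule that actually handled the flow, which is usually what you need to see: if the rule column shows a default or allow rule instead of the NetBIOS rule, the rule is either ordered too low, not deployed, or its zone or network conditions do not match the traffic the way you expect.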


3 Replies

One more question Marvin:

If I go into my FMC and specify that I want to log at the beginning of the connection for this particular NetBIOS blocking rule, and then run a packet-tracer on the firewall, should a connection event appear in the Analysis --> Connections --> Events screen?

I don't see anything in there right now after doing some traces.

That's a good question. I haven't tried that.

I do recall that the ASA informational level log event does get created as a result of running packet-tracer. I'm not sure if the internal logic actually passes the artificial packet to the FirePOWER module for inspection.

Based on your results, I am guessing it does not.
