Packet tracer with firepower application IDs

sanchezeldorado
Level 1

Hello,

I recently started updating my ACL rules on my FTD devices in FMC from using ports to using application filters. The problem I've been running up against is trying to use packet tracer to identify what rule will get hit in a given scenario. It seems like packet tracer shows the first rule that matches the correct zone and IP address. It shows the traffic allowed pending AppID, even though the AppID in the rule doesn't match the port I'm using in packet tracer. This is especially frustrating when I'm asked to add a new rule and I have to sort through 100 ACLs that are all referencing objects. I can't quickly determine if there is a rule that already accommodates the access needed.

The easiest way I've found to do this at the moment is to either packet capture, or use the event viewer (assuming it hits a rule that is logging). Is Packet Tracer now completely useless with AppIDs? Or is there a better way to do this?

Thanks!

Accepted Solution

@sanchezeldorado you'd have to generate real traffic rather than simulate the flow, but you can run the command "system support firewall-engine-debug", filtered on the src/dst IP or port, whilst generating traffic; this will tell you what rule the traffic eventually matches.

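The debug run described in the accepted answer produces one line per evaluation step for every flow that passes the filter, and the line a rule-auditor actually wants is the last "match rule" line for the flow of interest (or, if the session never got that far, the "pending ... AppID" line that packet tracer also stops at). The script below is an added example, not part of the thread and not a Cisco tool: it reads captured firewall-engine-debug output on stdin and reports the final verdict for one client/server/port tuple. The sample lines are constructed from memory of the FTD debug format, and the "match rule order N, 'Name', action X" and "pending rule order N, 'Name', AppID" patterns are assumptions that may differ between FTD releases; adjust the two patterns in the awk script if your output looks different.

```sh
#!/bin/sh
# Added example (not from the thread): summarise captured
# "system support firewall-engine-debug" output to the rule each flow finally hit.
#
# On the FTD CLI the debug is interactive; from memory it prompts roughly like
#   > system support firewall-engine-debug
#   Please specify an IP protocol: tcp
#   Please specify a client IP address: 10.1.1.20
#   Please specify a client port:
#   Please specify a server IP address: 192.0.2.10
#   Please specify a server port: 443
# and you generate the real traffic while it runs. Copy the output into a file
# (or pipe a terminal log) and feed it to final_rule below.
#
# ASSUMPTION: line layout "src-sport > dst-dport proto AS n I n <message>" and the
# "pending rule order"/"match rule order" message wording; check against your release.

# Constructed sample debug output for three flows from one client:
#  - 443: pending AppID on rule 2, then matched by rule 2 once AppID resolved
#  - 22 : pending AppID on rule 2, then fell through to rule 5
#  - 8443: session never completed, so only the pending line exists
sample_debug() {
  cat <<'EOF'
10.1.1.20-51234 > 192.0.2.10-443 6 AS 1 I 0 New session
10.1.1.20-51234 > 192.0.2.10-443 6 AS 1 I 0 Starting with minimum 2, 'Allow-Web-Apps', and SrcZone first with zones 1 -> 2
10.1.1.20-51234 > 192.0.2.10-443 6 AS 1 I 0 pending rule order 2, 'Allow-Web-Apps', AppID
10.1.1.20-51234 > 192.0.2.10-443 6 AS 1 I 0 match rule order 2, 'Allow-Web-Apps', action Allow
10.1.1.20-51240 > 192.0.2.10-22 6 AS 1 I 0 New session
10.1.1.20-51240 > 192.0.2.10-22 6 AS 1 I 0 pending rule order 2, 'Allow-Web-Apps', AppID
10.1.1.20-51240 > 192.0.2.10-22 6 AS 1 I 0 match rule order 5, 'Allow-SSH-Admin', action Allow
10.1.1.20-51250 > 192.0.2.10-8443 6 AS 1 I 0 New session
10.1.1.20-51250 > 192.0.2.10-8443 6 AS 1 I 0 pending rule order 2, 'Allow-Web-Apps', AppID
EOF
}

# final_rule SRC_IP DST_IP DST_PORT  (debug output on stdin)
# Prints "<order> <name> <action>" from the last "match rule" line of that flow,
# "PENDING <order> <name>" if only an AppID-pending line was seen, else "NO-MATCH".
final_rule() {
  awk -v src="$1" -v dst="$2" -v dport="$3" '
    BEGIN {
      q = "\047"                      # single quote; kept out of the sh-quoted script body
      dkey = dst "-" dport
      mpat = "match rule order [0-9]+, " q "[^" q "]*" q ", action [A-Za-z]+"
      ppat = "pending rule order [0-9]+, " q "[^" q "]*" q ", AppID"
    }
    # Keep only lines for the requested flow: $1 is "src-sport", $3 is "dst-dport".
    index($1, src "-") != 1 || $3 != dkey { next }
    match($0, mpat) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^match rule order /, "", s)  # -> "2, <quoted name>, action Allow"
      split(s, p, ", ")
      gsub(q, "", p[2]); sub(/^action /, "", p[3])
      result = p[1] " " p[2] " " p[3]   # a later match line overrides an earlier one
      next
    }
    match($0, ppat) {
      s = substr($0, RSTART, RLENGTH)
      sub(/^pending rule order /, "", s)
      split(s, p, ", ")
      gsub(q, "", p[2])
      pending = p[1] " " p[2]
    }
    END {
      if (result != "") print result
      else if (pending != "") print "PENDING " pending
      else print "NO-MATCH"
    }'
}

# Stand-alone demo: which rule did the HTTPS flow end up on?
sample_debug | final_rule 10.1.1.20 192.0.2.10 443
```

A "PENDING" result is the same state packet tracer reports, and it means the rule shown is not a verdict: the engine has only narrowed the candidates to rules whose non-application conditions match, and the real decision is made once AppID identifies the flow. Only the "match rule" line tells you which rule, and which action, the traffic actually received.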

2 Replies


I figured that would be the case. Thanks for answering. It would be nice if Cisco would add a feature to the packet-tracer to specify an optional AppID. I've lived in packet tracer in the past.
