10-21-2021 10:38 AM
Hello,
I recently started updating my ACL rules on my FTD devices in FMC from using ports to using application filters. The problem I've been running up against is trying to use packet tracer to identify what rule will get hit in a given scenario. It seems like packet tracer shows the first rule that matches the correct zone and IP address. It shows the traffic allowed pending AppID, even though the AppID in the rule doesn't match the port I'm using in packet tracer. This is especially frustrating when I'm asked to add a new rule and I have to sort through 100 ACLs that are all referencing objects. I can't quickly determine if there is a rule that already accommodates the access needed.
The easiest way I've found to do this at the moment is to either packet capture, or use the event viewer (assuming it hits a rule that is logging). Is Packet Tracer now completely useless with AppIDs? Or is there a better way to do this?
Thanks!
10-21-2021 11:09 AM
@sanchezeldorado you'd have to generate real traffic rather than simulate the flow, but you can run the command "system support firewall-engine-debug", filtered on the src/dst IP or port, whilst generating traffic; this will tell you what rule the traffic eventually matches.
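To illustrate the approach in this answer, here is an added helper (not from the thread or from Cisco) that reads firewall-engine-debug output and reports, per flow, which rules were "pending" on AppID and which rule the flow finally matched. The sample output is constructed and its line format is an approximation, so adjust the regular expressions to what your FTD actually prints.

```python
import re
from collections import OrderedDict

# Constructed sample of firewall-engine-debug output (format approximated,
# not captured from a real FTD). One flow from 10.10.1.50 to 192.0.2.20:443.
SAMPLE_DEBUG = """\
10.10.1.50-52311 > 192.0.2.20-443 6 AS 1 I 0 New session
10.10.1.50-52311 > 192.0.2.20-443 6 AS 1 I 0 pending rule order 2, 'Allow HTTPS Apps', AppId
10.10.1.50-52311 > 192.0.2.20-443 6 AS 1 I 0 pending rule order 2, 'Allow HTTPS Apps', AppId
10.10.1.50-52311 > 192.0.2.20-443 6 AS 1 I 0 match rule order 5, 'Deny Remote Access Tools', action Block
10.10.1.50-52311 > 192.0.2.20-443 6 AS 1 I 0 Deleting session
"""

# Flow header: "<src>-<sport> > <dst>-<dport> <proto>"; after it comes either a
# pending verdict (rule waiting on AppID) or the final match with its action.
FLOW_RE = re.compile(r"^(?P<src>\S+)-(?P<sport>\d+) > (?P<dst>\S+)-(?P<dport>\d+) (?P<proto>\d+) ")
PENDING_RE = re.compile(r"pending rule order (?P<order>\d+), '(?P<rule>[^']+)'")
MATCH_RE = re.compile(r"match rule order (?P<order>\d+), '(?P<rule>[^']+)', action (?P<action>\w+)")

def rule_verdicts(debug_text):
    """Return {flow: {"pending": [rule names], "match": (order, rule, action)}}."""
    flows = OrderedDict()
    for line in debug_text.splitlines():
        head = FLOW_RE.match(line)
        if not head:
            continue
        flow = (head["src"], head["sport"], head["dst"], head["dport"], head["proto"])
        entry = flows.setdefault(flow, {"pending": [], "match": None})
        if m := PENDING_RE.search(line):
            if m["rule"] not in entry["pending"]:
                entry["pending"].append(m["rule"])
        elif m := MATCH_RE.search(line):
            # The last "match" line wins: this is the rule the flow eventually hit.
            entry["match"] = (int(m["order"]), m["rule"], m["action"])
    return flows

def final_rule(debug_text, src, dst, dport):
    """Final matched rule for the first flow src -> dst:dport, or None if still pending."""
    for flow, entry in rule_verdicts(debug_text).items():
        if flow[0] == src and flow[2] == dst and flow[3] == str(dport):
            return entry["match"]
    return None

if __name__ == "__main__":
    for flow, v in rule_verdicts(SAMPLE_DEBUG).items():
        print(flow, "pending:", v["pending"], "final:", v["match"])
```

Note that in the constructed sample the rule packet-tracer would report (order 2, pending AppID) is not the one the flow finally hits, which is exactly the gap the question describes.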
10-21-2021 11:40 AM
I figured that would be the case. Thanks for answering. It would be nice if Cisco would add a feature to the packet-tracer to specify an optional AppID. I've lived in packet tracer in the past.