cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2498
Views
0
Helpful
2
Replies

Packet tracer with firepower application IDs

sanchezeldorado
Level 1
Level 1

Hello,

 

I recently started updating my ACL rules on my FTD devices in FMC from using ports to using application filters. The problem I've been running up against is trying to use packet tracer to identify what rule will get hit in a given scenario. It seems like packet tracer shows the first rule that matches the correct zone and IP address. It shows the traffic allowed pending AppID. Even though the AppID in the rule doesn't match the port I'm using in packet tracer. This is especially frustrating when I'm asked to add a new rule and I have to sort through 100 ACLs that are all referencing objects. I can't quickly determine if there is a rule that already accommodates the access needed.

 

The easiest way I've found to do this at the moment is to either packet capture, or use the event viewer(Assuming it hits a rule that is logging). Is Packet Tracer now completely useless with APPIDs? Or is there a better way to do this?

 

Thanks!

1 Accepted Solution

Accepted Solutions

@sanchezeldorado you'd have to generate real traffic rather than simulate the flow, but you can run the command "system support firewall-engine-debug" filter on the src, dst ip or port whilst generating traffic, this will tell you what rule the traffic eventually matches.

View solution in original post

2 Replies 2

@sanchezeldorado you'd have to generate real traffic rather than simulate the flow, but you can run the command "system support firewall-engine-debug" filter on the src, dst ip or port whilst generating traffic, this will tell you what rule the traffic eventually matches.

I figured that would be the case. Thanks for answering. It would be nice if cisco would add a feature to the packet-tracer to specify an optional AppID. I've lived in packet tracer in the past.

Review Cisco Networking for a $25 gift card