04-12-2024 07:04 AM
We have FMC and FTD. In FMC we configured a "Blocked Traffic" rule in the ACCESS POLICY, but while checking on the FTD (CLI) one more ACL entry (ifc outside any any allow) is showing with the same rule-id 268441601. Any ideas how to find this ACL in FMC?
ACL in FTD
========
access-list CSM_FW_ACL_ line 17 remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ line 18 remark rule-id 268441601: L7 RULE: Blocked Traffic
access-list CSM_FW_ACL_ line 19 advanced deny ip ifc outside host x.x.x.x any rule-id 268441601 (hitcnt=0) 0x70ce5f02
access-list CSM_FW_ACL_ line 20 advanced permit ip ifc outside any any rule-id 268441601 (hitcnt=39080962) 0x8793b97e
FMC
Thank you
04-12-2024 07:14 AM
Check the default action in your FMC ACP.
04-12-2024 07:24 AM
04-12-2024 07:35 AM
"show access-list" (not "show running-config access-list") will expand the elements of your ACLs. We would expect expanded elements of an ACL entry to all have the same rule-id.
04-12-2024 07:27 AM
show run access-list <- from the FTD CLI, share this
MHM
04-12-2024 08:01 AM
show access-list.
While doing packet-tracer for any outside-to-inside traffic, it is always taking this rule (permit ip ifc outside any any).
04-12-2024 08:09 AM
Rule-id is 268441601.
Lines 17, 18, 19 and 20 are the same ACL.
The ACL is L7, so it matches the app.
So the traffic passes until the FTD detects the app, then this ACL will work (permit or deny).
If you do a packet capture, you will see the ACL with app unknown.
Do it again using the same IP and you will see the app known and the real action applied.
MHM
04-12-2024 08:15 AM
@MHM Cisco World, all ACP entries show up as L7 rules in the CLI. If you look at the original post, however, note that no Application was specified in the rule itself.
04-12-2024 08:13 AM
I'm not seeing the origin of the "permit ip ifc outside any any" entry in what you have shared. In any event, why would you want to block only one incoming IP address in the ACL and not everything?
04-12-2024 08:25 AM
Specifically, in Blocked Traffic we added one IP address and one Geo location in the source network.
04-12-2024 12:53 PM
Specifically, in Blocked Traffic we added one IP address and one Geo location in the source network.
So, what's the question then? This ACP rule was correctly expanded into 2 LINA ACEs, and in the packet-tracer you see how they're matched. The GEO part was programmed as an "allow" LINA ACE to let the traffic reach the "Snort" part of the system.
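A small script to do the mapping the original poster asked for (which FMC rule a LINA line belongs to). It is an added example for this thread, not code from the posters or from Cisco. It parses `show access-list` output, groups the expanded ACEs by rule-id, and flags the pattern discussed above: a rule that carries both a real deny ACE and a catch-all permit ACE under one rule-id, the permit being the hand-off to Snort for the condition LINA cannot evaluate (Geo here). The sample lines are reconstructed from the first post with a documentation address in place of the masked host.

```python
"""Map expanded FTD LINA ACEs from `show access-list` back to their FMC rule.

Added example for this thread, not code from the posters or from Cisco.
Sample input is constructed from the first post (host address replaced).
"""
import re
from collections import defaultdict

SAMPLE = """\
access-list CSM_FW_ACL_ line 17 remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ line 18 remark rule-id 268441601: L7 RULE: Blocked Traffic
access-list CSM_FW_ACL_ line 19 advanced deny ip ifc outside host 203.0.113.10 any rule-id 268441601 (hitcnt=0) 0x70ce5f02
access-list CSM_FW_ACL_ line 20 advanced permit ip ifc outside any any rule-id 268441601 (hitcnt=39080962) 0x8793b97e
"""

# FMC writes two remark lines per rule: the policy/section and the rule name.
REMARK_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) remark rule-id (?P<rid>\d+): "
    r"(?P<kind>ACCESS POLICY|L7 RULE|L4 RULE): (?P<text>.*)$"
)
# One expanded ACE; hitcnt is absent in `show running-config access-list`.
ACE_RE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) advanced "
    r"(?P<action>permit|deny|trust) (?P<proto>\S+) (?P<match>.*?) "
    r"rule-id (?P<rid>\d+)(?: \(hitcnt=(?P<hits>\d+)\))?"
)
# "ifc outside any any" or a bare "any any": the ACE matches every flow.
CATCH_ALL_RE = re.compile(r"^(?:ifc \S+ )?any any$")


def parse_access_list(text):
    """Return {rule_id: {"policy", "rule", "aces": [...]}} from show access-list."""
    rules = defaultdict(lambda: {"policy": None, "rule": None, "aces": []})
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            key = "policy" if m["kind"] == "ACCESS POLICY" else "rule"
            rules[m["rid"]][key] = m["text"]
            continue
        m = ACE_RE.match(line)
        if m:
            rules[m["rid"]]["aces"].append({
                "line": int(m["line"]),
                "action": m["action"],
                "proto": m["proto"],
                "match": m["match"],
                "hits": int(m["hits"]) if m["hits"] else 0,
            })
    return dict(rules)


def snort_handoff_aces(rules):
    """Catch-all permit ACEs sitting next to a deny ACE with the same rule-id.

    LINA only evaluates L3/L4 fields. A condition such as Geo, application,
    URL or user is therefore programmed as a permit that hands the packet to
    Snort, which applies the rule's real action. Returns
    (rule_id, rule_name, line, hits) for each such ACE.
    """
    found = []
    for rid, entry in rules.items():
        actions = {a["action"] for a in entry["aces"]}
        for ace in entry["aces"]:
            if ace["action"] == "permit" and "deny" in actions \
                    and CATCH_ALL_RE.match(ace["match"]):
                found.append((rid, entry["rule"], ace["line"], ace["hits"]))
    return found


def report(text):
    """Human-readable summary: one line per ACE plus the hand-off findings."""
    rules = parse_access_list(text)
    lines = []
    for rid, entry in rules.items():
        lines.append(f"rule-id {rid}: policy '{entry['policy']}', rule '{entry['rule']}'")
        for a in entry["aces"]:
            lines.append(f"  line {a['line']}: {a['action']} {a['proto']} {a['match']} (hits={a['hits']})")
    for rid, name, line, hits in snort_handoff_aces(rules):
        lines.append(f"line {line} is the Snort hand-off for '{name}' (rule-id {rid}); "
                     f"its {hits} hits are flows LINA passed to Snort, not flows allowed by that rule")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Paste the full `show access-list` output into `SAMPLE` (or read it from a file) to see every rule's expansion; the hit counter on the catch-all permit is the number of flows that went to Snort under that rule-id, which is why it is so much larger than the deny ACE's count. A blocking rule whose only condition is Geo (no plain IP) would show just the permit ACE, so the deny-plus-permit check here is the narrow case from this thread.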
04-12-2024 08:23 AM
Note: In Blocked Traffic we added one IP address and one Geo location in the source network.
FLOW FOR OUTSIDE TO INSIDE (BLOCKED IP)
#packet-tracer input outside tcp A.A.A.A 123 X.X.X.X $
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443
Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: DROP
Elapsed time: 256 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip ifc outside host A.A.A.A any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: drop
Time Taken: 21760 ns
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d0c3144578 flow (NA)/NA
OUTSIDE TO INSIDE- TRAFFIC FLOW
#packet-tracer input outside tcp X.X.X.X 123 Y.Y.Y.Y 443
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Elapsed time: 19456 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
NAT divert to egress interface inside(vrfid:0)
Untranslate Y.Y.Y.Y/443 to 10.0.0.10/443
Phase: 2
Type: OBJECT_GROUP_SEARCH
Subtype:
Result: ALLOW
Elapsed time: 0 ns
Config:
Additional Information:
Source Object Group Match Count: 1
Destination Object Group Match Count: 4
Object Group Search: 4
Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Elapsed time: 3712 ns
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc outside any any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 4
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
class-map class-default
match any
policy-map global_policy
class class-default
set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
Phase: 5
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:
Phase: 6
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 3712 ns
Config:
Additional Information:
Phase: 7
Type: FOVER
Subtype: standby-update
Result: ALLOW
Elapsed time: 32256 ns
Config:
Additional Information:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: ALLOW
Elapsed time: 1024 ns
Config:
Additional Information:
Phase: 9
Type: NAT
Subtype: rpf-check
Result: ALLOW
Elapsed time: 7168 ns
Config:
object network Server-001
nat (inside,outside) static External-Server-001
Additional Information:
Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Elapsed time: 34816 ns
Config:
Additional Information:
Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Elapsed time: 512 ns
Config:
Additional Information:
Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Elapsed time: 26624 ns
Config:
Additional Information:
New flow created with id 95662948, packet dispatched to next module
Phase: 13
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Elapsed time: 19968 ns
Config:
Additional Information:
Application: 'SNORT Inspect'
Phase: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Elapsed time: 13768 ns
Config:
Additional Information:
service: (0), client: (0), payload: (0), misc: (0)
Phase: 15
Type: SNORT
Subtype: firewall
Result: ALLOW
Elapsed time: 86380 ns
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268434438
Additional Information:
Starting rule matching, zone 3 -> 1, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268434438 - Allow
Phase: 16
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Elapsed time: 7168 ns
Config:
Additional Information:
Found next-hop 10.0.0.10 using egress ifc inside(vrfid:0)
Phase: 17
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Elapsed time: 3072 ns
Config:
Additional Information:
Found adjacency entry for Next-hop 10.0.0.10 on interface inside
Adjacency :Active
MAC address 0015.5d00.1a14 hits 28295 reference 4
Result:
input-interface: outside(vrfid:0)
input-status: up
input-line-status: up
output-interface: inside(vrfid:0)
output-status: up
output-line-status: up
Action: allow
Time Taken: 267060 ns
04-12-2024 09:18 AM
I think you mean the second packet-tracer is for the geo IP.
If that is correct, then check below what you see in the packet-tracer:
""This packet will be sent to snort for additional processing where a verdict will be reached""
It is L7; if there is no app, then it is the geo that needs to be inspected by Snort.
Do the packet-tracer again for the geo IP and check the block.
Note: this process is not seen in FMC events; what you will see there is the last deny/permit event.
MHM
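The check described in the reply above, pulling the hand-off line and the Snort verdict out of a trace, written as a script. This is an added example for this thread, not code from the posters or from Cisco; the two traces are shortened, constructed versions of the ones posted earlier, with documentation addresses and the NAT, FLOW-CREATION and route phases dropped. It reports which LINA ACE matched, whether the packet was sent to Snort, and which rule Snort matched. In the posted allow trace the LINA rule-id (268441601, Blocked Traffic) and the Snort "Matched rule ids" (268434438 - Allow) differ: LINA only handed the flow over, and Snort, whose trace line reports geo 0 -> 0 (no country attributed to either address, so the Geo condition could not match), settled on a different rule. That final match is what the FMC connection event shows.

```python
"""Summarise an FTD packet-tracer run: the LINA ACE that matched, whether the
packet was handed to Snort, and which rule Snort finally matched.

Added example for this thread, not code from the posters or from Cisco. The two
traces are shortened, constructed versions of the ones posted above.
"""
import re

TRACE_BLOCKED_IP = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip ifc outside host 203.0.113.10 any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x0 flow (NA)/NA
"""

TRACE_OTHER_IP = """\
Phase: 1
Type: ACCESS-LIST
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip ifc outside any any rule-id 268441601
access-list CSM_FW_ACL_ remark rule-id 268441601: L7 RULE: Blocked Traffic
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Phase: 2
Type: SNORT
Subtype: firewall
Result: ALLOW
Config:
Network 0, Inspection 0, Detection 2, Rule ID 268434438
Additional Information:
Starting rule matching, zone 3 -> 1, geo 0 -> 0, vlan 0, no url or host, no xff
Matched rule ids 268434438 - Allow
Result:
Action: allow
"""

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Elapsed time): ?(.*)$")
ACE_RE = re.compile(r"^access-list \S+ advanced (permit|deny|trust) .* rule-id (\d+)")
SNORT_RE = re.compile(r"Matched rule ids (\d+) - (\w+)")


def parse_packet_tracer(text):
    """Return (phases, final): phase dicts with config/info lists, plus the summary."""
    phases, final, cur, section = [], {}, None, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = PHASE_RE.match(line)
        if m:
            cur = {"phase": int(m[1]), "config": [], "info": []}
            phases.append(cur)
            section = None
        elif line == "Result:":                 # bare "Result:" opens the summary block
            cur, section = None, "final"
        elif section == "final":
            key, _, val = line.partition(": ")
            final[key] = val
        elif cur is None:
            pass                                # text before the first phase
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section is None and FIELD_RE.match(line):
            m = FIELD_RE.match(line)
            cur[m[1].lower().replace(" ", "_")] = m[2]
        elif section:
            cur[section].append(line)
    return phases, final


def verdict(text):
    """LINA ACE, Snort hand-off and Snort rule match for one trace."""
    phases, final = parse_packet_tracer(text)
    v = {"lina_action": None, "lina_rule_id": None, "to_snort": False,
         "snort_rule_id": None, "snort_action": None,
         "final_action": final.get("Action"), "drop_reason": final.get("Drop-reason")}
    for p in phases:
        if p.get("type") == "ACCESS-LIST":
            for m in filter(None, map(ACE_RE.match, p["config"])):
                v["lina_action"], v["lina_rule_id"] = m[1], m[2]
            v["to_snort"] = any("sent to snort" in i for i in p["info"])
        elif p.get("type") == "SNORT" and p.get("subtype") == "firewall":
            for m in filter(None, map(SNORT_RE.search, p["info"])):
                v["snort_rule_id"], v["snort_action"] = m[1], m[2]
    # The flow was decided by Snort's match when LINA only handed it off.
    v["decided_by"] = "snort" if v["to_snort"] and v["snort_rule_id"] else "lina"
    return v


if __name__ == "__main__":
    for name, trace in (("blocked IP", TRACE_BLOCKED_IP), ("other IP", TRACE_OTHER_IP)):
        print(name, verdict(trace))
```

Run it on the full trace text from the FTD CLI; `decided_by` tells you whether the `Action:` at the bottom came from a LINA ACE or from Snort's rule match, and `snort_rule_id` is the rule to look for in the FMC policy when the two ids differ.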
04-12-2024 08:51 AM
04-12-2024 12:18 PM
Sorry, you hid the IP and it is not clear which IP this packet-tracer is for.
MHM