Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
737
Views
1
Helpful
22
Replies

permit ip ifc outside any any

velusamycs
Level 1
Level 1

‎04-12-2024 07:04 AM

We have FMC and FTD , In FMC we configured Blocked traffic ACCESS POLICY , but while checking in FTD(CLI) one more ACL( Ifc Outside any any allow) showing with same rule-id 26844160.   any ideas how to find this ACL in FMC



ACL in FTD 
========
access-list CSM_FW_ACL_ line 17 remark rule-id 268441601: ACCESS POLICY: FTD-Mig-ACP-1584501209 - Default
access-list CSM_FW_ACL_ line 18 remark rule-id 268441601: L7 RULE: Blocked Traffic
access-list CSM_FW_ACL_ line 19 advanced deny ip ifc outside host x.x.x.x any rule-id 268441601 (hitcnt=0) 0x70ce5f02
access-list CSM_FW_ACL_ line 20 advanced permit ip ifc outside any any rule-id 268441601 (hitcnt=39080962) 0x8793b97e

FMC 

velusamycs_0-1712930570610.png

 




Thank you 

0 Helpful
22 Replies 22

Marius Gunnerud
VIP
VIP
In response to velusamycs

‎04-13-2024 03:31 PM

The access rule will show up as permit any any if you are using any services that is inspected by SNORT to drop the traffic.  That would include Geo location, URL filtering, Application, etc.  As the action is being taken in the SNORT process the LINA ACL needs to permit the traffic so it can reach SNORT which is why you are seeing a permit any any rule.

--
Please remember to select a correct answer and rate helpful posts

titusroz03
Level 1
Level 1
In response to Marius Gunnerud

‎06-18-2024 12:09 AM

Does the SNORT engine handles(Allow/deny) the packet as per the LINA ACL..?

0 Helpful

MHM Cisco World
VIP
VIP
In response to velusamycs

‎04-15-2024 10:43 AM

You can try 

System support trace

Which from my opinion must accurte than packet tracer to show traffic path through snort

MHM

0 Helpful

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎04-16-2024 04:33 AM

Share output of

System support trace 

MHM

0 Helpful

Marius Gunnerud
VIP
VIP
In response to velusamycs

‎04-15-2024 10:45 AM

Yes you are correct.  Any traffic that will be sent to snort for inspection and action will have an any any permit rule.  This is to allow the traffic through LINA so it can reach SNORT where further action will be taken.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to velusamycs

‎04-16-2024 05:30 AM

Exactly correct @velusamycs - thanks for those links.

0 Helpful

Aref Alsouqi
VIP
VIP

‎04-16-2024 04:29 AM - edited ‎04-16-2024 04:30 AM

I agree with @Marius Gunnerud, the packet would need to leave Lina engine going to Snort engine, Snort then returns a verdict of that packet marking it to be allowed or dropped, it doesn't allow it or block it itself. However, as mentioned by @Marius Gunnerud if you don't have any next gen security inspection features enabled on the ACP, you wouldn't see that allow rule you shared because in that case Snort engine wouldn't be involved.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card