Output no prefilter

Packet Details:
09:22:08.305 - 1.1.1.1:1 > 217.146.101.212:8443 TCP
GC2_Outside(vrfid:2)

CAPTURE
Type:
CAPTURE
Result:
ALLOW
Config:
Elapsed Time:
25889 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb801f4b0, priority=13, domain=capture, deny=false
hits=140103, user_data=0xffd9c900e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=GC2_Outside, output_ifc=any

ACCESS-LIST
Type:
ACCESS-LIST
Result:
ALLOW
Config:
Implicit Rule
Elapsed Time:
25889 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb452d080, priority=1, domain=permit, deny=false
hits=5797287, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GC2_Outside, output_ifc=any

UN-NAT
| static
Type:
UN-NAT
Subtype:
static
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
19915 ns

Additional Information
NAT divert to egress interface DMZ_POD2_EXT(vrfid:2)
Untranslate 217.146.101.212/8443 to 172.16.230.19/8443

OBJECT_GROUP_SEARCH
Type:
OBJECT_GROUP_SEARCH
Result:
ALLOW
Config:
Elapsed Time:
0 ns

Additional Information
Source Object Group Match Count: 1
Destination Object Group Match Count: 2
Object Group Search: 2

ACCESS-LIST
| log
Type:
ACCESS-LIST
Subtype:
log
Result:
ALLOW
Config:
access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip ifc GC2_Outside any ifc DMZ_POD2_EXT any rule-id 268443040 access-list CSM_FW_ACL_ remark rule-id 268443040: ACCESS POLICY:ACP_PCH_INTERNET Default access-list CSM_FW_ACL_ remark rule-id 268443040: L7 RULE:outside_access_horizion_block
Elapsed Time:
796 ns

Additional Information
This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule:
in id=0xffb40ab910, priority=12, domain=permit, deny=false
hits=2, user_data=0x5586a1da00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=GC2_Outside(vrfid:2)
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=DMZ_POD2_EXT(vrfid:2),, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

CONN-SETTINGS
Type:
CONN-SETTINGS
Result:
ALLOW
Config:
class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffe29e22d0, priority=7, domain=conn-set, deny=false
hits=17335, user_data=0xffe29dec20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
Type:
NAT
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
796 ns

Additional Information
Static translate 1.1.1.1/1 to 1.1.1.1/1
Forward Flow based lookup yields rule:
in id=0xffb9add2f0, priority=6, domain=nat, deny=false
hits=1368, user_data=0xffb93fe170, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=217.146.101.212, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93756, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb4532010, priority=0, domain=inspect-ip-options, deny=true
hits=58065, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

FOVER
| standby-update
Type:
FOVER
Subtype:
standby-update
Result:
ALLOW
Config:
Elapsed Time:
34709 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffdc592590, priority=20, domain=lu, deny=false
hits=14309, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
| rpf-check
Type:
NAT
Subtype:
rpf-check
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
10242 ns

Additional Information
Forward Flow based lookup yields rule:
out id=0xffb9add720, priority=6, domain=nat-reverse, deny=false
hits=1278, user_data=0xffb8277c50, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
71125 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
1707 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0xffd84dcdf0, priority=0, domain=inspect-ip-options, deny=true
hits=14497, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=DMZ_POD2_EXT(vrfid:2), output_ifc=any

FLOW-CREATION
Type:
FLOW-CREATION
Result:
ALLOW
Config:
Elapsed Time:
63159 ns

Additional Information
New flow created with id 68454, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_snort
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_snort
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

EXTERNAL-INSPECT
Type:
EXTERNAL-INSPECT
Result:
ALLOW
Config:
Elapsed Time:
23329 ns

Additional Information
Application: 'SNORT Inspect'

SNORT
| appid
Type:
SNORT
Subtype:
appid
Result:
ALLOW
Config:
Elapsed Time:
15760 ns

Additional Information
service: (0), client: (0), payload: (0), misc: (0)

SNORT
| firewall
Type:
SNORT
Subtype:
firewall
Result:
DROP
Config:
Network 0, Inspection 0, Detection 4, Rule ID 268443040
Elapsed Time:
291876 ns

Additional Information
Starting rule matching, zone 41 -> 14, geo 840 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268443040 - Block

Result: drop
Input Interface:
GC2_Outside(vrfid:2)
Input Status:
up
Input Line Status:
up
Output Interface:
DMZ_POD2_EXT(vrfid:2)
Output Status:
up
Output Line Status:
up
Action:
drop
Time Taken:
587580 ns
Drop Reason:
(firewall) Blocked or blacklisted by the firewall preprocessor
Drop Detail:
Drop-location: frame 0x000000aaaec0a208 flow (NA)/NA
DMZ_POD2_EXT(vrfid:2)

Output with prefilter

Packet Details:
12:43:15.40 - 1.1.1.1:1 > 217.146.101.212:8443 TCP
GC2_Outside(vrfid:2)

CAPTURE
Type:
CAPTURE
Result:
ALLOW
Config:
Elapsed Time:
27596 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb801f4b0, priority=13, domain=capture, deny=false
hits=140105, user_data=0xffd9c900e0, cs_id=0x0, l3_type=0x0
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0000.0000.0000
input_ifc=GC2_Outside, output_ifc=any

ACCESS-LIST
Type:
ACCESS-LIST
Result:
ALLOW
Config:
Implicit Rule
Elapsed Time:
27596 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb452d080, priority=1, domain=permit, deny=false
hits=5797288, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=GC2_Outside, output_ifc=any

UN-NAT
| static
Type:
UN-NAT
Subtype:
static
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
21622 ns

Additional Information
NAT divert to egress interface DMZ_POD2_EXT(vrfid:2)
Untranslate 217.146.101.212/8443 to 172.16.230.19/8443

OBJECT_GROUP_SEARCH
Type:
OBJECT_GROUP_SEARCH
Result:
ALLOW
Config:
Elapsed Time:
0 ns

Additional Information
Source Object Group Match Count: 1
Destination Object Group Match Count: 2
Object Group Search: 2

ACCESS-LIST
| log
Type:
ACCESS-LIST
Subtype:
log
Result:
ALLOW
Config:
access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced trust ip ifc GC2_Outside any ifc DMZ_POD2_EXT object DMZUAG_VIP4 rule-id 268443041 event-log flow-end access-list CSM_FW_ACL_ remark rule-id 268443041: PREFILTER POLICY: PF_PCH_INTERNET access-list CSM_FW_ACL_ remark rule-id 268443041: RULE: VDI-ALLOW
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffd23867f0, priority=12, domain=permit, trust
hits=0, user_data=0x5588911880, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=GC2_Outside(vrfid:2)
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, ifc=DMZ_POD2_EXT(vrfid:2),, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

CONN-SETTINGS
Type:
CONN-SETTINGS
Result:
ALLOW
Config:
class-map class-default match any policy-map global_policy class class-default set connection advanced-options UM_STATIC_TCP_MAP service-policy global_policy global
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffe29e22d0, priority=7, domain=conn-set, deny=false
hits=17336, user_data=0xffe29dec20, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
Type:
NAT
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
796 ns

Additional Information
Static translate 1.1.1.1/1 to 1.1.1.1/1
Forward Flow based lookup yields rule:
in id=0xffb9add2f0, priority=6, domain=nat, deny=false
hits=1369, user_data=0xffb93fe170, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=217.146.101.212, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93758, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
796 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffb4532010, priority=0, domain=inspect-ip-options, deny=true
hits=58066, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

FOVER
| standby-update
Type:
FOVER
Subtype:
standby-update
Result:
ALLOW
Config:
Elapsed Time:
34709 ns

Additional Information
Forward Flow based lookup yields rule:
in id=0xffdc592590, priority=20, domain=lu, deny=false
hits=14310, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=any

NAT
| rpf-check
Type:
NAT
Subtype:
rpf-check
Result:
ALLOW
Config:
nat (DMZ_POD2_EXT,GC2_Outside) source static DMZUAG_VIP4 obj_217.146.101.212
Elapsed Time:
10811 ns

Additional Information
Forward Flow based lookup yields rule:
out id=0xffb9add720, priority=6, domain=nat-reverse, deny=false
hits=1279, user_data=0xffb8277c50, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=172.16.230.19, mask=255.255.255.255, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=GC2_Outside(vrfid:2), output_ifc=DMZ_POD2_EXT(vrfid:2)

NAT
| per-session
Type:
NAT
Subtype:
per-session
Result:
ALLOW
Config:
Elapsed Time:
60883 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0x55a461b2d0, priority=0, domain=nat-per-session, deny=false
hits=93760, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=any

IP-OPTIONS
Type:
IP-OPTIONS
Result:
ALLOW
Config:
Elapsed Time:
2276 ns

Additional Information
Reverse Flow based lookup yields rule:
in id=0xffd84dcdf0, priority=0, domain=inspect-ip-options, deny=true
hits=14498, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=DMZ_POD2_EXT(vrfid:2), output_ifc=any

FLOW-CREATION
Type:
FLOW-CREATION
Result:
ALLOW
Config:
Elapsed Time:
58038 ns

Additional Information
New flow created with id 68481, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat

INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
| Resolve Preferred Egress interface
Type:
INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype:
Resolve Preferred Egress interface
Result:
ALLOW
Config:
Elapsed Time:
26174 ns

Additional Information
Found next-hop 172.16.230.19 using egress ifc DMZ_POD2_EXT(vrfid:2)

Result: drop
Input Interface:
GC2_Outside(vrfid:2)
Input Status:
up
Input Line Status:
up
Output Interface:
DMZ_POD2_EXT(vrfid:2)
Output Status:
up
Output Line Status:
up
Action:
drop
Time Taken:
273685 ns
Drop Reason:
(no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop.
Drop Detail:
Drop-location: frame 0x000000aaad9e1cac flow (NA)/NA
DMZ_POD2_EXT(vrfid:2)

The FTD has not been migrated yet and interfaces are not up. Is this the reason why the error - (no-v4-adjacency) No valid V4 adjacency. Check ARP table (show arp) has entry for nexthop is showing in the packet capture