Ever since we moved to the new NGFWs, the way our ACPs are set up and ordered, outside scans show ports open because of the way FTD processes rules. Due to it processing a layer 7 rule, it passes the traffic to SNORT for evaluation and therefore it lets some packets through before it actually blocks the connection. I understand that, and that is documented. However, the unfortunate result of that is that scans or tests will show ports as potentially open, even when they're not.
We've tested this with ports that show as open on the scan. We can't ever make a successful connection, but the scan thinks it's open because a few packets are let through at first instead of it being blocked since it takes time for the firewall to evaluate the traffic.
We've called TAC and they told us that our rules are ordered correctly and that it is just the way it works. I understand that, but is there any way to avoid having those ports show as "open" when they're actually not, other than somehow avoiding layer 7 rules, which isn't an option at this point? We're getting a penetration test done in a little bit, and I'm concerned that the report is going to come back showing all of these vulnerabilities since the ports appear open when they're actually not. Has anyone run into something like this, or is it possible we have a misconfiguration somewhere? Hope that all makes sense.
I guess to sum it up, should a scan/test show ports as potentially open in the situation where a layer 7 rule has to be analyzed by the SNORT engine, which causes the firewall to pass a few packets through before everything is blocked?
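One way to back up the "it's not really open" argument for the pentest report is to re-check each flagged port past the handshake: complete the TCP connect, then see whether any data is ever exchanged. This is an added example, not code from the post or from Cisco; the host, port, timeout and probe bytes are assumptions, and the behaviour described above should land in `open-no-service` (firewall resets the flow) or `open-silent` (firewall drops it) rather than `open-responding`.

```python
import socket
import threading

# Added example, not from the post or Cisco. Tells a scanner's "open" apart from
# a port that only completes the TCP handshake before the firewall cuts it off.
def classify_port(host, port, timeout=2.0, probe=b"\r\n"):
    """Return closed | filtered | open-responding | open-silent | open-no-service.
    open-no-service: handshake completes, then EOF/RST with no data exchanged."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"            # RST answered the SYN: nothing is listening
    except OSError:
        return "filtered"          # SYN dropped silently (or host unreachable)
    try:
        for attempt in range(2):
            try:
                data = s.recv(1024)
            except socket.timeout:
                if attempt == 0:   # maybe a client-speaks-first protocol
                    s.sendall(probe)
                    continue
                return "open-silent"   # handshake held, flow then dropped
            return "open-responding" if data else "open-no-service"
    except (ConnectionResetError, BrokenPipeError):
        return "open-no-service"   # handshake held, flow then reset
    finally:
        s.close()

def _serve_once(handler):
    """Constructed localhost target for the self-test; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        handler(conn)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def self_test():
    """Two constructed cases: a real service, and a handshake torn down with no data."""
    banner = _serve_once(lambda c: c.sendall(b"220 hello\r\n"))
    teardown = _serve_once(lambda c: None)
    return {"banner": classify_port("127.0.0.1", banner),
            "teardown": classify_port("127.0.0.1", teardown)}
```

Running `classify_port` against each port the scanner flagged gives a per-port verdict you can attach to the report alongside the scanner's raw "open" finding.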