This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD): products, management, installation, configuration, implementation, use, and integration with other devices in your network. Learn best practices for making the most of the advanced firewall settings, and for troubleshooting common issues. This forum event also works as an introduction for those who are not yet familiar with these security tools and have recently started using them.
Ask questions from Tuesday, January 12 to Friday, January 22, 2021
I really appreciate your reply. Got it. I have enabled the option you mentioned, and then I was able to add my local user in an Access Control Policy.
Please correct me if I am wrong. In order for the Access Control Policy for local users to take effect, I disabled the "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" option in the Remote Access VPN configuration, and it worked.
But when I disabled this option, it removed "sysopt permit-vpn" from the global config, so it impacted the site-to-site VPNs that I also have on the device. Is this expected behavior?
I would really appreciate your help again.
Hi. You are right that it is a global setting which applies to all types of VPN connections (Site to Site and Remote Access VPN). It is the same behaviour as on ASA, where enabling/disabling that command had an impact on both Remote Access and Site to Site VPN connections. I understand that this can be confusing, as it is available as a setting in the Remote Access VPN wizard. I have made a note of this and will work internally to get some improved messaging around it.
In FTD the 'show capture cap_inside packet-number 4 trace' for packet #4 contains the following output:
MAC Access list
MAC Access list
Found flow with id 1254, using existing flow
Snort Verdict: (fast-forward) fast forward this flow
What does the 'fast-forward' verdict mean, and how is this packet handled in FTD?
Note: This question is a translation of a post originally created in Russian by alsokolov. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
The 'fast-forward' verdict means that the packet(s) are NOT sent to the Snort engine and are inspected by the LINA engine only.
If a connection is allowed by the security policy, which operations and/or features affect the determination of the egress interface for a connection in routed interface mode? If possible, sort them in the order of preference.
The ASA/FTD identifies the egress interface of a connection in routed interface mode based on the following operations and/or features, listed in order of preference:
1. Existing connection lookup
2. NAT lookup (destination NAT or UN-NAT)
3. Policy-based routing (PBR)
4. Global routing table lookup
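The precedence described in the answer above, modelled as a small simulator so the effect of the ordering is visible on sample flows. This is an added example, not Cisco code or real ASA/FTD logic: the interface names, the connection, NAT, PBR and route tables, and the flows are all constructed for illustration, and the NAT step simply assumes the NAT rule names the egress interface for the un-NATed destination.

```python
"""Egress-interface selection order for routed-mode ASA/FTD (existing
connection -> NAT -> PBR -> routing table), as a toy simulator.
Added example; all tables and flows below are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    ingress: str


@dataclass
class Device:
    # (src, dst, dport) -> egress interface recorded when the conn was built
    conn_table: Dict[Tuple[str, str, int], str] = field(default_factory=dict)
    # mapped destination -> (real destination, egress interface of the NAT rule)
    nat_table: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # (ingress interface, source prefix, egress interface)
    pbr_rules: List[Tuple[str, str, str]] = field(default_factory=list)
    # (destination prefix, egress interface)
    routes: List[Tuple[str, str]] = field(default_factory=list)


def resolve(dev: Device, f: Flow) -> Tuple[str, str]:
    """Return (egress interface, which lookup decided it)."""
    # 1. Existing connection: an established flow keeps its egress interface,
    #    regardless of what NAT, PBR or routing would say for a new flow.
    key = (f.src, f.dst, f.dport)
    if key in dev.conn_table:
        return dev.conn_table[key], "existing connection"
    # 2. NAT lookup: destination NAT / UN-NAT decides before PBR or routing.
    if f.dst in dev.nat_table:
        real_dst, egress = dev.nat_table[f.dst]
        return egress, f"NAT (UN-NAT {f.dst} -> {real_dst})"
    # 3. PBR applied on the ingress interface.
    for ingress, src_net, egress in dev.pbr_rules:
        if ingress == f.ingress and ip_address(f.src) in ip_network(src_net):
            return egress, "PBR"
    # 4. Global routing table: longest prefix match on the destination.
    best = None
    for prefix, egress in dev.routes:
        net = ip_network(prefix)
        if ip_address(f.dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    if best is None:
        raise LookupError(f"no route to {f.dst}")
    return best[1], f"route {best[0]}"


def build_demo_device() -> Device:
    """Constructed tables; every flow below is chosen so that a later lookup
    would pick a different interface than the one that actually wins."""
    return Device(
        conn_table={("192.0.2.10", "198.51.100.5", 443): "outside"},
        nat_table={"203.0.113.80": ("192.0.2.80", "dmz")},
        pbr_rules=[("inside", "192.0.2.0/24", "isp2")],
        routes=[("0.0.0.0/0", "outside"), ("198.51.100.0/24", "isp1")],
    )


DEMO_FLOWS = [
    Flow("192.0.2.10", "198.51.100.5", 443, "inside"),   # conn table wins over PBR
    Flow("192.0.2.20", "203.0.113.80", 443, "inside"),   # NAT wins over PBR
    Flow("192.0.2.30", "198.51.100.9", 80, "inside"),    # PBR wins over the /24 route
    Flow("10.0.0.5", "198.51.100.9", 80, "inside"),      # no PBR match: /24 route
    Flow("10.0.0.5", "203.0.113.200", 80, "inside"),     # default route
]

if __name__ == "__main__":
    dev = build_demo_device()
    for flow in DEMO_FLOWS:
        egress, why = resolve(dev, flow)
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  egress={egress:8s} via {why}")
```

Each demo flow is built so that a lower-priority lookup would have chosen a different interface, which is what makes the precedence observable when the script is run.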
I have a question: in FTD, the 'show capture cap_inside packet-number 1 trace' output for packet #1 contains the following partial output:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531 event-log flow-end
What verdict will the Snort engine give for this packet?
Note: This question is a translation of a post originally created in Spanish by Fernando Mondragón. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
None, since the access control rule has the 'trust' keyword, which indicates a prefiltered policy configuration. This packet will NOT be sent to the Snort engine.
Hi Cisco Team,
I have a situation that needs your assistance.
When creating a user for RAVPN on ASA and locking it to a certain connection profile, you enter commands like these:
username BATMAN password R0b!N
username BATMAN attributes
group-lock value BATCAVE
However, on FDM, we have not been able to find a place where we can manipulate the user attributes in the same way, or a way to limit the aliases that appear on a per-user basis.
Do you have any ideas or solutions to have this accomplished?
As you discovered, this is currently not supported in FDM. Certain settings are available through FlexConfig CLI. Again, these requirements are sort of based on local authentication. Are you using local authentication for your VPN deployment?
PS: Excellent choice of username and password
In FTD the connection table has the following established connection entry:
firepower# show conn
TCP inside 192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1
If packet captures for this specific connection are configured in the Lina and Snort engines and the connection is not idle, which of these captures will have non-zero bytes?
The answer is none, because the connection was offloaded to the hardware, which means the packets will not be reaching the Lina/Snort engines.
The offload status is indicated by the "o" flag in the output above.
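A small triage helper that ties together the three packet-path answers in this thread: an offloaded connection (the lowercase "o" flag in 'show conn') reaches neither the Lina nor the Snort capture, a 'trust' rule or a 'fast-forward' Snort verdict keeps the packet in Lina only, and anything else takes the full path. This is an added example, not Cisco code or tooling: the regular expression is written against the 'show conn' line quoted above, only the "o" flag, the 'trust' keyword and the 'fast-forward' verdict are interpreted (all other flags are passed through uninterpreted), and the second connection line and the grouping of trace lines are constructed for the demo.

```python
"""Infer which engine captures (Lina, Snort) would show non-zero bytes for a
connection, from a 'show conn' line and an optional packet-trace excerpt.
Added example; only the 'o' flag, 'trust' rules and the 'fast-forward'
verdict are interpreted. Sample lines are constructed from the thread."""
import re
from typing import Dict, Iterable

# Layout of the 'show conn' line quoted in the thread; the two
# interface/host pairs are kept as A/B without asserting a direction.
CONN_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<if_a>\S+)\s+(?P<host_a>[\d.]+:\d+)\s+"
    r"(?P<if_b>\S+)\s+(?P<host_b>[\d.]+:\d+),\s*idle\s+(?P<idle>[\d:]+),\s*"
    r"bytes\s+(?P<bytes>\d+),\s*flags\s+(?P<flags>\S+)\s*$"
)


def parse_conn(line: str) -> Dict[str, object]:
    """Parse one 'show conn' entry; raises ValueError on an unexpected layout."""
    m = CONN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised show conn line: {line!r}")
    conn: Dict[str, object] = m.groupdict()
    conn["bytes"] = int(str(conn["bytes"]))
    # Flags are case-sensitive: lowercase 'o' marks a flow offloaded to hardware,
    # uppercase 'O' is a different flag and must not be confused with it.
    conn["offloaded"] = "o" in str(conn["flags"])
    return conn


def snort_bypassed(trace_lines: Iterable[str]) -> bool:
    """True if the trace shows the flow is not handed to Snort: a matching
    access-list rule with the 'trust' action, or an explicit fast-forward verdict."""
    for raw in trace_lines:
        line = raw.strip()
        if line.startswith("access-list") and " trust " in line:
            return True
        if line.startswith("Snort Verdict:") and "fast-forward" in line:
            return True
    return False


def capture_visibility(conn_line: str, trace_lines: Iterable[str] = ()) -> Dict[str, object]:
    """Which captures would see bytes for this connection while it passes traffic."""
    conn = parse_conn(conn_line)
    if conn["offloaded"]:
        return {"lina": False, "snort": False, "reason": "flow offloaded to hardware"}
    if snort_bypassed(trace_lines):
        return {"lina": True, "snort": False, "reason": "Snort bypassed (trust/fast-forward)"}
    return {"lina": True, "snort": True, "reason": "full Lina + Snort path"}


# Constructed samples: the first line is the thread's own entry, the second is
# an invented non-offloaded connection; the trace excerpts reuse the thread's lines.
OFFLOADED = "TCP inside 192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1"
INSPECTED = "TCP inside 192.0.2.2:50090 outside 198.51.100.2:443, idle 0:00:01, bytes 1200, flags UIO"
TRUST_TRACE = [
    "access-group CSM_FW_ACL_ global",
    "access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531 event-log flow-end",
]
FAST_FORWARD_TRACE = [
    "Found flow with id 1254, using existing flow",
    "Snort Verdict: (fast-forward) fast forward this flow",
]

if __name__ == "__main__":
    cases = [
        ("offloaded", OFFLOADED, []),
        ("trust rule", INSPECTED, TRUST_TRACE),
        ("fast-forward", INSPECTED, FAST_FORWARD_TRACE),
        ("inspected", INSPECTED, []),
    ]
    for label, conn_line, trace in cases:
        print(f"{label:13s} {capture_visibility(conn_line, trace)}")
```

When running this against real output, feed it the exact 'show conn' lines for the connection of interest and the trace lines for one packet of that flow; a ValueError on parsing means the line layout differs from the one quoted in this thread and the regular expression needs adjusting rather than the result being trusted.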