01-11-2021 01:56 PM - last edited on 01-13-2021 10:12 PM by Jimena Saez
This event is a chance to discuss Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD): the products, their management, installation, configuration, implementation, and use, and their integration with other devices in your network. Learn the best practices for making the most of the advanced firewall settings, as well as the best practices for troubleshooting common issues. This forum event also works well as an introduction for those who are not yet familiar with these security tools and have recently started using them.
Ask questions from Tuesday, January 12 to Friday, January 22, 2021
01-27-2021 09:30 PM
Hello Namit,
I really appreciate your reply. Got it. I have enabled the option you mentioned, and then I was able to add my local user to an Access Control Policy.
Please correct me if I am wrong. In order for the Access Control Policy for local users to take effect, I disabled "Bypass Access Control policy for decrypted traffic (sysopt permit-vpn)" in the Remote Access VPN configuration, and it worked.
But when I disabled this option, it removed "sysopt permit-vpn" from the global config, so it also impacted the site-to-site VPNs that I have on the same device. Is this expected behavior?
I would really appreciate your help again.
02-02-2021 12:53 PM
Hi. You are right, that is a global setting which applies to all types of VPN connections (Site to Site and Remote Access VPN). It is the same behaviour as on ASA, where enabling/disabling that command had an impact on both Remote Access and Site to Site VPN connections. I understand that this can be confusing, as it is available as a setting in the Remote Access VPN Wizard. I have made a note of this and will work internally to get some improved messaging around it.
Thanks,
Namit
01-22-2021 01:18 PM
In FTD the 'show capture cap_inside packet-number 4 trace' for packet #4 contains the following output:
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 1254, using existing flow
Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow
Result:
input-interface: inside(vrfid:0)
input-status: up
input-line-status: up
Action: allow
What does the 'fast-forward' verdict mean, and how is this packet handled in FTD?
Note: This question is a translation of a post originally created in Russian by alsokolov. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
01-22-2021 03:09 PM
The 'fast-forward' verdict means that the packet(s) are NOT sent to the Snort engine and are inspected by the LINA engine only.
Reference:
01-22-2021 02:07 PM
If a connection is allowed by the security policy, which operations and/or features affect the determination of the egress interface for a connection in routed interface mode? If possible, sort them in the order of preference.
Jackson
01-22-2021 03:06 PM
The ASA/FTD identifies the egress interface of a connection in routed interface mode based on the following operations and/or features, in this order of preference:
1. Existing connection lookup
2. NAT lookup (destination NAT or UN-NAT)
3. Policy-based routing (PBR)
4. Global routing table lookup
01-22-2021 03:20 PM
Hi,
I have a question: in FTD the 'show capture cap_inside packet-number 1 trace' for packet #1 contains the following partial output:
Phase: 1
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531 event-log flow-end
...
Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
What verdict will the Snort engine give for this packet?
Note: This question is a translation of a post originally created in Spanish by Fernando Mondragón. It has been translated by Cisco Community to share the inquiry and its solution in different languages.
01-22-2021 03:28 PM
None, since the access control rule has the 'trust' keyword that indicates a prefiltered policy configuration. This packet will NOT be sent to the Snort engine.
Reference:
https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212321-clarify-the-firepower-threat-defense-acc.html#anc23
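Both trace questions in this thread (the 'fast-forward' verdict and the 'trust' access-list rule) come down to one decision: does the packet ever reach the Snort engine. As an added example that is not part of this thread or of Cisco's tooling, the Python helper below parses 'show capture ... trace' phase output and reports that decision; the two trace samples are constructed from the fragments quoted above.

```python
from dataclasses import dataclass, field

@dataclass
class Phase:
    number: int
    type: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

def parse_trace(text):
    """Split 'show capture ... trace' output into Phase records; stop at the summary."""
    phases, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Phase:"):
            phases.append(Phase(int(line.split(":", 1)[1])))
            section = None
        elif not phases:
            continue                      # preamble before the first phase
        elif line.startswith("Type:"):
            phases[-1].type = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            if not line.split(":", 1)[1].strip():
                break                     # bare "Result:" opens the final summary block
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            getattr(phases[-1], section).append(line)
    return phases

def snort_disposition(phases):
    """Return (reaches_snort, reason): False when LINA alone handles the packet."""
    for p in phases:
        if p.type == "ACCESS-LIST" and any(" trust " in c for c in p.config):
            return False, "trust (prefilter) rule: packet is never sent to Snort"
        if p.type == "SNORT" and any("fast-forward" in i for i in p.info):
            return False, "fast-forward verdict: flow is handled by LINA only"
    if any(p.type == "SNORT" for p in phases):
        return True, "packet was inspected by Snort"
    return None, "no Snort phase in trace"

# Constructed samples, trimmed from the two traces quoted in this thread.
TRACE_FAST_FORWARD = "\n".join(["Phase: 4", "Type: SNORT", "Subtype:", "Result: ALLOW", "Config:",
    "Additional Information:", "Snort Verdict: (fast-forward) fast forward this flow", "Result:", "Action: allow"])
TRACE_TRUST = "\n".join(["Phase: 2", "Type: ACCESS-LIST", "Subtype: log", "Result: ALLOW", "Config:",
    "access-group CSM_FW_ACL_ global",
    "access-list CSM_FW_ACL_ advanced trust ip object 192.0.2.0 object 198.51.100.0 rule-id 268438531",
    "...", "Result:", "Action: allow"])
```

Feeding the full trace of a packet that was passed to Snort (a SNORT phase without a fast-forward verdict) returns True, so the same helper distinguishes all three cases when run over a batch of traces.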
01-22-2021 08:27 PM
Hi Cisco Team
I have a situation that needs your assistance.
When creating a user for RAVPN on ASA and locking it to a certain connection profile, you need to enter commands like these:
username BATMAN password R0b!N
username BATMAN attributes
group-lock value BATCAVE
However, on FDM we have not been able to find a place where we can manipulate the user attributes in the same fashion, or a way to limit the aliases that appear on a per-user basis.
Do you have any ideas or solutions to accomplish this?
Thanks
02-04-2021 10:39 AM
Hi,
As you discovered, currently this is not supported with FDM. There are certain settings that are available through the FlexConfig CLI. Again, these requirements are sort of based on local authentication. Are you using local authentication for your VPN deployment?
PS: Excellent choice of username and password.
Thanks,
Namit
01-25-2021 07:28 AM
Hi,
In FTD the connection table has the following established connection entry:
firepower# show conn
TCP inside 192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1
If packet captures for this specific connection are configured in the Lina and Snort engines and the connection is not idle, which of these captures will have non-zero bytes?
Thank you
Noemi
01-25-2021 10:44 AM
Hi Noemi,
The answer is none, because the connection was offloaded to the hardware, which means the packets will not be reaching the Lina/Snort engines.
The offload status is indicated by the "o" flag in the output above.
Ilkin
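Before setting up Lina or Snort captures, it helps to know which flows are already offloaded and will therefore yield empty captures. As an added example (not from this thread or from Cisco), the Python helper below parses 'show conn' lines and reports the flows carrying the lower-case 'o' offload flag; the sample lines are constructed, modelled on the entry quoted above, and no flag letter other than 'o' is interpreted.

```python
import re

# Constructed sample, modelled on the 'show conn' entry quoted in this thread.
SHOW_CONN = """\
TCP inside 192.0.2.1:50088 outside 198.51.100.1:443, idle 0:00:00, bytes 5274, flags UIOoN1
TCP inside 192.0.2.7:41022 outside 198.51.100.9:443, idle 0:00:02, bytes 91833, flags UION1
UDP inside 192.0.2.3:5353 outside 198.51.100.5:53, idle 0:00:10, bytes 312, flags -
"""

CONN_RE = re.compile(
    r"^(?P<proto>\w+) (?P<in_if>\S+) (?P<src>\S+) (?P<out_if>\S+) (?P<dst>\S+), "
    r"idle (?P<idle>\S+), bytes (?P<bytes>\d+), flags (?P<flags>.*)$")

def parse_show_conn(text):
    """Return one dict per connection line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conn = m.groupdict()
            conn["bytes"] = int(conn["bytes"])
            conn["flags"] = conn["flags"].replace(" ", "")   # flags may be space-separated
            conns.append(conn)
    return conns

def is_offloaded(conn):
    """Case-sensitive: lower-case 'o' is the offload flag, upper-case 'O' is a different flag."""
    return "o" in conn["flags"]

def offloaded_flows(text):
    """Flows whose Lina/Snort captures will stay at zero bytes while they are offloaded."""
    return [f"{c['proto']} {c['src']} -> {c['dst']}"
            for c in parse_show_conn(text) if is_offloaded(c)]
```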