Site-to-Site VPN is blocking SMB traffic

nnraymond
Level 1

I have our Firepower 4110 successfully connected via a site-to-site VPN to our Meraki MX95 appliance in another location, and things are mostly working; however, some of the SMB traffic is showing as action "Block", reason "File Block", ingress security zone "inside-internet", egress security zone "outside-internet". This is negatively impacting our ability to use PDQ Inventory and PDQ Deploy to manage our PC workstations across the VPN. Our VPN is running over an interface which is in the "outside-internet" group on the Firepower, but I obviously don't want the traffic inside that VPN connection to be scanned and blocked this way by the Firepower. What steps do I need to take to exempt that VPN traffic from inspection and blocking?

6 Replies

@nnraymond modify your file policy to ensure traffic from your LAN networks to the remote VPN networks is not inspected. https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/file_policies_and_advanced_malware_protection.html#id_104661
I believe I have that already set up (I followed the documentation on how to set up a site-to-site VPN, and configuring an Access Control Policy that would allow VPN traffic was part of that). Specifically, under "...-Internet-Outside" the top rule is:

Name: Allow Site-to-Site VPN
Source Zones: Any
Dest Zones: Any
Source Networks: group-inside-networks-vpn, group-[remote]-networks-vpn
Dest Networks: group-inside-networks-vpn, group-[remote]-networks-vpn
VLAN Tags: Any
Users: Any
Applications: Any
Source Ports: Any
Dest Ports: Any
URLs: Any
Source SGT: Any
Dest SGT: Any
Action: Allow

Since group-[remote]-networks-vpn contains the IP address ranges that cover the traffic in that VPN tunnel, shouldn't this Access Control Policy be exempting that traffic?

Hmm, I believe I chose "Allow" because that's what the guide said, but now that I think about it, should that instead be "Trust", since "Allow" will mean that intrusion protection and file policies will be applied, and that is likely what is causing the SMB traffic to be affected, correct? (And if so, what was the reasoning behind having it set to "Allow" instead of "Trust"?)

@nnraymond I am referring to the File Policy not the Access Control policy. The File Policy is associated to the Access Control Policy.

FYI, changing "Allow" to "Trust" on the "Allow Site-to-Site VPN" rule made no difference on the blocks that the Firepower is doing to that traffic.

We have one file policy, and it is used by our one access control policy. I don't see any place in that file policy where I can create an exception for traffic over that site-to-site connection. There are two rules there:

Application Protocol: Any
Direction of Transfer: Any
Action: Block Malware
Enabled: Spero Analysis for MSEXE, Local Malware Analysis, Reset Connection
Store Files: Malware, Unknown
Categories: Local Malware Analysis, System Files, Graphics, Encoded, PDF files, Executables, Multimedia, Archive, Office Documents

Application Protocol: Any
Direction of Transfer: Any
Action: Block Malware
Enabled: Spero Analysis for MSEXE, Dynamic Analysis, Capacity Handling, Local Malware Analysis, Reset Connection
Store Files: Malware, Unknown
Categories: Dynamic Analysis Capable

Why didn't my alteration of the security policy rule from allow to trust bypass these Malware & File Policies? Is there something I'm supposed to do to the malware and file policies themselves to create an exception for the VPN, and if so, where? The page you linked me to doesn't seem to shed any light on that.

@nnraymond thinking about it, create a new access control rule above the existing rule in the Access Control Policy, which permits the VPN traffic. Do NOT reference the file policy in this new rule, therefore VPN traffic will match the new rule without applying the file policy.
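The advice in the last reply rests on two properties of a Firepower access control policy: rules are evaluated top-down and the first match wins, and a file policy is attached per rule (only to Allow rules), not to the policy as a whole. The following Python model, written for this thread and not taken from Cisco or the poster, replays that logic against constructed flows. The network-group names and zone names are the ones from the thread; the CIDRs inside the groups, the file policy name, the "Allow Internet" rule, and the assumption that the poster's existing VPN rule has the file policy attached are all made up for the illustration.

```python
"""Model of first-match rule selection in a Firepower access control policy,
showing why a per-rule file policy is what blocks the VPN SMB traffic and why
an earlier rule with no file policy exempts it. Added example for this thread,
not Cisco code; the CIDRs inside the network groups are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed contents for the two network-group objects named in the thread.
NETWORK_GROUPS = {
    "group-inside-networks-vpn": ["10.10.0.0/16"],
    "group-[remote]-networks-vpn": ["192.168.50.0/24"],
}
VPN_GROUPS = list(NETWORK_GROUPS)
FILE_POLICY = "Malware & File Policy"  # assumed name of the single file policy


@dataclass
class Rule:
    name: str
    action: str                                   # "ALLOW" or "TRUST"
    src_zones: set = field(default_factory=set)   # empty == Any
    dst_zones: set = field(default_factory=set)
    src_nets: list = field(default_factory=list)  # group names, empty == Any
    dst_nets: list = field(default_factory=list)
    dst_ports: set = field(default_factory=set)   # TCP ports, empty == Any
    file_policy: Optional[str] = None             # only meaningful on ALLOW


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    src_zone: str
    dst_zone: str
    dst_port: int


def _in_groups(ip: str, groups: list) -> bool:
    """True if ip falls inside any CIDR of the listed groups (empty == Any)."""
    if not groups:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(cidr)
               for g in groups for cidr in NETWORK_GROUPS[g])


def matches(rule: Rule, flow: Flow) -> bool:
    return ((not rule.src_zones or flow.src_zone in rule.src_zones)
            and (not rule.dst_zones or flow.dst_zone in rule.dst_zones)
            and _in_groups(flow.src_ip, rule.src_nets)
            and _in_groups(flow.dst_ip, rule.dst_nets)
            and (not rule.dst_ports or flow.dst_port in rule.dst_ports))


def evaluate(policy: list, flow: Flow):
    """First matching rule wins. Returns (rule name, file policy that will
    inspect the flow, or None). A TRUST match never carries a file policy."""
    for rule in policy:
        if matches(rule, flow):
            fp = rule.file_policy if rule.action == "ALLOW" else None
            return rule.name, fp
    return "default action", None


# Assumed starting point: the poster's VPN rule has the file policy attached,
# which is what the last reply in the thread implies.
ORIGINAL_POLICY = [
    Rule("Allow Site-to-Site VPN", "ALLOW",
         src_nets=VPN_GROUPS, dst_nets=VPN_GROUPS, file_policy=FILE_POLICY),
    Rule("Allow Internet", "ALLOW",
         src_zones={"inside-internet"}, dst_zones={"outside-internet"},
         file_policy=FILE_POLICY),
]

# The fix from the thread: a new rule above, scoped to the VPN networks,
# with no file policy referenced. Every other rule keeps the file policy.
FIXED_POLICY = [
    Rule("VPN bypass file inspection", "ALLOW",
         src_nets=VPN_GROUPS, dst_nets=VPN_GROUPS, file_policy=None),
] + ORIGINAL_POLICY

# Constructed flows: SMB to a remote PC across the tunnel, and a web hit.
SMB_OVER_VPN = Flow("10.10.5.20", "192.168.50.15",
                    "inside-internet", "outside-internet", 445)
WEB_TO_INTERNET = Flow("10.10.5.20", "203.0.113.10",
                       "inside-internet", "outside-internet", 443)

if __name__ == "__main__":
    for label, policy in (("before", ORIGINAL_POLICY), ("after", FIXED_POLICY)):
        for flow in (SMB_OVER_VPN, WEB_TO_INTERNET):
            print(label, flow.dst_ip, flow.dst_port, "->", evaluate(policy, flow))
```

The point the model makes explicit is that the exemption comes from rule order plus the absence of a file policy on the matching rule, not from the rule's network objects alone: the SMB flow lands on the new top rule and gets no file inspection, while a flow to an Internet host still falls through to the rule that carries the file policy. When checking a real deployment, confirm in the connection events which access control rule the blocked SMB flow actually matched before assuming it hit the VPN rule.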
