1564 Views | 0 Helpful | 1 Replies

system support firewall-engine-debug shows rules being bypassed

babiojd01
Level 1

It appears this particular firewall is not acknowledging the last rule prior to the default action. It's the only firewall in our fleet ignoring that rule. I tested all other firewalls and confirmed they are matching. I made sure the zones are applied to interfaces. Not sure what I am missing. Running version 7.0.1 of FDM/FTD.

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url self.events.data.microsoft.com, host self.events.data.microsoft.com, no xff

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action

Attachment: acp.png
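The trace above is easier to reason about once it is broken into its parts: the flow tuple, the zone lookup on the "Starting with" line, each "no match" line with the criteria that failed, and the rule that finally matched. The parser below is an added example (not from the original post and not Cisco code); it takes the five lines from the post plus one constructed flow (10.0.0.7 -> 10.0.1.9, with made-up rule name 'Block SSH') whose zones did resolve, and reports per flow which rule won, why the earlier rules lost, and whether the zone lookup came back empty. The reading of "-1" as "no zone resolved for that interface" is an assumption; the page does not document the encoding.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the firewall-engine-debug lines from the post above, followed by one
# constructed flow whose zones resolved (rule name and addresses are made up).
SAMPLE_TRACE = """\
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url self.events.data.microsoft.com, host self.events.data.microsoft.com, no xff
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action
10.0.0.7 40000 -> 10.0.1.9 22 6 AS=0 ID=2 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> 2, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 0, payload 0, client 0, misc 0, user 9999997, no xff
10.0.0.7 40000 -> 10.0.1.9 22 6 AS=0 ID=2 GR=1-1 match rule order 1, 'Block SSH', action Block
"""

FlowKey = Tuple[str, int, str, int, int]  # src, sport, dst, dport, proto

# Every line starts with the flow tuple and the AS/ID/GR fields; the rest is the message.
PREFIX_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=\d+ ID=\d+ GR=\S+ (?P<msg>.*)$"
)
START_RE = re.compile(r"^Starting with .*?zones (?P<sz>-?\d+) -> (?P<dz>-?\d+)")
NOMATCH_RE = re.compile(r"^no match rule order (?P<order>\d+), '(?P<name>[^']*)', (?P<failed>.*)$")
MATCH_RE = re.compile(r"^match rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\S+)")
VERDICT_RE = re.compile(r"^(?P<verdict>\w+) action$")


@dataclass
class RuleEval:
    order: int
    name: str
    matched: bool
    failed: List[str] = field(default_factory=list)  # criteria that did not match
    action: Optional[str] = None                      # only present on the matching rule


@dataclass
class FlowTrace:
    key: FlowKey
    src_zone: Optional[int] = None
    dst_zone: Optional[int] = None
    evaluations: List[RuleEval] = field(default_factory=list)
    verdict: Optional[str] = None

    def zones_unresolved(self) -> bool:
        # Assumption: -1 in "zones a -> b" means no zone was resolved for that interface.
        return self.src_zone == -1 or self.dst_zone == -1

    @property
    def final(self) -> Optional[RuleEval]:
        return next((e for e in self.evaluations if e.matched), None)


def parse_trace(text: str) -> Dict[FlowKey, FlowTrace]:
    """Group debug lines by flow and record zone lookup, rule evaluations and verdict."""
    flows: Dict[FlowKey, FlowTrace] = {}
    for raw in text.splitlines():
        m = PREFIX_RE.match(raw.strip())
        if not m:
            continue  # not a firewall-engine-debug line
        key: FlowKey = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        ft = flows.setdefault(key, FlowTrace(key))
        msg = m["msg"]
        if (s := START_RE.match(msg)):
            ft.src_zone, ft.dst_zone = int(s["sz"]), int(s["dz"])
        elif (n := NOMATCH_RE.match(msg)):
            ft.evaluations.append(RuleEval(int(n["order"]), n["name"], False,
                                           failed=[c.strip() for c in n["failed"].split(",")]))
        elif (r := MATCH_RE.match(msg)):
            ft.evaluations.append(RuleEval(int(r["order"]), r["name"], True, action=r["action"]))
        elif (v := VERDICT_RE.match(msg)):
            ft.verdict = v["verdict"]
    return flows


def explain(ft: FlowTrace) -> List[str]:
    """Findings for one flow: which rule won, why earlier rules lost, and whether zones resolved."""
    out = [f"flow {ft.key[0]}:{ft.key[1]} -> {ft.key[2]}:{ft.key[3]} proto {ft.key[4]}"]
    if ft.zones_unresolved():
        out.append(f"  zones {ft.src_zone} -> {ft.dst_zone}: one or both zones unresolved; "
                   "check that the ingress/egress interfaces are members of the expected zones")
    for e in ft.evaluations:
        if e.matched:
            out.append(f"  rule {e.order} '{e.name}' matched -> action {e.action}")
        else:
            out.append(f"  rule {e.order} '{e.name}' skipped; failed criteria: {', '.join(e.failed)}")
    if ft.final and ft.final.name == "Default Action" and len(ft.evaluations) > 1:
        out.append("  fell through to Default Action: every explicit rule failed at least one criterion")
    return out


if __name__ == "__main__":
    for trace in parse_trace(SAMPLE_TRACE).values():
        print("\n".join(explain(trace)))
```

Paste a real capture into SAMPLE_TRACE (or read it from a file) and the per-rule "failed criteria" list tells you which condition of each rule to check first; in the post's trace both VPN rules fail on network, GEO and FQDN, so the rule's objects and zone membership are where to look, not the Snort verdict.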

1 Reply

Is there an interface associated with the outside_zone for that FTD?

If there is, perhaps there is something in Snort that is allowing the traffic. Have a look at system support trace in the CLI.

--
Please remember to select a correct answer and rate helpful posts