cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
639
Views
0
Helpful
1
Replies

system support firewall-engine-debug shows rules being bypassed

babiojd01
Beginner
Beginner

It appears this particular firewall is not acknowledging the last rule prior to default action. Its the only firewall in our fleet ignoring that rule. I test all other firewalls and confirmed they are matching. I made sure the zones are applied to interfaces. Not sure what i am missing. Running 7.0.1 version of FDM/FTD

 

 

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url self.events.data.microsoft.com, host self.events.data.microsoft.com, no xff

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action

 

acp.png

1 Reply 1

Marius Gunnerud
VIP Advisor VIP Advisor
VIP Advisor

Is there an interface associated with the outside_zone for that FTD?

If there is, perhaps there is something in snort that is allowing the traffic,  Have a look at system support trace in the CLI

--
Please remember to select a correct answer and rate helpful posts
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers