system support firewall-engine-debug shows rules being bypassed

babiojd01
Level 1

It appears this particular firewall is not acknowledging the last rule prior to the default action. It's the only firewall in our fleet ignoring that rule. I tested all other firewalls and confirmed they are matching. I made sure the zones are applied to interfaces. Not sure what I am missing. Running FDM/FTD version 7.0.1.


192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url self.events.data.microsoft.com, host self.events.data.microsoft.com, no xff

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow

192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action


[Attachment: acp.png]


Is there an interface associated with the outside_zone for that FTD?

If there is, perhaps there is something in Snort that is allowing the traffic. Have a look at system support trace in the CLI.

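Added example, not part of the original thread and not Cisco's code: a small Python script that groups `system support firewall-engine-debug` lines by flow, records each rule the engine reported as "no match" together with the criteria that line lists, and flags flows that fell through every explicit rule to 'Default Action'. It also surfaces the `zones a -> b` values from the "Starting with" line so they can be compared against the zone-to-interface assignments the reply asks about. The sample input is the five lines quoted in the question; the regular expressions are written against the line shapes visible there and are an assumption about the format, not taken from Cisco documentation.

```python
import re
from collections import defaultdict

# Constructed sample: the five firewall-engine-debug lines quoted in the post above.
SAMPLE_DEBUG = """\
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0(xff 0) -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, svc 1122, payload 1423, client 1296, misc 0, user 9999997, url self.events.data.microsoft.com, host self.events.data.microsoft.com, no xff
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 1, 'Permit VPN 1', dst network, GEO, FQDN
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 no match rule order 2, 'Permit VPN 2', src network, GEO, FQDN
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 match rule order 3, 'Default Action', action Allow
192.168.4.55 53343 -> 52.182.141.63 443 6 AS=0 ID=1 GR=1-1 allow action
"""

# Assumed line shape: "<src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> GR=<x> <message>".
FLOW_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=(?P<as_>\d+) ID=(?P<id>\d+) GR=(?P<gr>\S+) (?P<msg>.*)$"
)
NOMATCH_RE = re.compile(r"^no match rule order (?P<order>\d+), '(?P<name>[^']*)', (?P<criteria>.*)$")
MATCH_RE = re.compile(r"^match rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)$")
ZONES_RE = re.compile(r"zones (?P<src_zone>-?\d+) -> (?P<dst_zone>-?\d+)")


def parse_debug(text):
    """Group debug lines per 5-tuple flow and record the rule walk for each."""
    flows = defaultdict(lambda: {"zones": None, "no_match": [], "matched": None, "final": None})
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # blank line or debug chatter this parser does not model
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["proto"])
        f = flows[key]
        msg = m["msg"]
        if msg.startswith("Starting with"):
            z = ZONES_RE.search(msg)
            if z:
                f["zones"] = (int(z["src_zone"]), int(z["dst_zone"]))
        elif (nm := NOMATCH_RE.match(msg)):
            # Keep the criteria string exactly as the engine printed it.
            f["no_match"].append((int(nm["order"]), nm["name"], nm["criteria"]))
        elif (mt := MATCH_RE.match(msg)):
            f["matched"] = (int(mt["order"]), mt["name"], mt["action"])
        elif msg.endswith(" action"):
            f["final"] = msg.split()[0]  # e.g. "allow" from "allow action"
    return dict(flows)


def flag_default_action_hits(flows):
    """Return flows that fell through all explicit rules to 'Default Action',
    listing the rules skipped on the way and the criteria each line named."""
    report = []
    for key, f in flows.items():
        if f["matched"] and f["matched"][1] == "Default Action":
            report.append({
                "flow": "%s:%s -> %s:%s proto %s" % key,
                "zones": f["zones"],
                "skipped": sorted(f["no_match"]),
                "final": f["final"],
            })
    return report


if __name__ == "__main__":
    for entry in flag_default_action_hits(parse_debug(SAMPLE_DEBUG)):
        print(entry["flow"], "zones", entry["zones"], "->", entry["final"])
        for order, name, criteria in entry["skipped"]:
            print("  rule %d %r: no match on %s" % (order, name, criteria))
```

Running it over a longer capture gives one entry per flow that reached the default action, which makes it quick to see whether the same rule is failing on the same criteria for every flow or only for some of them.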