FTD 6.6.5
We've got a "Block" ACL based on source networks that's somehow being bypassed, but only for a single group of source networks in the ACL. Support tech couldn't find any explanation, and suggested we run a system support trace.
The only problem is that the network object being bypassed is a /22 CIDR range. I've tried entering both a range x.x.x.x-y.y.y.y and the x.x.x.x/22 when prompted to "Please specify a client IP address." It wants an individual IP address. The adversary isn't using the same address twice. So to figure out what's going on here, it seems my only two options are to either successfully guess which address they're going to use next, or to launch a thousand system support traces at once.
Are there any other ideas for actually capturing this traffic? Some trick I'm missing?