04-08-2022 09:46 PM - edited 04-09-2022 06:57 PM
Good day everyone
We have an FTD, and in our FMC logs we are seeing something weird.
We blocked an IP address in Security Intelligence, and in some logs it's blocked, but then there are connections which are allowed by file monitor.
I've attached the logs, can anyone help me on this?
Thanks in advance
04-11-2022 01:24 AM
Looking into your logs, you are hitting the Snort process L3SI (Security Intelligence), where we noted that the packet is blocked due to the SI rule (custom rule); later we see the traffic is allowed with the same source and destination. Looking at the Snort process diagram below, the File Policy is well far away. If the initiator IP is the public IP address, it should be hitting the SI intel, but it clearly is not.
Cisco recommends that you enable Reset Connection for the Block Files and Block Malware actions to prevent blocked application sessions from remaining open until the TCP connection resets. If you do not reset connections, the client session will remain open until the TCP connection resets itself.
Could you create a rule in the access-control-list (ACL)? Policies -> Access Control -> Access Control Policy -> here edit your existing control policy.
Create a new control policy and set a new rule with the action either Block or Block with reset. Leave the zone; do not touch it. At Networks, create a network with the blocked IP address and call it in Add to Source Networks (your blocked IP object), and also call it in Add to Destination. Once this is done, call your internal network in Add to Source Networks and Add to Destination. By doing this, whether the initiator is your local network or your public IP, it will be blocked in both directions. Also enable logging at Log at Beginning of Connection.
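To check for the pattern discussed in this thread (a Security Intelligence block and a later file-monitor allow for the same pair of hosts, which usually points to a one-directional match), here is an added audit script that is not part of the original posts or of any Cisco tooling. It runs over constructed connection events whose field names (initiator, responder, action, reason, si_category) are an assumption modelled on FMC connection-event columns, not the poster's attached logs, and reports which role the listed IP played in the allowed flows.

```python
from collections import defaultdict

# Constructed sample connection events (not the poster's attached logs).
# Field names are assumed to resemble FMC connection-event columns.
SAMPLE_EVENTS = [
    {"ts": "2022-04-08T21:10:01", "initiator": "203.0.113.10", "responder": "10.0.0.5",
     "action": "Block", "reason": "IP Block", "si_category": "custom-blocklist"},
    {"ts": "2022-04-08T21:10:05", "initiator": "203.0.113.10", "responder": "10.0.0.5",
     "action": "Block", "reason": "IP Block", "si_category": "custom-blocklist"},
    {"ts": "2022-04-08T21:11:30", "initiator": "10.0.0.5", "responder": "203.0.113.10",
     "action": "Allow", "reason": "File Monitor", "si_category": ""},
    {"ts": "2022-04-08T21:12:02", "initiator": "10.0.0.7", "responder": "198.51.100.20",
     "action": "Allow", "reason": "File Monitor", "si_category": ""},
]


def audit_si_bypass(events, blocklisted_ips):
    """Group events by unordered host pair and return the pairs that were both
    blocked by Security Intelligence and allowed by another component.
    For the allowed flows, record whether the listed IP was the initiator or
    the responder, since a one-directional SI/ACL match is the usual cause."""
    by_pair = defaultdict(lambda: {"si_blocks": 0, "allows": 0, "roles": set()})
    for ev in events:
        pair = frozenset((ev["initiator"], ev["responder"]))
        listed = pair & set(blocklisted_ips)
        if not listed:
            continue  # neither host is on the SI blocklist; nothing to audit
        rec = by_pair[pair]
        if ev["action"] == "Block" and ev["reason"] == "IP Block":
            rec["si_blocks"] += 1
        elif ev["action"] == "Allow":
            rec["allows"] += 1
            rec["roles"].add("initiator" if ev["initiator"] in listed else "responder")
    findings = {}
    for pair, rec in by_pair.items():
        if rec["si_blocks"] and rec["allows"]:
            findings[tuple(sorted(pair))] = {
                "si_blocks": rec["si_blocks"],
                "allows": rec["allows"],
                "listed_ip_role_in_allowed_flows": sorted(rec["roles"]),
            }
    return findings


if __name__ == "__main__":
    for pair, info in audit_si_bypass(SAMPLE_EVENTS, {"203.0.113.10"}).items():
        print(pair, info)
```

In the constructed sample the listed IP is the responder in every allowed flow, which is the case the answer above addresses by adding the object to both source and destination of the rule.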
04-12-2022 06:35 AM
Thank you for your answer.