FTD Application Block

dcanady55
Level 3

Hello,

I recently had some very high traffic by application risk come through, and I blocked this application A in my ACP. The first rule of this ACP is application blocks. A few days go by and the dashboards show very high again, and when I open up Context Explorer, there's the application A I blocked. When I drill into the analysis and look at one of the connections in the application protocol, it shows QUIC, and under the client section, it shows the application A I blocked previously. I am looking into blocking QUIC, but I don't understand: if QUIC is using encryption so that the FTD does not see the application A I'm trying to block, how does the FTD know it's the "client", and why is it not taking action to block this traffic?

Thanks,

Accepted Solution

Gustavo Medina
Cisco Employee

Would need to see the full logs to tell where FTD is detecting the app. In general, what FW vendors are doing is blocking QUIC so that the browsers fall back to TLS, so that they can decrypt it. On newer FTD versions, the Encrypted Visibility Engine was added, which has the ability to detect apps and processes without decrypting the traffic (https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine). EVE will continue to increase the amount of apps it can detect. You can see this video to understand how EVE works and also look at the rule that is often configured to block QUIC.
https://www.youtube.com/watch?v=0w-uozqq_gs


In this video, Alex takes us through Edge Protection: Handling encrypted traffic (EVE, Server Identity, TLS1.3, QUIC) and Application Visibility / Control Timestamps: 0:05 - Enabling Encrypted Visibility Engine & TLS Server Identity 1:45 - Access Control Rules & Add Rule 3:59 - Application ...
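The answer above rests on two facts a practitioner may want to check in a capture: a QUIC Initial packet on UDP/443 exposes only its invariant long header (version and connection IDs), everything after that is protected, whereas the TLS ClientHello the browser sends after falling back to TCP carries the server name in the clear. The following script, added here as an illustration and not code from Cisco or from this thread, parses both from constructed sample packets and applies a hypothetical "block QUIC on UDP/443, inspect TLS on TCP/443" policy. The `classify` function and the builders are assumptions made for this example; they do not model how FTD, Snort or EVE actually implement the rule.

```python
"""Classify port-443 payloads as QUIC Initial (UDP) or TLS ClientHello (TCP) from the
bytes sent in the clear, and show what a "block QUIC" rule drops versus what becomes
visible after the browser falls back to TCP/TLS. All packets are constructed below."""
import struct

QUIC_V1 = 0x00000001  # RFC 9000 version number


def parse_quic_long_header(payload: bytes):
    """Parse the version-independent QUIC long header (RFC 8999).

    Returns {"version", "dcid", "scid", "initial"} or None. Bytes after the
    connection IDs are protected and are deliberately not interpreted.
    """
    if len(payload) < 7 or not (payload[0] & 0x80):  # 0x80 set => long header
        return None
    version = struct.unpack("!I", payload[1:5])[0]
    pos = 5
    dcid_len = payload[pos]
    dcid = payload[pos + 1:pos + 1 + dcid_len]
    pos += 1 + dcid_len
    if len(dcid) != dcid_len or pos >= len(payload):
        return None
    scid_len = payload[pos]
    scid = payload[pos + 1:pos + 1 + scid_len]
    if len(scid) != scid_len:
        return None
    # In v1 the packet type is bits 0x30 of the first byte; 0 means Initial.
    initial = version == QUIC_V1 and ((payload[0] >> 4) & 0x3) == 0
    return {"version": version, "dcid": dcid, "scid": scid, "initial": initial}


def parse_tls_client_hello_sni(payload: bytes):
    """Return the server_name from a plaintext TLS ClientHello record, else None."""
    if len(payload) < 5 or payload[0] != 0x16:           # record type: handshake
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                     # handshake type: ClientHello
        return None
    pos = 4 + 2 + 32                                     # hdr, legacy_version, random
    pos += 1 + hs[pos]                                   # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                                   # compression methods
    if pos + 2 > len(hs):
        return None
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        edata = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:  # server_name, host_name
            nlen = struct.unpack("!H", edata[3:5])[0]
            return edata[5:5 + nlen].decode("ascii", "replace")
    return None


def classify(proto: str, dport: int, payload: bytes) -> dict:
    """Hypothetical 'block QUIC, inspect TLS' policy applied to one packet.

    Only long-header (handshake) QUIC packets are matched, so the rule has to catch
    the flow at its start; short-header packets expose nothing but a connection ID.
    """
    if proto == "udp" and dport == 443:
        q = parse_quic_long_header(payload)
        if q:
            return {"app_protocol": "QUIC", "action": "block",
                    "visible": "version=0x%08x dcid=%s" % (q["version"], q["dcid"].hex())}
    if proto == "tcp" and dport == 443:
        sni = parse_tls_client_hello_sni(payload)
        if sni:
            return {"app_protocol": "TLS", "action": "inspect", "visible": "sni=" + sni}
    return {"app_protocol": "unknown", "action": "allow", "visible": ""}


def build_quic_initial(dcid: bytes) -> bytes:
    """Constructed sample: QUIC v1 Initial header plus opaque bytes for the protected part."""
    return (b"\xc0" + struct.pack("!I", QUIC_V1)       # long header, fixed bit, type Initial
            + bytes([len(dcid)]) + dcid + b"\x00"       # DCID, empty SCID
            + b"\xaa" * 1200)                           # stands in for the encrypted payload


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: minimal ClientHello record with one SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, no session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    samples = [("udp", 443, build_quic_initial(bytes.fromhex("0011223344556677"))),
               ("tcp", 443, build_client_hello("example.com"))]
    for proto, port, pkt in samples:
        print(proto, port, classify(proto, port, pkt))
```

Run against the two constructed packets, the QUIC Initial is classified as QUIC and blocked while the only thing readable from it is the version and destination connection ID; the TCP ClientHello yields `sni=example.com`, which is what application detection and decryption policies can act on after the fallback. To check a real capture, feed the UDP and TCP payloads of the first packet of each port-443 flow to `classify` instead of the samples.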
2 Replies

I know little about FTD, but I will share with you all I know.
(attachment: AppID.png)
There is AppID in the FTD traffic flow, and it checks the AppID before and after SSL encryption.
