FTD Prefilter Question

dcanady55 (Level 1)

FTD & FMC 7.3

Inside my prefilter policy, I have a few prefilter rules and no tunnel rules, but my default action under tunnel traffic is to analyze all tunnel traffic. The CLI shows there are hits for this traffic, but I'm assuming if there are no rules in my ACP, this traffic would be dropped. How can I prove that's the case? The logging icon next to the default action is grayed out and won't let me log anything, which makes me think you cannot log anything unless you have a tunnel rule. If I grab the rule ID off the CLI and filter for this under unified events, nothing gets returned.

Thanks


6 Replies

FTD:

Outer header check by prefilter (you can fastpath it)

Inner header check by ACP

Inner header check by Snort

It seems to me that the inner header is allowed by ACP.

MHM

Is there a way to verify the packets are being dropped?

Sorry, I don't get the last reply.
We are talking about tunnel traffic; which tunnel are we talking about, GRE or another tunnel?
Thanks
MHM

Maybe this will be helpful. The CLI shows the following rules are being allowed. I don't have any rules like this configured in my fastpath, so they must be defaults. I've read a few other posts on this topic but don't believe I saw any definitive answers. I'm trying to determine if this type of traffic is actually getting through or if it's only a few packets before the IPS blocks it. Either way, how can I determine this?

[image: dcanady55_0-1706650669387.png]

Prefilter tunnel allows the traffic and, as I mentioned, the outer IP header is allowed by prefilter.

I see GRE, so it is not encrypted. Can you check the inner IP header? If you can, add an ACP rule that drops the inner IP header (drop with log) and you will see how ACP filters tunnel traffic.

Note: You can use capture to see the inner IP header.

MHM

You could run system support trace and enable firewall-engine-debug in the CLI. This should show all actions taken by both LINA and SNORT.

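A worked verification sequence for the approach in this last reply (and the capture suggestion earlier in the thread), added here as an example and not taken from any poster: a GRE-only capture on the FTD CLI to see the outer header and the encapsulated inner IP header, then system support trace with firewall-engine-debug to watch the LINA and Snort verdicts for the inner flow. The interface name `inside`, the tunnel endpoint addresses and the exact wording of the interactive prompts are assumptions; lines starting with `#` are commentary, not CLI input.

```text
# Assumed, constructed values: GRE endpoints 203.0.113.10 <-> 198.51.100.20,
# tunnel traffic arriving on the interface named "inside".

# 1. Capture only GRE (IP protocol 47) on the ingress interface.
> capture gre_in interface inside match gre any any

# 2. List the captured packets, then look at one. "detail" shows the outer
#    header that the prefilter evaluates; "dump" shows the raw bytes, where
#    the encapsulated inner IP header (the part the ACP and Snort judge) is
#    visible after the GRE header.
> show capture gre_in
> show capture gre_in packet-number 1 detail
> show capture gre_in packet-number 1 dump

# 3. Confirm which prefilter default is applied to tunnel traffic
#    (the "analyze all tunnel traffic" default from the question).
> show access-control-config

# 4. Trace live flows through LINA and Snort. The command is interactive;
#    the prompts shown are from memory and may differ slightly by version.
#    Leave the port prompts empty for GRE. The trace output itself depends on
#    your policy and is not reproduced here.
> system support trace
Enable firewall-engine-debug too? [n]: y
Please specify an IP protocol: 47
Please specify a client IP address: 203.0.113.10
Please specify a client port:
Please specify a server IP address: 198.51.100.20
Please specify a server port:
Monitoring packet tracer and firewall debug messages
...
# What to look for: lines describing the inner (encapsulated) hosts and
# protocol, and the verdict attached to them. A block/drop verdict from the
# ACP default action or from an intrusion rule is the evidence that the
# tunnel payload is being dropped; an allow verdict with a rule name tells
# you which rule is letting it through.

# 5. Remove the capture when finished.
> no capture gre_in
```

If the trace shows an allow verdict you did not expect, the rule name it reports is the one to search for in unified events, rather than the prefilter tunnel rule ID from the LINA side.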