unknown IPs in FTD outbound logs

tato386
Level 6

I am managing FTD-1120s with FMCv, both running v7.2.1 software. In my ACP I have a GEO rule to block all outbound traffic to China, Russia, and a few other "hotspots". When I search for events that match this rule, most of the traffic is from internal private IPs going out on TCP/443, and these connections are blocked as expected. However, I also see many connections for IPs that are not internal private IPs and do not belong to any of our public IP blocks either. How are these packets from IPs that are not on any of our networks being routed or otherwise somehow making it to our FTD public interfaces? Sometimes the FTD tries to route the packets from one ISP interface to another ISP interface, but weirder still, sometimes the "egress" interface is one of our internal interfaces. So why would the FTD want to route some random and unknown IP to an internal interface? I have attached a sample with our internal interface redacted for privacy.

TIA,


That is very interesting and I would suggest raising it with TAC as it seems to be a buggy behaviour.

tato386
Level 6

Yeah, definitely gonna do that. Thx.

I will try to help you detect the issue, but sorry if my reply takes time; I am busy today.

Anyway,

Are you using any proxy?

MHM

tato386
Level 6

I do not use proxies, but I do use PBR to override the default gateway and send certain IPs/subnets out the 2nd ISP using an ACL and FlexConfig.

BTW, I appreciate any help you can give me, so don't worry about how long it takes.

Thanks

Select an IP that appears in the event view,

Use packet-tracer and see if the route lookup uses PBR or the RIB.

MHM

tato386
Level 6

The traces do not seem consistent with the event logs on the FTD. I tested with IPs that are shown in the FTD logs as having an internal interface as egress, but the trace shows the ISP is the egress. The trace makes more sense than the FTD log, because it makes sense that the packet would be routed to the default gateway and not towards the inside. I do not see any PBR being applied.

I also see the inbound packets initially being allowed, then dropped as they try to egress. I guess this makes sense, because the FTD needs to ingest the packet and pass it through the Snort engine in order to do the GEO check before it realizes it needs to block it. Maybe the trace is showing what would have happened to the packet had it not been blocked by the Snort GEO rule?

What still worries me is why/how does traffic with a destination IP that does not belong to me get routed to my public interfaces?  I would understand one ISP having some routing issues but both??
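One way to triage the blocked-connection events this thread is discussing, as an added example that is not from the original thread, from Cisco, or from any poster: a small Python script that parses FTD-style connection events, checks whether each source address falls inside the organisation's own address space, and flags blocked connections whose source is foreign and whose recorded egress is an internal interface (the oddity tato386 describes). The prefixes, the interface names, and the simplified "Key: value" event layout are assumptions made for illustration; substitute the real address plan, interface names and field names from your own FMC export.

```python
import ipaddress
from collections import Counter

# Hypothetical address plan, not taken from the thread: RFC 1918 space for the
# inside networks plus a documentation prefix standing in for the org's public block.
OWN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "203.0.113.0/24",
)]
# Interface names are assumptions; use the names configured on your FTD.
INTERNAL_INTERFACES = {"inside", "dmz"}

# Constructed sample events in a simplified "Key: value, Key: value" layout
# modelled loosely on FTD connection-event syslogs; not real logs.
SAMPLE_EVENTS = [
    "%FTD-6-430003: SrcIP: 192.168.10.25, DstIP: 198.51.100.7, SrcPort: 51324, "
    "DstPort: 443, Protocol: tcp, IngressInterface: inside, EgressInterface: isp1, "
    "AccessControlRuleAction: Block, AccessControlRuleName: GEO-BLOCK, DstCountry: China",
    "%FTD-6-430003: SrcIP: 198.51.100.200, DstIP: 198.51.100.9, SrcPort: 40211, "
    "DstPort: 443, Protocol: tcp, IngressInterface: isp1, EgressInterface: isp2, "
    "AccessControlRuleAction: Block, AccessControlRuleName: GEO-BLOCK, DstCountry: Russia",
    "%FTD-6-430003: SrcIP: 198.51.100.201, DstIP: 198.51.100.10, SrcPort: 40212, "
    "DstPort: 443, Protocol: tcp, IngressInterface: isp2, EgressInterface: inside, "
    "AccessControlRuleAction: Block, AccessControlRuleName: GEO-BLOCK, DstCountry: China",
    "%FTD-6-430003: SrcIP: 203.0.113.5, DstIP: 198.51.100.11, SrcPort: 40213, "
    "DstPort: 443, Protocol: tcp, IngressInterface: dmz, EgressInterface: isp1, "
    "AccessControlRuleAction: Block, AccessControlRuleName: GEO-BLOCK, DstCountry: China",
]


def parse_event(line):
    """Return the 'Key: value' pairs of one event as a dict; the %FTD prefix is dropped."""
    body = line.split(": ", 1)[1] if line.startswith("%FTD") else line
    return dict(part.split(": ", 1) for part in body.split(", "))


def is_own_address(ip_text):
    """True when the address lies inside one of the organisation's own prefixes."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in OWN_PREFIXES)


def classify(event):
    """Label one parsed event from the point of view of an outbound GEO block rule."""
    if is_own_address(event["SrcIP"]):
        return "expected-outbound"            # our host, blocked as designed
    if event.get("EgressInterface", "") in INTERNAL_INTERFACES:
        return "foreign-source-egress-internal"  # not our source, yet routed inward
    return "foreign-source-transit"           # not our source, ISP-to-ISP forwarding


def triage(lines):
    """Return (per-label counts, /24 counts of foreign sources) for a batch of events."""
    labels = Counter()
    foreign_nets = Counter()
    for line in lines:
        event = parse_event(line)
        label = classify(event)
        labels[label] += 1
        if label != "expected-outbound":
            # Aggregate by /24 so a single noisy source range stands out.
            net = ipaddress.ip_network(event["SrcIP"] + "/24", strict=False)
            foreign_nets[str(net)] += 1
    return labels, foreign_nets


if __name__ == "__main__":
    label_counts, nets = triage(SAMPLE_EVENTS)
    for label, n in sorted(label_counts.items()):
        print(f"{label:32} {n}")
    print("foreign source /24s:", dict(nets))
```

Events labelled `foreign-source-egress-internal` are the ones worth cross-checking with packet-tracer, as MHM suggests, and comparing against the routing table and any PBR ACL on the device; the aggregated /24 list also shows whether the foreign sources cluster in a few ranges or are scattered, which is useful context for the TAC case the thread agrees on.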
