Symptom
FTD running 6.4.0.4 enforcing traffic based on SGT (IP any/any rule; the SGT is the only match criterion).
Enforcement works correctly and the FMC connection event correctly shows the Source SGT (see screenshot); however, the direct syslog message (connection-event logging sent directly from FTD, available since 6.3) does not include the SGT.
Firewall-engine debug output for the connection (note "inline sgt tag: 50100, ISE sgt id: 18"):
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 new firewall session
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 Starting with minimum 2, 'Allow Access', and SrcZone first with zones 6 -> 15, geo 0 -> 0, vlan 0, inline sgt tag: 50100, ISE sgt id: 18, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, icmpType 8, icmpCode 0
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 match rule order 2, 'Allow Access', action Allow
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 MidRecovery data sent for rule id: 268444838,rule_action:2, rev id:210947934, rule_match flag:0x2
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 HitCount data sent for rule id: 268444838,
xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 allow action
Syslog message received on the remote syslog server for the same connection (note "Security Group: Unknown"):
AccessControlRuleAction: Allow, SrcIP: xx.xx.xx.xx, DstIP: xx.xx.xx.xx, ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, IngressInterface: inside, EgressInterface: outside, IngressZone: inside, EgressZone: outside, Security Group: Unknown, ACPolicy: EMS Datacenter ACP, AccessControlRuleName: Allow Access, Prefilter Policy: Default Prefilter Policy, User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, InitiatorBytes: 86, ResponderBytes: 86, NAPPolicy: Balanced Security and Connectivity
Conditions
FTD with an access control policy (ACP) rule that allows traffic based on SGT, with connection events logged directly from FTD to syslog.
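To confirm the symptom from a syslog collector rather than by eye, the following script (an added example, not part of the original bug description or any Cisco tooling) parses the "Key: value, Key: value" connection-event body and the firewall-engine debug line shown above, and reports flows where the engine evaluated an SGT but the exported event says "Security Group: Unknown". The second syslog line with "Security Group: Employees" is constructed to show a correctly exported event and is not from the page; treating an inline tag of 0 as "no SGT on the packet" is an assumption.

```python
import re
from typing import Dict, List, Optional

# Firewall-engine debug line for the connection, copied from the symptom description above.
DEBUG_LINE = (
    "xx.xx.xx.xx-8 > xx.xx.xx.xx-0 1 AS 1 I 31 Starting with minimum 2, 'Allow Access', "
    "and SrcZone first with zones 6 -> 15, geo 0 -> 0, vlan 0, inline sgt tag: 50100, "
    "ISE sgt id: 18, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, "
    "icmpType 8, icmpCode 0"
)

# Connection-event syslog body for the same connection, copied from the symptom description above.
SYSLOG_LINE = (
    "AccessControlRuleAction: Allow, SrcIP: xx.xx.xx.xx, DstIP: xx.xx.xx.xx, "
    "ICMPType: Echo Request, ICMPCode: No Code, Protocol: icmp, "
    "IngressInterface: inside, EgressInterface: outside, IngressZone: inside, "
    "EgressZone: outside, Security Group: Unknown, ACPolicy: EMS Datacenter ACP, "
    "AccessControlRuleName: Allow Access, Prefilter Policy: Default Prefilter Policy, "
    "User: No Authentication Required, Client: ICMP client, ApplicationProtocol: ICMP, "
    "ConnectionDuration: 0, InitiatorPackets: 1, ResponderPackets: 1, "
    "InitiatorBytes: 86, ResponderBytes: 86, NAPPolicy: Balanced Security and Connectivity"
)

# Constructed line (not from the page) showing what a correctly exported event would look like;
# the group name "Employees" is a placeholder.
TAGGED_SYSLOG_LINE = SYSLOG_LINE.replace("Security Group: Unknown", "Security Group: Employees")

SGT_DEBUG_RE = re.compile(r"inline sgt tag: (\d+), ISE sgt id: (\d+)")


def parse_connection_event(line: str) -> Dict[str, str]:
    """Split an FTD connection-event body ('Key: value, Key: value, ...') into a dict.

    Keys may contain spaces ("Security Group", "Prefilter Policy"), so the line is split on
    ', ' and each chunk on its first ': '. A chunk with no ': ' is treated as a continuation
    of the previous value, so values that themselves contain commas are not lost."""
    fields: Dict[str, str] = {}
    last_key: Optional[str] = None
    for chunk in line.split(", "):
        key, sep, value = chunk.partition(": ")
        if sep:
            last_key = key.strip()
            fields[last_key] = value.strip()
        elif last_key is not None:
            fields[last_key] = fields[last_key] + ", " + chunk.strip()
    return fields


def parse_debug_sgt(line: str) -> Optional[Dict[str, int]]:
    """Extract the SGT values the firewall engine printed while evaluating the flow."""
    m = SGT_DEBUG_RE.search(line)
    if m is None:
        return None
    return {"inline_sgt_tag": int(m.group(1)), "ise_sgt_id": int(m.group(2))}


def sgt_missing_from_syslog(syslog_line: str, debug_line: str) -> bool:
    """True when the engine evaluated the flow with an SGT but the exported event has none.

    Assumption (not stated on the page): an inline tag of 0 means the packet carried no SGT,
    so such flows are not counted as 'engine saw an SGT'."""
    sgt = parse_debug_sgt(debug_line)
    engine_saw_sgt = sgt is not None and sgt["inline_sgt_tag"] != 0
    group = parse_connection_event(syslog_line).get("Security Group", "")
    syslog_has_sgt = group not in ("", "Unknown")
    return engine_saw_sgt and not syslog_has_sgt


def events_missing_sgt(lines: List[str], sgt_rules: List[str]) -> List[Dict[str, str]]:
    """From a batch of received connection events, return those that matched one of the
    SGT-based rules yet report 'Security Group: Unknown'. On an affected release every
    event from these rules comes back, which makes this a usable collector-side check."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_connection_event(line)
        if ev.get("AccessControlRuleName") in sgt_rules and ev.get("Security Group", "Unknown") == "Unknown":
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("engine saw:", parse_debug_sgt(DEBUG_LINE))
    print("SGT dropped in syslog:", sgt_missing_from_syslog(SYSLOG_LINE, DEBUG_LINE))
    for ev in events_missing_sgt([SYSLOG_LINE, TAGGED_SYSLOG_LINE], ["Allow Access"]):
        print("missing SGT:", ev["AccessControlRuleName"], ev["SrcIP"], "->", ev["DstIP"])
```

Run it against a capture of the collector's FTD events, passing the names of the ACP rules that match on SGT; the page's own line is returned as a hit while the constructed tagged line is not.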