Loading...
Loading...
The FMC is not allowed to enable logging for when the traffic is hitting the default Prefilter rule called 'Analyze all tunnel' traffic, this is expected as confirmed in our official docs: Configure the prefilter policy's default action and its logging options. • Default action logging—Click Logging ( ) next to the default action; see Logging Connections with a Policy Default Action in the Firepower Management Center Administration Guide. You can configure default action logging for blocked tunnels only https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html#id_23357 We should have the ´logging´ option available for when traffic is hitting this default prefilter rule 'Analyze all tunnel'. With this change, our customers will be able to confirm when tunneled traffic is being forwarded for further snort inspection.
FMC running Prefilter rules with the default ‘Default Action: Tunnel Traffic’ with ‘Analyze all tunnel traffic’ action.
1. FTD captures for confirming if tunneled traffic like GRE, IPinIP, Teredo, etc. is flowing through the device. OR 2. Check the FTD CLI hitcounts for the ‘Default Action: Tunnel Traffic’ with ‘Analyze all tunnel traffic’ action rules: access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=0) 0xf5b597d6 access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5 access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=83) 0x52c7a066
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.