Symptom
The FMC does not allow logging to be enabled for traffic that hits the prefilter policy's default action 'Analyze all tunnel traffic'. This is expected behavior, as confirmed in the official documentation:
"Configure the prefilter policy's default action and its logging options.
• Default action logging—Click Logging next to the default action; see Logging Connections with a Policy Default Action in the Firepower Management Center Administration Guide. You can configure default action logging for blocked tunnels only."
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html#id_23357
The 'logging' option should also be available when traffic hits the default prefilter action 'Analyze all tunnel traffic'. With that change, customers could confirm from connection events when tunneled traffic is being forwarded to Snort for further inspection, instead of having to rely on captures or ACL hit counts.
Conditions
FMC managing an FTD with a prefilter policy whose default action ('Default Action: Tunnel Traffic') is set to 'Analyze all tunnel traffic'.
Workaround
1. Take packet captures on the FTD to confirm whether tunneled traffic (GRE, IPinIP, Teredo, etc.) is flowing through the device.
OR
2. Check the hit counts in the FTD LINA CLI (show access-list) for the ACL entries that the 'Default Action: Tunnel Traffic' / 'Analyze all tunnel traffic' action generates. The entries are tagged with the remark 'DEFAULT TUNNEL ACTION RULE'; a non-zero hitcnt on one of them (hitcnt=83 on the GRE entry in the sample below) shows that traffic of that tunnel type matched the default action and was forwarded to Snort:
access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter
access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=83) 0x52c7a066
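As an added example (not part of the bug report and not Cisco code), the following Python script applies workaround 2 programmatically: it parses two 'show access-list' snapshots taken some time apart, finds the ACEs tagged with the 'DEFAULT TUNNEL ACTION RULE' remark, and reports which tunnel entries gained hits between the snapshots. The first snapshot is the output quoted above; the hit counts in the second snapshot are constructed for the example. The regexes and the tunnel-type labels are assumptions based only on the output format shown here.

```python
"""Compare two FTD 'show access-list' snapshots and report which entries of the
prefilter default tunnel action ('Analyze all tunnel traffic') accumulated hits.
Added example for this bug report; not Cisco code."""
import re

# Constructed sample input. SNAPSHOT_BEFORE is the output quoted in the
# Workaround section; SNAPSHOT_AFTER is a later snapshot with invented hitcnts.
SNAPSHOT_BEFORE = """\
access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter
access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=83) 0x52c7a066
"""
SNAPSHOT_AFTER = """\
access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter
access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=2) 0xf5b597d6
access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=97) 0x52c7a066
"""

DEFAULT_TUNNEL_RULE = "DEFAULT TUNNEL ACTION RULE"  # remark text as seen in the output

# Assumed line shapes, derived from the sample output above.
REMARK_RE = re.compile(
    r"^access-list \S+ line \d+ remark rule-id (?P<rule>\d+): RULE: (?P<name>.+?)\s*$"
)
ACE_RE = re.compile(
    r"^access-list \S+ line \d+ advanced (?:permit|deny|trust) (?P<match>.+?) "
    r"rule-id (?P<rule>\d+) \(hitcnt=(?P<hits>\d+)\)"
)


def tunnel_type(match):
    """Label an ACE match string by the tunnel type the default action generates it for."""
    if match.startswith("gre "):
        return "GRE"
    if match.startswith("ipinip "):
        return "IPinIP (proto 4)"
    if match.startswith("41 "):
        return "IPv6-in-IPv4 (proto 41)"
    if match.startswith("udp ") and "3544" in match:
        return "Teredo (UDP 3544)"
    return "other"


def parse_show_access_list(text):
    """Return (rule_names, hits): rule-id -> RULE remark text, and
    rule-id -> {ACE match text -> hitcnt}. Keyed by match text, not line
    number, because line numbers shift when the policy is redeployed."""
    rule_names, hits = {}, {}
    for line in text.splitlines():
        m = REMARK_RE.match(line)
        if m:
            rule_names[m["rule"]] = m["name"]
            continue
        m = ACE_RE.match(line)
        if m:
            hits.setdefault(m["rule"], {})[m["match"]] = int(m["hits"])
    return rule_names, hits


def default_tunnel_hits(before, after):
    """Per-ACE hitcnt growth for the default tunnel action between two snapshots."""
    _, hits_before = parse_show_access_list(before)
    names_after, hits_after = parse_show_access_list(after)
    rule_ids = {r for r, n in names_after.items() if n == DEFAULT_TUNNEL_RULE}
    deltas = {}
    for rid in rule_ids:
        for match, count in hits_after.get(rid, {}).items():
            deltas[match] = count - hits_before.get(rid, {}).get(match, 0)
    return deltas


def report(before, after):
    """One line per tunnel type whose default-action ACE gained hits."""
    return [
        f"{tunnel_type(match)}: +{delta} hit(s) forwarded to Snort inspection"
        for match, delta in sorted(default_tunnel_hits(before, after).items())
        if delta > 0
    ]


if __name__ == "__main__":
    for line in report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(line)
```

In practice the two snapshots would be collected from the FTD CLI (or via SSH automation) before and after the test traffic is generated; a growing counter on the GRE, IPinIP, protocol 41 or UDP 3544 entries of the default tunnel rule is the only device-side evidence, short of a packet capture, that the tunnel was analyzed rather than dropped or trusted.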
Further Problem Description