
OPERATIONAL DEFECT DATABASE
The FMC does not allow logging to be enabled for traffic that hits the default prefilter rule 'Analyze all tunnel traffic'. This is expected behaviour, as confirmed in our official docs (Configure the prefilter policy's default action and its logging options):

• Default action logging—Click Logging next to the default action; see Logging Connections with a Policy Default Action in the Firepower Management Center Administration Guide. You can configure default action logging for blocked tunnels only.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/710/management-center-device-config-71/access-prefilter.html#id_23357

The 'logging' option should be available for traffic that hits the default prefilter rule 'Analyze all tunnel traffic'. With this change, our customers will be able to confirm when tunneled traffic is being forwarded for further Snort inspection.
FMC running a prefilter policy whose default action for tunnel traffic ('Default Action: Tunnel Traffic') is set to 'Analyze all tunnel traffic'.
1. Take FTD captures to confirm whether tunneled traffic such as GRE, IPinIP or Teredo is flowing through the device.

OR

2. Check the FTD CLI hit counts for the 'Default Action: Tunnel Traffic' rules with the 'Analyze all tunnel traffic' action:

access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter
access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=83) 0x52c7a066
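As an added illustration of the second workaround (this script is not part of the bug record or of any Cisco tool): it parses the hit-count lines quoted above, assumed to come from the FTD `show access-list` command, finds the default tunnel action rule by its remark, reports which tunnel entries have been hit, and shows what grew between two polls, so forwarding of tunneled traffic to Snort can be confirmed without the missing logging option.

```python
import re

# Sample output constructed from the access-list lines quoted in this record.
# Assumption: the FTD CLI command producing them is `show access-list`.
SAMPLE_OUTPUT = """\
access-list CSM_FW_ACL_ line 53 remark rule-id 268435499: PREFILTER POLICY: Truist Core Prefilter
access-list CSM_FW_ACL_ line 54 remark rule-id 268435499: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 55 advanced permit ipinip any any rule-id 268435499 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 56 advanced permit udp any eq 3544 any range 1025 65535 rule-id 268435499 (hitcnt=0) 0x46d7839e
access-list CSM_FW_ACL_ line 57 advanced permit udp any range 1025 65535 any eq 3544 rule-id 268435499 (hitcnt=0) 0xaf1d5aa5
access-list CSM_FW_ACL_ line 58 advanced permit 41 any any rule-id 268435499 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 59 advanced permit gre any any rule-id 268435499 (hitcnt=83) 0x52c7a066
"""

REMARK_RE = re.compile(r"remark rule-id (\d+): (PREFILTER POLICY|RULE): (.*)$")
ACE_RE = re.compile(r"advanced (permit|deny) (.+?) rule-id (\d+) \(hitcnt=(\d+)\)")

def parse_access_list(text):
    """Split the output into rule names (from remark lines) and ACEs with their hit counts."""
    names, aces = {}, []
    for line in text.splitlines():
        m = REMARK_RE.search(line)
        if m:
            rid, kind, value = m.groups()
            names.setdefault(rid, {})["policy" if kind == "PREFILTER POLICY" else "rule"] = value.strip()
            continue
        m = ACE_RE.search(line)
        if m:
            action, match, rid, hits = m.groups()
            aces.append({"action": action, "match": match, "rule_id": rid, "hitcnt": int(hits)})
    return names, aces

def default_tunnel_rule_ids(text):
    """rule-ids whose remark marks them as the prefilter policy's default tunnel action."""
    names, _ = parse_access_list(text)
    return [rid for rid, n in names.items() if n.get("rule") == "DEFAULT TUNNEL ACTION RULE"]

def tunnel_hits(text, rule_id):
    """Per-ACE hit counts for one rule-id, keeping only entries that have matched traffic."""
    _, aces = parse_access_list(text)
    return {a["match"]: a["hitcnt"] for a in aces if a["rule_id"] == rule_id and a["hitcnt"] > 0}

def new_hits(before, after, rule_id):
    """Entries whose counter grew between two polls: tunneled traffic was forwarded to Snort
    in that interval even though the FMC cannot log it for this default action."""
    old = {a["match"]: a["hitcnt"] for a in parse_access_list(before)[1] if a["rule_id"] == rule_id}
    new = {a["match"]: a["hitcnt"] for a in parse_access_list(after)[1] if a["rule_id"] == rule_id}
    return {k: v - old.get(k, 0) for k, v in new.items() if v > old.get(k, 0)}

if __name__ == "__main__":
    for rid in default_tunnel_rule_ids(SAMPLE_OUTPUT):
        print(rid, tunnel_hits(SAMPLE_OUTPUT, rid))  # 268435499 {'gre any any': 83}
```

Polling the counters at an interval and diffing with new_hits gives a coarse substitute for the connection events that the missing logging option would otherwise produce.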