Symptom
When using an Access Control Policy (ACP) with only a default action (no rules), where the ACP is in the Global domain and the device is in a child domain, the output of 'system support firewall-engine-debug' shows very little information.
> system support firewall-engine-debug
Please specify an IP protocol: tcp
Please specify a client IP address:
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
Connection closure:
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Got end of flow event from hardware with flags 00000000
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
With Snort2 the above output is completely empty.
After adding one rule, however, the debug output shows much more information, as expected:
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
The above should be documented in the FTD Command Reference.
Conditions
When the ACP has no rules and its default action is set to an intrusion policy (e.g., Balanced Security and Connectivity), and in Policies -> Access Control -> Policy Editor -> Advanced Settings the "Intrusion Policy used before Access Control rule is determined" setting is the same policy (e.g., Balanced Security and Connectivity), firewall evaluation is not required. Thus, the output of 'system support firewall-engine-debug' is empty (or shows only one line).
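To triage this quickly, an added helper (not part of this defect record or of Cisco's tooling) that parses the firewall-engine-debug line format shown above and reports, per flow, whether an explicit ACP rule was evaluated or only the default action applied. The sample lines are constructed from the format above; prompts and syslog-ng suppression notices are skipped.

```python
import re

# Constructed sample in the firewall-engine-debug line format shown on this page:
# flow ID=26 hit only the default action, flow ID=17 matched an explicit rule.
SAMPLE_OUTPUT = """\
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Got end of flow event from hardware with flags 00000000
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
"""

# "<src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> GR=<x-y> <message>"
FLOW_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=(?P<as_>\d+) ID=(?P<id>\d+) GR=(?P<gr>\S+) (?P<msg>.*)$"
)
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)")
MATCH_RE = re.compile(r"Rule Match Data: rule_id (?P<rule_id>\d+), rule_action (?P<rule_action>\d+)")


def summarize_flows(debug_output):
    """Group debug lines by flow and record whether an explicit ACP rule was
    evaluated. Lines that are not flow messages do not match and are skipped."""
    flows = {}
    for line in debug_output.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        key = f"{m['src']}:{m['sport']} -> {m['dst']}:{m['dport']}/{m['proto']} ID={m['id']}"
        flow = flows.setdefault(key, {"lines": 0, "new_session": False, "rule": None, "match_rule_id": None})
        flow["lines"] += 1
        msg = m["msg"]
        if msg == "New firewall session":
            flow["new_session"] = True
        if r := RULE_RE.search(msg):
            flow["rule"] = {"order": int(r["order"]), "name": r["name"], "action": r["action"]}
        if mm := MATCH_RE.search(msg):
            flow["match_rule_id"] = int(mm["rule_id"])
    return flows


def describe(flow):
    """One-line verdict for a flow summary, for quick triage."""
    if flow["rule"]:
        return f"rule #{flow['rule']['order']} '{flow['rule']['name']}' -> {flow['rule']['action']}"
    return "no explicit rule evaluated (default action only)"
```

Feed the captured debug session to summarize_flows() and print describe() for each flow; a flow with no "New firewall session" line and rule_id 0 is the empty-ACP case described in Conditions.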