When using an Access Control Policy (ACP) with only a default action (no rules), and the ACP is in the Global domain while the device is in a child domain, the system support firewall-engine-debug output shows very little info:

> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address:
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages

192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
Connection closure: 192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Got end of flow event from hardware with flags 00000000
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0

With Snort 2 the above output is completely empty. After adding one rule, the debug output shows much more information, as expected:

192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower

The above should be documented in the FTD Command Reference.
When the ACP has no rules, its default action is an intrusion policy (e.g., Balanced Security and Connectivity), and under Policies -> Access Control -> Policy Editor -> Advanced Settings the "Intrusion Policy used before Access Control rule is determined" setting is the same policy (e.g., Balanced Security and Connectivity), firewall evaluation is not required. Thus, the output of 'system support firewall-engine-debug' is empty (or shows only one line).
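The practical difficulty this bug describes is telling a capture where no ACP rule was ever walked apart from a capture that simply failed. The following triage helper is an added example, not Cisco tooling or anything from the bug report itself; it assumes only the per-flow line layout visible in the output above ('<src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> GR=<a-b> <message>') and groups lines by flow, reporting for each flow whether a named rule was evaluated or only the rule_id 0 "Rule Match Data" line appeared. The two sample captures embedded in the block are constructed from the lines quoted in the report.

```python
"""Triage helper for 'system support firewall-engine-debug' captures.

Added example (not Cisco code). Assumption: every per-flow debug line starts with
'<src> <sport> -> <dst> <dport> <proto> AS=<n> ID=<n> GR=<a-b>' followed by a message,
as in the bug report above. Prompts and syslog-ng suppression notices carry no tuple
and are skipped.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=(?P<as_>\d+) ID=(?P<fid>\d+) GR=(?P<gr>[\d-]+) (?P<msg>.*)$"
)
# 'using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow ...'
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)")
# 'Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0'
MATCH_RE = re.compile(r"Rule Match Data: rule_id (?P<rule_id>\d+), rule_action (?P<action>\d+)")


@dataclass
class FlowSummary:
    flow: str
    lines: int = 0
    rule_name: Optional[str] = None
    rule_action: Optional[str] = None
    match_rule_id: Optional[int] = None
    closed: bool = False

    @property
    def verdict(self) -> str:
        # A named rule in a 'rule order' line means the ACP rule set was actually walked.
        if self.rule_name is not None:
            return "rule-evaluated"
        # rule_id 0 with no rule line is what the report shows for a rule-less ACP.
        if self.match_rule_id == 0:
            return "no-rule-evaluated"
        return "unknown"


def parse_debug(capture: str) -> Dict[str, FlowSummary]:
    """Group debug lines by flow ID and extract the rule decision for each flow."""
    flows: Dict[str, FlowSummary] = {}
    for raw in capture.splitlines():
        line = raw.strip()
        # The end-of-flow line in the report carries a 'Connection closure:' prefix.
        closure = line.startswith("Connection closure:")
        if closure:
            line = line.split(":", 1)[1].strip()
        m = FLOW_RE.match(line)
        if not m:
            continue  # CLI prompts, blank lines, syslog-ng suppression notices
        key = f"ID={m['fid']} {m['src']}:{m['sport']}->{m['dst']}:{m['dport']}/{m['proto']}"
        fs = flows.setdefault(key, FlowSummary(flow=key))
        fs.lines += 1
        msg = m["msg"]
        if closure or "end of flow" in msg:
            fs.closed = True
        r = RULE_RE.search(msg)
        if r:
            fs.rule_name, fs.rule_action = r["name"], r["action"]
        mm = MATCH_RE.search(msg)
        if mm:
            fs.match_rule_id = int(mm["rule_id"])
    return flows


def triage(capture: str) -> Dict[str, str]:
    """Map each flow to its verdict: rule-evaluated, no-rule-evaluated or unknown."""
    return {key: summary.verdict for key, summary in parse_debug(capture).items()}


# Constructed sample captures, built from the lines quoted in the bug report.
NO_RULE_CAPTURE = """> system support firewall-engine-debug
Please specify an IP protocol: tcp
Monitoring firewall engine debug messages
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
Connection closure: 192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Got end of flow event from hardware with flags 00000000
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
"""

ONE_RULE_CAPTURE = """192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
"""

if __name__ == "__main__":
    for label, cap in (("rule-less ACP", NO_RULE_CAPTURE), ("one rule", ONE_RULE_CAPTURE)):
        print(label, triage(cap))
```

A flow reported as "no-rule-evaluated" with the ACP state described in this bug is expected behaviour rather than a broken capture; "unknown" on a flow that should have hit a rule is the case worth chasing.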