When an Access Control Policy (ACP) contains only a default action (no rules), is defined in the Global domain, and the device sits in a child domain, the output of system support firewall-engine-debug shows very little information:

    > system support firewall-engine-debug
    Please specify an IP protocol: tcp
    Please specify a client IP address:
    Please specify a client port:
    Please specify a server IP address:
    Please specify a server port:
    Monitoring firewall engine debug messages

    192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
    192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
    Connection closure: 192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Got end of flow event from hardware with flags 00000000
    192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0

With Snort 2 the output above is completely empty. After adding a single rule, the debug output shows much more information, as expected:

    192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
    192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 app event with client no change, service no change, payload no change, referred no change, misc no change, url no change, tls host no change, bits 0x1
    192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
    192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
    192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 InsightUrlListEventHandler: No active URL entries
    192.0.2' repeated 1 times, suppressed by syslog-ng on firepower

This behaviour should be documented in the FTD Command Reference.
When the ACP has no rules and its default action is an intrusion policy (e.g., Balanced Security and Connectivity), and under Policies -> Access Control -> Policy Editor -> Advanced Settings the "Intrusion Policy used before Access Control rule is determined" setting is the same policy (e.g., Balanced Security and Connectivity), no firewall rule evaluation is required. The output of 'system support firewall-engine-debug' is therefore empty (or shows only one line).
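As an added example (not from the bug page or from Cisco), here is a small Python parser for the firewall-engine-debug lines quoted above; it groups lines per flow and reports whether a flow hit a named rule or only the ACP default action. It runs on a constructed sample built from the two flows above, and it assumes that rule_id 0 in a Rule Match Data line marks a flow handled only by the default action.

```python
import re
from collections import defaultdict

# Constructed sample: the two flows quoted on this page, one handled only by
# the ACP default action (ID=26) and one matching an explicit rule (ID=17).
SAMPLE_OUTPUT = """\
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 InsightUrlListEventHandler: No active URL entries
192.0.2' repeated 1 times, suppressed by syslog-ng on firepower
192.0.2.5 52732 -> 192.0.2.50 80 6 AS=0 ID=26 GR=1-1 Rule Match Data: rule_id 0, rule_action 0 rev_id 0, rule_flags 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 New firewall session
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 using HW or preset rule order 2, 'New-Rule-#1-ALLOW', action Allow and prefilter rule 0
192.0.2.5 52730 -> 192.0.2.50 80 6 AS=0 ID=17 GR=1-1 allow action
"""

# Common prefix of a debug line: 5-tuple, then the AS, ID and GR fields, then
# the free-form message.
LINE_RE = re.compile(
    r"^(?P<src>\S+) (?P<sport>\d+) -> (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\d+) "
    r"AS=(?P<as_>\d+) ID=(?P<id>\d+) GR=(?P<gr>\S+) (?P<msg>.*)$"
)
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)")
MATCH_RE = re.compile(r"Rule Match Data: rule_id (?P<rule_id>\d+), rule_action (?P<rule_action>\d+)")


def parse_debug(text):
    """Group debug lines per flow (5-tuple plus ID) and collect rule evidence."""
    flows = defaultdict(lambda: {"rule": None, "match": None, "lines": 0})
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # e.g. the syslog-ng suppression notice, which has no tuple prefix
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["proto"], m["id"])
        flow = flows[key]
        flow["lines"] += 1
        if r := RULE_RE.search(m["msg"]):
            flow["rule"] = (r["name"], r["action"])
        if r := MATCH_RE.search(m["msg"]):
            flow["match"] = (int(r["rule_id"]), int(r["rule_action"]))
    return dict(flows)


def verdict(flow):
    """Classify one flow: named rule, default action only, or no evidence at all."""
    if flow["rule"]:
        return "rule %s -> %s" % flow["rule"]
    # Assumption: rule_id 0 in Rule Match Data marks a flow handled by the ACP
    # default action, the only rule evidence seen in the no-rules case above.
    if flow["match"] and flow["match"][0] == 0:
        return "default action only (no explicit rule evaluated)"
    return "no rule evidence in debug output"
```

A flow that yields the third verdict is what the Snort 2 case above looks like: the debug output carries no rule evidence at all.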