Loading...
Loading...
When having Parent(base)-Child Access Control Policy and assign a Prefilter rule with inheritance, access-lists from prefilter are not being deployed to the sensor. Setting Inheritance with base policy with Parent, enabled or disable Fastpath checkbox, will not work as well Defective Scenario: 1. Configure a Parent Policy 2. Configure a Child policy with a Parent (base) policy pointing to ACP on step 1 3. Create a Prefilter with a rule (ex. Fastpath Any Any) 4. Attach Prefilter policy to the Parent Policy 5. Deploy Additionally: Setting Inheritance with base policy with Parent, enabled or disable Fastpath checkbox, will not work as well On CLI, it is possible to observe that the rules were not deployed with the follow command: > show access-list (No prefilter rules are deployed) access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list CSM_FW_ACL_; 6 elements; name hash: 0x4a69e3f3 access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6 Expected Behaviour 1. Configure a Parent Policy 2. Configure a Child policy with a Parent (base) policy pointing to ACP on step 1 3. Create a Prefilter with a rule (ex. Fastpath Any Any) 4. Attach Prefilter policy to the Parent Policy 5. Deploy On CLI, it is possible to observe that the rules were deployed with the follow command: > show access-list access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300 access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3 access-list CSM_FW_ACL_ line 1 remark rule-id 268434439: PREFILTER POLICY: TAC-Test-Prefilter <-- Configured OK access-list CSM_FW_ACL_ line 2 remark rule-id 268434439: RULE: RulePrefilter#1
1. Parent-Child Policy Access Control Policy (ACP) chain 2. Inheritance Settings pointing a parent (base) policy (enabled or disabled - would not work)
1. Enable child policy use a Prefilter under advanced Settings 2. Configure Inheritance Settings for a Child policy and on Select Base Policy, select None 2.1 Select a Prefilter Rule specific to the Child policy 3. Use a single policy configuration and attach a Prefilter policy
Click on a version to see all relevant bugs
Cisco Integration
Learn more about where this data comes from
Bug Scrub Advisor
Streamline upgrades with automated vendor bug scrubs
BugZero Enterprise
Wish you caught this bug sooner? Get proactive today.