...
When a Parent (base)-Child Access Control Policy is in use and a Prefilter rule is assigned with inheritance, the access-lists from the prefilter are not deployed to the sensor. Setting Inheritance with the Parent as base policy does not work either, whether the Fastpath checkbox is enabled or disabled.

Defective Scenario:
1. Configure a Parent Policy
2. Configure a Child policy with a Parent (base) policy pointing to the ACP from step 1
3. Create a Prefilter with a rule (e.g. Fastpath Any Any)
4. Attach the Prefilter policy to the Parent Policy
5. Deploy

On the CLI, it is possible to observe that the rules were not deployed with the following command:

> show access-list (No prefilter rules are deployed)
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list CSM_FW_ACL_; 6 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6

Expected Behaviour:
1. Configure a Parent Policy
2. Configure a Child policy with a Parent (base) policy pointing to the ACP from step 1
3. Create a Prefilter with a rule (e.g. Fastpath Any Any)
4. Attach the Prefilter policy to the Parent Policy
5. Deploy

On the CLI, it is possible to observe that the rules were deployed with the following command:

> show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096) alert-interval 300
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268434439: PREFILTER POLICY: TAC-Test-Prefilter <-- Configured OK
access-list CSM_FW_ACL_ line 2 remark rule-id 268434439: RULE: RulePrefilter#1

1. Parent-Child Access Control Policy (ACP) chain
2. Inheritance Settings pointing to a parent (base) policy (enabled or disabled - would not work)

1. Enable the child policy to use a Prefilter under Advanced Settings
2. Configure Inheritance Settings for the Child policy and, under Select Base Policy, select None
2.1 Select a Prefilter Rule specific to the Child policy
3. Use a single policy configuration and attach a Prefilter policy
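
The `show access-list` check described above can be scripted to confirm after a deploy that the intended prefilter policy reached the device. This Python sketch is an added example, not Cisco tooling: it assumes the remark-line layout seen in the two outputs on this page, its function names are hypothetical, and the sample text is copied from those outputs.

```python
import re

# Remark lines as they appear in the page's output, e.g.
#   access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: <name>
REMARK = re.compile(
    r"access-list\s+\S+\s+line\s+\d+\s+remark\s+rule-id\s+(\d+):\s+"
    r"(PREFILTER POLICY|RULE):\s+(.*?)\s*(?:<--.*)?$"
)
# Name of the built-in policy, taken from the page's defective output.
DEFAULT_PREFILTER = "Default Tunnel and Priority Policy"

def prefilter_policies(show_output):
    """Map each deployed prefilter policy name to the rule names under it."""
    policies, by_rule_id = {}, {}
    for line in show_output.splitlines():
        m = REMARK.search(line)
        if not m:
            continue
        rule_id, kind, name = m.groups()
        if kind == "PREFILTER POLICY":
            by_rule_id[rule_id] = name
            policies.setdefault(name, [])
        elif rule_id in by_rule_id:  # RULE remark tied to a prefilter rule-id
            policies[by_rule_id[rule_id]].append(name)
    return policies

def custom_prefilter_deployed(show_output, expected=None):
    """True if `expected` (or any non-default prefilter policy) is present."""
    names = set(prefilter_policies(show_output))
    if expected is not None:
        return expected in names
    return bool(names - {DEFAULT_PREFILTER})

# Sample text copied from the two outputs shown on this page.
DEFECTIVE = """\
access-list CSM_FW_ACL_; 6 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6
"""
EXPECTED = """\
access-list CSM_FW_ACL_; 8 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 268434439: PREFILTER POLICY: TAC-Test-Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268434439: RULE: RulePrefilter#1
"""

if __name__ == "__main__":
    for label, text in (("defective", DEFECTIVE), ("expected", EXPECTED)):
        print(label, prefilter_policies(text), custom_prefilter_deployed(text))
```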