Firepower 6.2 - action block but SYN - SYN/ACK goes through

gthjohansson
Level 4

Hello

Though traffic gets blocked, we still see SYN - SYN/ACK - ACK go through the firewall, but data did not seem to pass after that.

We tried to put a block/block-with-reset rule at the bottom and to have the default action as block all traffic.

We took all application configuration out of the access-policy rules.

This means that though everything is blocked, TCP reconnaissance is still possible from the internet.

Does anyone have an idea of how to solve this?

regards

Gudmundur

2 Replies

Oliver Kaiser
Level 7

This should only happen if you use Applications within your access control policy. For example, if you used an application rule to block file transfer, it would be matched initially, permitting the 3-way handshake to check if the application matches. I would assume you are using FTD, correct? If that's the case, log in via SSH and check which rule matches using packet-tracer.

Claudiu Cismaru
Cisco Employee

This happens only when you have a rule with layer 7 matching on at least one of App ID or URL, which is postponed until the necessary information is gathered.

As the necessary information is in the payload of the TCP flow, this information definitely can't be known until the payload comes in. But you can't check the payload if you don't allow the frames to pass until you get the data that can be used for the decision. If you didn't pass the 3WHS and/or pre-decision segments, TCP would not continue, as per its design.

If you ssh into the sensor and issue: "system support firewall-engine-debug", you'll observe the behavior as described above.
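The two replies above describe the same mechanism: a rule that needs App ID (or URL) cannot be evaluated until payload arrives, so the handshake has to be let through, whereas a policy with only L3/L4 conditions can drop the SYN outright. The following Python is an added toy model of that evaluation order, written for this thread; it is not Cisco code and does not reproduce Firepower's real rule engine. The `identify_app` helper, the `allow-pending` verdict, and the sample flows and policies are all constructed for the example.

```python
# Added example (not Cisco's code): a toy model of why an access-control
# policy containing application-aware rules must defer its verdict until
# the first payload segment (so SYN, SYN/ACK and ACK pass), while a policy
# with only L3/L4 rules can decide on the SYN itself.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    flags: str            # e.g. "SYN", "SYN/ACK", "ACK", "PSH/ACK"
    dport: int
    payload: bytes = b""


@dataclass
class Rule:
    name: str
    action: str                   # "allow" or "block"
    dport: Optional[int] = None   # L4 condition (None = any port)
    app: Optional[str] = None     # L7 condition; needs payload to evaluate

    def needs_l7(self) -> bool:
        return self.app is not None


def identify_app(payload: bytes) -> str:
    """Toy application identification (assumption; stands in for App ID)."""
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if payload.startswith((b"220", b"USER ", b"PASS ")):
        return "ftp"
    return "unknown"


PENDING = "allow-pending"  # segment passed only so the app can be learned


def evaluate_flow(rules: List[Rule], segments: List[Segment],
                  default: str = "block") -> List[Tuple[str, str]]:
    """Return a (flags, verdict) pair per segment, evaluating rules top-down."""
    app: Optional[str] = None
    final: Optional[str] = None
    verdicts: List[Tuple[str, str]] = []
    for seg in segments:
        if final is not None:              # flow verdict already reached
            verdicts.append((seg.flags, final))
            continue
        if seg.payload and app is None:    # first data segment: learn the app
            app = identify_app(seg.payload)
        decision = None
        for r in rules:
            if r.dport is not None and r.dport != seg.dport:
                continue                   # L4 condition does not match
            if r.needs_l7():
                if app is None:
                    decision = PENDING     # cannot decide yet: let it through
                    break
                if r.app != app:
                    continue               # L7 condition does not match
            decision = r.action
            break
        if decision is None:
            decision = default             # no rule matched: default action
        if decision != PENDING:
            final = decision
        verdicts.append((seg.flags, decision))
    return verdicts


def handshake_leaked(verdicts: List[Tuple[str, str]]) -> bool:
    """True when SYN, SYN/ACK and ACK passed but the flow was blocked later."""
    passed = {f for f, v in verdicts if v in ("allow", PENDING)}
    blocked_later = any(v == "block" for _, v in verdicts)
    return {"SYN", "SYN/ACK", "ACK"} <= passed and blocked_later


# Constructed sample flow: an FTP session to port 21 (not a real capture).
FTP_FLOW = [Segment("SYN", 21), Segment("SYN/ACK", 21), Segment("ACK", 21),
            Segment("PSH/ACK", 21, b"220 ftp server ready\r\n")]

# Constructed policies: one with App ID conditions, one with L4 conditions only.
APP_POLICY = [Rule("block-ftp", "block", app="ftp"),
              Rule("allow-web", "allow", dport=80, app="http")]
L4_POLICY = [Rule("allow-web", "allow", dport=80)]

if __name__ == "__main__":
    for name, policy in (("app-aware", APP_POLICY), ("L4-only", L4_POLICY)):
        v = evaluate_flow(policy, FTP_FLOW)
        print(name, v, "handshake leaked:", handshake_leaked(v))
```

Under `APP_POLICY` the three handshake segments come back as `allow-pending` and only the first data segment is blocked, which is exactly the SYN - SYN/ACK - ACK pattern the original post observed; under `L4_POLICY` the SYN is blocked immediately and `handshake_leaked` is false. When checking a real sensor, `system support firewall-engine-debug` or `packet-tracer` shows which rule the engine is waiting on for a given flow.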
