04-21-2018 03:52 PM - edited 02-21-2020 07:39 AM
Hi All,
I was testing a new access control policy with a single rule that permits ICMP application traffic from my inside network to the outside (see attached screenshot).
As expected, ICMP traffic such as ping, traceroute, etc. works without any issues and all other traffic is blocked (default action is to block). However, I tested a telnet to an external Web server that I manage on port 80 from an internal host and the connection opened, which was unexpected. I checked the FTD and I could see the corresponding connection (using show conn detail), and the destination server also shows the established connection.
Has anyone experienced odd behaviours with the ICMP application detector before?
I also checked the behaviour using packet-tracer as follows, and the result is a match of access rule "Permit ICMP":
> packet-tracer input inside tcp 10.1.31.101 1000 172.16.100.1 80
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Corporate_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Permit ICMP
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
Thanks
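As an added illustration (not part of the original post), the script below parses packet-tracer output like the one above and flags ACCESS-LIST phases where the LINA entry is a broad "permit ip" ACE carrying an "L7 RULE" remark and the packet is handed to Snort: in those phases the ALLOW is not the final verdict. The sample input is constructed from the post's own output.

```python
import re

# Constructed sample modelled on the packet-tracer output in the post above.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Corporate_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Permit ICMP
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""

def parse_phases(text: str) -> list[dict]:
    """One dict per phase: 'Key: value' headers become entries; Config/Additional Information are raw line lists."""
    phases = []
    for block in re.split(r"^Phase: ", text, flags=re.M)[1:]:
        head, _, rest = block.partition("Config:\n")
        cfg, _, info = rest.partition("Additional Information:\n")
        lines = head.splitlines()
        p = dict(ln.split(": ", 1) for ln in lines[1:] if ": " in ln)
        p["Config"] = cfg.strip().splitlines()
        p["Additional Information"] = info.strip().splitlines()
        phases.append(p)
    return phases

def snort_deferred_rules(phases: list[dict]) -> list[tuple[str, str]]:
    """(rule-id, L7 rule name) where a broad 'permit ip' ACE stands in for an app rule and Snort gets the verdict."""
    found = []
    for p in phases:
        if (p.get("Type"), p.get("Result")) != ("ACCESS-LIST", "ALLOW"):
            continue
        cfg = "\n".join(p["Config"])
        if "sent to snort" not in " ".join(p["Additional Information"]).lower():
            continue
        for m in re.finditer(r"permit ip .*? rule-id (\d+)", cfg):
            l7 = re.search(rf"rule-id {m.group(1)}: L7 RULE: (.+)", cfg)
            if l7:
                found.append((m.group(1), l7.group(1).strip()))
    return found
```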
04-22-2018 04:53 AM
You have a deny any any at the end of your ACL coming into your inside interface?
04-22-2018 09:09 AM
Hi Dennis,
Sorry, this is for an FTD 2100 appliance, so the only ACLs I have are within the Access Control Policy. The ACP has a default action of block.
Thanks
04-23-2018 02:05 AM