Firepower ICMP Application Odd Behaviour

de1denta
Level 3

Hi All,

 

I was testing a new access control policy with a single rule that permits ICMP application traffic from my inside network to the outside (see attached screenshot).

 

As expected, ICMP traffic such as ping, traceroute, etc. works without any issues and all other traffic is blocked (the default action is to block). However, I tested a telnet to an external Web server that I manage on port 80 from an internal host and the connection opened, which was unexpected. I checked the FTD and I could see the corresponding connection (using show conn detail), and the destination server also shows the established connection.

 

Has anyone experienced odd behaviours with the ICMP application detector before?

 

I also checked the behaviour using packet-tracer as follows, and the result is a match of access rule Permit ICMP:

 

> packet-tracer input inside tcp 10.1.31.101 1000 172.16.100.1 80

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Corporate_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Permit ICMP
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached

 

Thanks
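In the packet-tracer output above the LINA access-list entry that matched is a plain "permit ip", and the remark marks it as an L7 (application) rule, so the ALLOW in phase 2 is not the final verdict: the packet is handed to Snort, which reaches the verdict after identifying the application. As an added example (not code from the original post; function names are my own), a small Python parser that reads a packet-tracer transcript and flags an ALLOW that is deferred to Snort, so an operator does not misread the LINA result as the final decision.

```python
import re

# Constructed sample: the two packet-tracer phases quoted in the post.
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop x.x.x.x using egress ifc outside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc inside any ifc outside any rule-id 268440576
access-list CSM_FW_ACL_ remark rule-id 268440576: ACCESS POLICY: Corporate_Policy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268440576: L7 RULE: Permit ICMP
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
"""


def parse_phases(text):
    """Split a packet-tracer transcript into phases (type, result, raw lines)."""
    phases = []
    for chunk in re.split(r"\n(?=Phase: )", text.strip()):
        lines = chunk.splitlines()
        phase = {"type": None, "result": None, "lines": lines}
        for line in lines:
            if line.startswith("Type: "):
                phase["type"] = line[len("Type: "):].strip()
            elif line.startswith("Result: "):
                phase["result"] = line[len("Result: "):].strip()
        phases.append(phase)
    return phases


def deferred_to_snort(phases):
    """If an ACCESS-LIST phase ALLOWs via an L7 rule and defers to Snort, return
    the rule name and the protocol the LINA entry actually permits; else None."""
    for p in phases:
        if p["type"] != "ACCESS-LIST" or p["result"] != "ALLOW":
            continue
        body = "\n".join(p["lines"])
        rule = re.search(r"L7 RULE: (.+)", body)
        acl = re.search(r"access-list \S+ advanced permit (\S+) ", body)
        if rule and acl and "sent to snort" in body.lower():
            return {"l7_rule": rule.group(1).strip(), "lina_permit": acl.group(1)}
    return None
```

On the sample above the parser reports that the LINA entry permits "ip" (any protocol) while the policy rule is "Permit ICMP", which is exactly why a TCP/80 SYN can pass the fast path and only Snort can decide it is not ICMP.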

 


Dennis Mink
VIP Alumni

You have a deny any any at the end of your ACL coming into your inside interface?

 

 

Please remember to rate useful posts, by clicking on the stars below.

Hi Dennis,

 

Sorry, this is for an FTD 2100 appliance, so the only ACLs I have are within the Access Control Policy. The ACP has a default action of block.


Thanks

Florin Barhala
Level 6
This sounds close to a bug:
- I would check the ICMP app definition in the firewall; I once met a bad definition of ICMP: IP/0 instead of IP/1.
- Did you previously ping the same destination as the one you went for with telnet? I would just telnet a "first time destination IP".
- I would make sure the implicit deny entry really works by reading the config or testing with any other app but telnet.