Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

CSA 5.2 (245) Network access control rule's priority

Hello!

I have a problem with the priority of network access control rules.

As default all network connections are denied by CSA on our machines. And network access rules with the action "priority allow" allows needed applications access network. So the CSA works as the firewall on our workstations and servers.

But some time ago I have noticed that network access "priority allow" rules doesn't work. All connections are refused with the default network access "deny" rules though there are "priority allow" rules for these particular applications. So now I turn all CSAgents into test mode, but this is not the way out.

Please, help to solve this problem.

5 REPLIES
Blue

Re: CSA 5.2 (245) Network access control rule's priority

Is it all hosts and if not, has the system state changed on any of these hosts?

Tom

New Member

Re: CSA 5.2 (245) Network access control rule's priority

Hello!

I needed some time to look more carefully on this question. According to our policy there are deny network access control rules for acting as a server only (not for acting as a client). So I monitored network access rules for all hosts and have detected that such trouble happened for all hosts during connections as a server.

System state is set to "Apply this rule module regardless of any state conditions" and I haven't changed it.

Blue

Re: CSA 5.2 (245) Network access control rule's priority

Hello Ann

Let's see if I have this straight:

You added some NAC allow rules to permit all hosts to accept connections as a server for certain applications and it isn't working as you expected it to. Is that right?

If so, did it ever work right or is this something new?

Tom

New Member

Re: CSA 5.2 (245) Network access control rule's priority

Hello, Tom!

Yes, that's right.

Such things are new. I thought about there reason, wached logs. As I think the only reason it can be the hotfix 5.2.0.245, that I have installed not so much time ago. And since that troubles began. With the version of CSA MC 5.2.0.238 everyhting worked correctly.

Ann

Blue

Re: CSA 5.2 (245) Network access control rule's priority

Hi Ann, it may be that the exceptions you created were for old groups and policies and aren't associated with the new ones.

Applying a hotfix will usually create new groups, policies and rule modules if the old ones have been modified and it doesn't always associate exceptions with the new ones.

If that's the case you'll need to either move the exceptions to a rule module that applies to your current groups or create new exceptions.

I have all my exceptions in a separate policy just for this reason.

HTH

Tom

277
Views
0
Helpful
5
Replies
CreatePlease to create content