澄清Firepower威胁防御访问控制策略规则动作
Contents
Introduction
本文描述多种动作可用在Firepower威胁防御(FTD)访问控制策略(ACP)和Prefilter策略。此外,每个动作的背景操作与其交互作用一起被检查与其它功能,如流卸载和打开附属连接的协议。
Prerequisites
Requirements
Cisco 建议您了解以下主题:
- 流卸载
- 在可适应的安全工具(ASA)工具上的信息包获取
- 在ASA工具上的信息包跟踪程序
Components Used
本文档中的信息基于以下软件和硬件版本:
- Cisco Firepower 4110威胁防御版本6.2.2 (修造81)
- Firepower管理中心(FMC)版本6.2.2 (修造81)
The information in this document was created from the devices in a specific lab environment.All of the devices used in this document started with a cleared (default) configuration.如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。
相关产品
本文可以也与这些一起使用硬件和软件版本:
- ASA5506-X, ASA5506W-X, ASA5506H-X, ASA5508-X, ASA5516-X
- ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
- FPR2100, FPR4100, FPR9300
- VMware (ESXi),亚马逊网站服务(AW),基于内核的虚拟机(KVM)
- 综合服务路由器(ISR)路由模块
- FTD软件版本6.1.x和以后
背景信息
FTD是包括2个主要引擎的一个统一的软件镜像:
- 莉娜引擎
- 喷鼻息引擎
此图显示2个引擎如何呼应:
- 信息包进入入口接口,并且由莉娜引擎处理
- 如果FTD策略需要它信息包由喷鼻息引擎检查
- 喷鼻息引擎返回一个判决(whitelist或黑名单)信息包的
- 莉娜引擎丢弃或转发根据喷鼻息的判决的信息包
ACP如何配置
FTD策略在FMC被配置,当箱外(远程)时管理使用或Firepower设备管理器(FDM),当使用时本地管理。在两种情况下, ACP配置如下:
- 作为CSM_FW_ACL_被命名的全局访问控制表(ACL)对FTD莉娜引擎
- 在/var/sf/detection_engines/UUID/ngfw.rules文件的访问控制(AC)规则对FTD喷鼻息引擎
Configure
ACP可用的动作
FTD ACP包含一个或更多规则,并且每个规则能有一这些动作和如镜像所显示:
- 准许
- 信任
- 监控程序
- 块
- 与重置的块
- 交互块
- 与重置的交互块
同样地, Prefilter策略能包含一个或更多规则,并且可能行动在镜像显示:
ACP和Prefilter策略如何呼应
Prefilter策略在6.1版本和服务获得了介绍2个主要目的:
- 它允许FTD莉娜引擎检查外面IP头隧道流量的检查,当喷鼻息引擎检查内在IP头时。特别地,在隧道流量(即GRE)的情况下在Prefilter策略的规则在outerheaders总是操作,当在ACP的规则总是可适用的对内部的会话时(内部头标)。隧道流量是指这些协议:
- GRE
- IP在IP
- IPv6-in-IP
- 凿船虫端口3544
- 它提供如镜像所显示,允许流完全地绕过喷鼻息引擎的早期的访问控制(EAC)。
Prefilter规则在FTD配置作为L3/L4访问控制元素(ACE)如镜像所显示,和在ACP被配置的L3/L4 ACE上被放置:
ACP块动作
考虑在镜像显示的拓扑:
方案1.早莉娜丢弃
ACP包含使用一个L4情况的一个分块规则(目的地端口TCP 80)如镜像所显示, :
在喷鼻息的被实施的策略:
268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
被实施的策略在莉娜。注意规则被推进和拒绝动作:
firepower# show access-list … access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1 access-list CSM_FW_ACL_ line 10 advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start (hitcnt=0) 0x6149c43c
验证工作情况:
当host-A (192.168.1.40)时设法对host-B (192.168.2.40)开始HTTP会话TCP请同步(SYN)信息包由FTD莉娜引擎丢弃,无需到达喷鼻息引擎或目的地:
firepower# show capture capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 430 bytes] match ip host 192.168.1.40 any capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 0 bytes] match ip host 192.168.1.40 any
firepower# show capture CAPI 1: 11:08:09.672801 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0> 2: 11:08:12.672435 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4063517 0> 3: 11:08:18.672847 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4069517 0> 4: 11:08:30.673610 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4081517 0>
firepower# show capture CAPI packet-number 1 trace
1: 11:08:09.672801 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L4 RULE: Rule1
Additional Information:
<- No Additional Information = No Snort Inspection
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
由于方案2.的丢弃打鼾判决
ACP包含使用一个L7情况的一个分块规则(应用程序HTTP)如镜像所显示, :
在喷鼻息的被实施的策略:
268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (appid 676:1)
Appid 676:1 = HTTP
被实施的策略在莉娜。
firepower# show access-list … access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1 access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786
对于使用应用程序作为情况的分块规则,一个实际信息包的跟踪表示,会话由由于的莉娜下降打鼾引擎判决。
验证工作情况:
当host-A (192.168.1.40)时设法设立与host-B (192.168.2.40)的HTTP会话莉娜入口捕获显示:
firepower# show capture CAPI 8 packets captured 1: 11:31:19.825564 192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0> 2: 11:31:19.826403 192.168.2.40.80 > 192.168.1.40.32790: S 1283931030:1283931030(0) ack 357753152 win 2896 <mss 1380,sackOK,timestamp 5449236 5450579> 3: 11:31:19.826556 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236> 4: 11:31:20.026899 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450781 5449236> 5: 11:31:20.428887 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5451183 5449236> ...
出口捕获:
firepower# show capture CAPO 5 packets captured 1: 11:31:19.825869 192.168.1.40.32790 > 192.168.2.40.80: S 1163713179:1163713179(0) win 2920 <mss 1380,sackOK,timestamp 5450579 0> 2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579> 3: 11:31:23.426049 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5452836 5450579> 4: 11:31:29.426430 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5458836 5450579> 5: 11:31:41.427208 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5470836 5450579>
跟踪表示,第一个信息包(TCP SYN)由喷鼻息允许,因为应用程序检测判决是待定的:
firepower# show capture CAPI packet-number 1 trace 1: 11:31:19.825564 192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0> ... Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached ... Phase: 10 Type: FLOW-CREATION Subtype: Result: ALLOW Config: Additional Information: New flow created with id 23194, packet dispatched to next module … Phase: 12 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: TCP, SYN, seq 357753151 AppID: service unknown (0), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 Firewall: pending rule-matching, id 268435461, pending AppID NAP id 1, IPS id 0, Verdict PASS Snort Verdict: (pass-packet) allow this packet Result: input-interface: OUTSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
同样TCP SYN/ACK信息包:
firepower# show capture CAPO packet-number 2 trace 2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579> … Phase: 3 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found flow with id 23194, using existing flow … Phase: 5 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: TCP, SYN, ACK, seq 1283931030, ack 357753152 AppID: service unknown (0), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 Firewall: pending rule-matching, id 268435461, pending AppID NAP id 1, IPS id 0, Verdict PASS Snort Verdict: (pass-packet) allow this packet Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: INSIDE output-status: up output-line-status: up Action: allow
喷鼻息在检查第三个信息包以后返回丢弃判决:
firepower# show capture CAPI packet-number 3 trace 3: 11:31:19.826556 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236> Phase: 3 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found flow with id 23194, using existing flow Phase: 5 Type: SNORT Subtype: Result: DROP Config: Additional Information: Snort Trace: Packet: TCP, ACK, seq 357753152, ack 1283931031 AppID: service HTTP (676), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html Firewall: block rule, id 268435461, drop Snort: processed decoder alerts or actions queue, drop NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall Snort Verdict: (black-list) black list this flow Result: input-interface: INSIDE input-status: up input-line-status: up Action: drop Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
您能从FTD CLISH模式也运行system命令支持跟踪。此工具提供2个功能:
- 显示每个信息包的喷鼻息判决,当在莉娜被发送到数据收集库(DAQ)并且被看到。DAQ是组件设置在FTD莉娜引擎和喷鼻息引擎之间
- 准许同时运行系统支持防火墙引擎调试发现什么在喷鼻息引擎内发生
这是输出:
> system support trace Please specify an IP protocol: tcp Please specify a client IP address: 192.168.1.40 Please specify a client port: Please specify a server IP address: 192.168.2.40 Please specify a server port: Enable firewall-engine-debug too? [n]: y Monitoring packet tracer debug messages Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 2620409313 192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 New session 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID 192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, ACK, seq 3700371680, ack 2620409314 192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID 192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, ACK, seq 2620409314, ack 3700371681 192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service HTTP (676), application unknown (0) 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 676, payload 0, client 686, misc 0, user 9999997, url http://192.168.2.40/128k.html, xff 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 match rule order 2, 'Rule1', action Block 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 deny action 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: block rule, 'Rule1', drop 192.168.1.40-32791 > 192.168.2.40-80 6 Snort: processed decoder alerts or actions queue, drop 192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Deleting session 192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict BLACKLIST 192.168.1.40-32791 > 192.168.2.40-80 6 ===> Blocked by Firewall
摘要
- 配置的ACP块动作获得,因为或者许可证或在取决于规则调节的莉娜拒绝规则
- 如果条件是L3/L4那么莉娜阻拦信息包。在TCP的情况下第一个信息包(TCP SYN)被阻拦
- 如果条件是L7那么信息包转发到进一步检查的喷鼻息引擎。在TCP的情况下,一些个信息包通过FTD允许,直到喷鼻息作出判决。允许的信息包仍然是受根据访问策略>Advanced的闯入策略检查支配> ‘使用的闯入策略,在访问控制规则是确定的’选项前。
ACP允许动作
方案1. ACP允许动作(L3/L4情况)
通常,您会配置一个允许规则指定另外的检验类似闯入策略和文件策略。在这里此第一个方案中,当L3/L4情况适用时,被展示允许规则的操作。
如镜像所显示,考虑此拓扑:
此策略适用如镜像所显示:
在喷鼻息的被实施的策略。注意规则配置作为允许动作:
# Start of AC rule. 268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
策略在莉娜。
firepower# show access-list … access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1 access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=1) 0x641a20c3
为了看到匹配一个允许规则的流如何由那里FTD处理请是一些个方式:
- 验证喷鼻息统计数据
- 使用使用系统支持请跟踪CLISH工具
- 使用使用捕获与跟踪在莉娜和可选地与在喷鼻息引擎的捕获数据流
莉娜捕获与喷鼻息捕获数据流:
验证工作情况:
清除喷鼻息统计数据, enable (event)从CLISH的系统支持跟踪并且起动从host-A (192.168.1.40)的HTTP流对host-B (192.168.2.40)。所有信息包转发到喷鼻息引擎并且由喷鼻息获得PASS判决:
firepower# clear snort statistics
> system support trace Please specify an IP protocol: Please specify a client IP address: 192.168.1.40 Please specify a client port: Please specify a server IP address: 192.168.2.40 Please specify a server port: Enable firewall-engine-debug too? [n]: Monitoring packet tracer debug messages Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, seq 361134402 192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow 192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, ACK, seq 1591434735, ack 361134403 192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow 192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, ACK, seq 361134403, ack 1591434736 192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service HTTP (676), application unknown (0) 192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow 192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
喷鼻息统计数据反射上述喷鼻息PASS判决:
> show snort statistics Packet Counters: Passed Packets 54 Blocked Packets 0 Injected Packets 0 Packets bypassed (Snort Down) 0 Packets bypassed (Snort Busy) 0 Flow Counters: Fast-Forwarded Flows 0 Blacklisted Flows 0 ...
被传递的信息包=由喷鼻息引擎检查
方案2. ACP允许动作(L3-7情况)
当允许规则配置如下时,相似的工作情况被看到。
如镜像所显示的仅一个L3/L4条件:
一个L7条件(即闯入策略、文件策略,应用程序等)如镜像所显示:
摘要
为了总结,这是流如何由在FP4100/9300配置的FTD处理如镜像所显示时,当允许规则被匹配:
方案3.喷鼻息快速运送判决与准许
有FTD喷鼻息egnine产生一个WHITELIST判决(快速运送)的特定方案,并且流的其余被卸载到莉娜引擎(在某些情况下然后被卸载对HW Accelarator - SmartNIC)。这些是:
- 与信任动作的访问控制策略
- 没有被配置的SSL策略的SSL流量
- FILE检测策略
- 智能应用程序bypass(IAB)
以上可以形象化对:
或者在某些情况下对:
要点
- 允许规则在喷鼻息在莉娜配置和准许并且允许
- 在许多情况下,转发会话的所有信息包打鼾另外的检查的引擎
请使用案件
当您由喷鼻息引擎需要L7检查例如时,您会配置一个允许规则:
- 闯入策略
- 文件策略
ACP信任动作
方案1. ACP信任动作(L3/L4情况)
如果不要适用任何L7动作在喷鼻息级别(即闯入策略、文件策略、应用程序检测、URL过滤,安全智能等)那么在您的规则推荐使用信任动作。
如镜像所显示,考虑拓扑:
此策略适用如镜像所显示:
信任规则,在FTD喷鼻息引擎配置:
# Start of AC rule. 268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
在FTD莉娜的规则:
access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=0) 0x641a20c3
验证工作情况:
起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40),当您运行系统支持跟踪CLI工具时。只有转发打鼾引擎的一个信息包(TCP SYN)。喷鼻息引擎发送到莉娜根本卸载流其余对莉娜的WHITELIST判决:
> system support trace Please specify an IP protocol: tcp Please specify a client IP address: 192.168.1.40 Please specify a client port: Please specify a server IP address: 192.168.2.40 Please specify a server port: Enable firewall-engine-debug too? [n]: Monitoring packet tracer debug messages Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 69186463 192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow 192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST
莉娜捕获显示流哪些通过它:
> show capture CAPI 29 packets captured 1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0> 2: 19:14:29.215549 192.168.2.40.80 > 192.168.1.40.32791: S 413254738:413254738(0) ack 69186464 win 2896 <mss 1380,sackOK,timestamp 3137895 3139222> 3: 19:14:29.215687 192.168.1.40.32791 > 192.168.2.40.80: P 69186464:69186662(198) ack 413254739 win 2920 <nop,nop,timestamp 3139223 3137895> 4: 19:14:29.216038 192.168.2.40.80 > 192.168.1.40.32791: . 413254739:413256107(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223> 5: 19:14:29.216053 192.168.2.40.80 > 192.168.1.40.32791: P 413256107:413257475(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223> 6: 19:14:29.216144 192.168.1.40.32791 > 192.168.2.40.80: . ack 413257475 win 2736 <nop,nop,timestamp 3139224 3137896> 7: 19:14:29.216251 192.168.2.40.80 > 192.168.1.40.32791: P 413257475:413258843(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139224> …
当您跟踪第一个信息包时,您能看到WHITELIST判决:
firepower# show capture CAPI packet-number 1 trace 1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0> … Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached … Phase: 12 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: TCP, SYN, seq 69186463 AppID: service unknown (0), application unknown (0) Firewall: trust/fastpath rule, id 268435461, allow NAP id 1, IPS id 0, Verdict WHITELIST Snort Verdict: (fast-forward) fast forward this flow
对于流(即TCP SYN/ACK)的其余您看到:
firepower# show capture CAPO packet-number 2 trace 2: 19:14:29.215503 192.168.2.40.80 > 192.168.1.40.32791: S 60351089:60351089(0) ack 1577779944 win 2896 <mss 1460,sackOK,timestamp 3137895 3139222> … Phase: 3 Type: FLOW-LOOKUP Subtype: Result: ALLOW Config: Additional Information: Found flow with id 25353, using existing flow Phase: 4 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Verdict: (fast-forward) fast forward this flow
喷鼻息统计数据确认此:
> show snort statistics Packet Counters: Passed Packets 0 Blocked Packets 0 Injected Packets 0 Packets bypassed (Snort Down) 0 Packets bypassed (Snort Busy) 0 Flow Counters: Fast-Forwarded Flows 1 Blacklisted Flows 0 ... 0
喷鼻息级的捕获也确认此:
> capture-traffic Please choose domain to capture traffic from: 0 - management0 1 - Router Selection? 1 Please specify tcpdump options desired. (or enter '?' for a list of supported options) Options: -n 19:04:17.429711 IP 192.168.1.40.32791 > 192.168.2.40.80: Flags [S], seq 69186463, win 2920, options [mss 1380,sackOK,TS val 2527484 ecr 0], length 0
方案2. ACP信任动作(L7情况)
如镜像所显示,认为此ACP规则:
规则,在FTD喷鼻息引擎配置:
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any (appid 676:1)
在FTD莉娜的规则:
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786
验证工作情况
起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40),当您运行系统支持跟踪CLI工具时。有发送打鼾引擎和获得PASS判决的一些个信息包(2在这种情况下),当AppID是待定的时。在喷鼻息以后确定寄WHITELIST判决给莉娜的应用程序,并且流的其余由莉娜处理:
> system support trace Please specify an IP protocol: tcp Please specify a client IP address: 192.168.1.40 Please specify a client port: Please specify a server IP address: 192.168.2.40 Please specify a server port: Enable firewall-engine-debug too? [n]: Monitoring packet tracer debug messages Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, seq 3970971741 192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID 192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, ACK, seq 18638120, ack 3970971742 192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0) 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID 192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS Trace buffer and verdict reason are sent to DAQ's PDTS Tracing enabled by Lina 192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, ACK, seq 3970971742, ack 18638121 192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service HTTP (676), application unknown (0) 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/16k.html 192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow 192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST
莉娜捕获表示,信息包# 3有HTTP GET方法:
firepower# show capture CAPI dump 1: 11:24:38.895888 192.168.1.40.32836 > 192.168.2.40.80: S 3970971741:3970971741(0) win 2920 <mss 1460,sackOK,timestamp 320516154 0> 0x0000 2c33 118d 570e 00c0 a801 2800 0800 4500 ,3..W.....(...E. 0x0010 0038 c03d 0000 4006 35e2 c0a8 0128 c0a8 .8.=..@.5....(.. 0x0020 0228 8044 0050 ecb0 385d 0000 0000 9002 .(.D.P..8]...... 0x0030 0b68 630e 0000 0204 05b4 0402 080a 131a .hc............. 0x0040 b03a 0000 0000 .:.... 2: 11:24:38.896682 192.168.2.40.80 > 192.168.1.40.32836: S 18638120:18638120(0) ack 3970971742 win 2896 <mss 1380,sackOK,timestamp 320514827 320516154> 0x0000 00c0 a801 2800 2c33 118d 570e 0800 4500 ....(.,3..W...E. 0x0010 0038 1d1e 0000 4006 d901 c0a8 0228 c0a8 .8....@......(.. 0x0020 0128 0050 8044 011c 6528 ecb0 385e 9012 .(.P.D..e(..8^.. 0x0030 0b50 3efb 0000 0204 0564 0402 080a 131a .P>......d...... 0x0040 ab0b 131a b03a .....: 3: 11:24:38.896849 192.168.1.40.32836 > 192.168.2.40.80: P 3970971742:3970971940(198) ack 18638121 win 2920 <nop,nop,timestamp 320516155 320514827> 0x0000 2c33 118d 570e 00c0 a801 2800 0800 4500 ,3..W.....(...E. 0x0010 00fa c03e 0000 4006 351f c0a8 0128 c0a8 ...>..@.5....(.. 0x0020 0228 8044 0050 ecb0 385e 011c 6529 8018 .(.D.P..8^..e).. 0x0030 0b68 0f62 0000 0101 080a 131a b03b 131a .h.b.........;.. 0x0040 ab0b 4745 5420 2f31 366b 2e68 746d 6c20 ..GET /16k.html 0x0050 4854 5450 2f31 2e30 0d0a 486f 7374 3a20 HTTP/1.0..Host:
...
喷鼻息统计数据确认在上面:
> show snort statistics Packet Counters: Passed Packets 2 Blocked Packets 0 Injected Packets 0 Packets bypassed (Snort Down) 0 Packets bypassed (Snort Busy) 0 Flow Counters: Fast-Forwarded Flows 1 Blacklisted Flows 0 ...
在如镜像所显示,在FP4100/9300工具方案1和2的运行可以形象化的FTD :
方案3. ACP信任动作(L3/L4同停用的SI)
万一希望FTD运用安全智能(SI)检查于SI已经是启用的在ACP级别,并且的所有流您能指定SI来源(TALOS、结转,列表等)。另一方面,万一要禁用它,您禁用网络的URL的SI全局每个ACP, DNS的SI和SI。网络和URL的SI是失效的如镜像所显示:
在这种情况下信任规则在莉娜被部署作为充分的信任:
> show access-list
... access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1 access-list CSM_FW_ACL_ line 10 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6
验证工作情况
起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40)。因为这FP4100和支持流在硬件方面卸载这些事发生:
- 一些个信息包通过FTD莉娜引擎转发,并且流的其余被卸载对SmartNIC (HW加速器)
- 没有转发信息包打鼾引擎
FTD莉娜连接表显示标志位“o’哪意味着流被卸载了对HW。并且请注释缺乏“N’标志位。这根本不意味着‘喷鼻息重定向’ :
firepower# show conn 1 in use, 15 most used TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:32809, idle 0:00:00, bytes 949584, flags UIOo
喷鼻息统计数据显示仅操作日志事件起初和在会话结束时:
firepower# show snort statistics Packet Counters: Passed Packets 0 Blocked Packets 0 Injected Packets 0 Packets bypassed (Snort Down) 0 Packets bypassed (Snort Busy) 0 Flow Counters: Fast-Forwarded Flows 0 Blacklisted Flows 0 Miscellaneous Counters: Start-of-Flow events 1 End-of-Flow events 1
FTD莉娜日志表示,每次会话的有2流(一每个每个方向)被卸载对HW :
Sep 27 2017 20:16:05: %ASA-7-609001: Built local-host INSIDE:192.168.1.40 Sep 27 2017 20:16:05: %ASA-6-302013: Built inbound TCP connection 25384 for INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80) Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80) Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809) Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809) Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80) Sep 27 2017 20:16:05: %ASA-6-302014: Teardown TCP connection 25384 for INSIDE:192.168.1.40/32809 to OUTSIDE:192.168.2.40/80 duration 0:00:00 bytes 1055048 TCP FINs Sep 27 2017 20:16:05: %ASA-7-609002: Teardown local-host INSIDE:192.168.1.40 duration 0:00:00
在如镜像所显示,在FP4100/9300工具方案1和2的运行可以形象化的FTD :
请使用案件
- 您必须使用信任动作,当您希望仅一些个信息包由喷鼻息引擎(即应用程序检测, SI检查)时和将被卸载的流的其余检查对莉娜引擎
- 如果使用在FP4100/9300的FTD并且希望流完全地绕过喷鼻息检查然后认为与快速路径动作的Prefilter规则(请参阅相关请区分在本文)
- 请勿使用信任动作开放附属连接的协议(即FTP, SIP等),但是使用提供动作(请参阅在本文的相关部分)
Prefilter策略块动作
如镜像所显示,考虑拓扑:
如镜像所显示,也考虑策略:
这是在FTD喷鼻息引擎(ngfw.rules文件)的被实施的策略:
# Start of tunnel and priority rules. # These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id. 268437506 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (tunnel -1
在莉娜:
access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1 access-list CSM_FW_ACL_ line 3 advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start (hitcnt=0) 0x76476240
当您跟踪一个虚拟信息包时,表示,信息包由莉娜丢弃和从未转发打鼾:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40 … Phase: 4 Type: ACCESS-LIST Subtype: log Result: DROP Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: Prefilter1 Additional Information: Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: drop Drop-reason: (acl-drop) Flow is denied by configured rule
喷鼻息统计数据显示:
firepower# show snort statistics Packet Counters: Passed Packets 0 Blocked Packets 0 Injected Packets 0 Packets bypassed (Snort Down) 0 Packets bypassed (Snort Busy) 0 Flow Counters: Fast-Forwarded Flows 0 Blacklisted Flows 0 Miscellaneous Counters: Start-of-Flow events 0 End-of-Flow events 0 Denied flow events 1
莉娜ASP丢包显示:
firepower# show asp drop Frame drop: Flow is denied by configured rule (acl-drop) 1
请使用案件
当您要阻塞数据流根据L3/L4情况和,不用需要执行所有喷鼻息检查到数据流时,您能使用Prefilter分块规则。
Prefilter策略快速路径动作
如镜像所显示,认为Prefilter策略规则:
这是在FTD喷鼻息引擎的被实施的策略:
268437506 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6 (tunnel -1)
在FTD莉娜中:
access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1 access-list CSM_FW_ACL_ line 3 advanced trust tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268437506 event-log flow-end (hitcnt=0) 0xf3410b6f
验证工作情况
当host-A (192.168.1.40)时设法对host-B (192.168.2.40)开始HTTP会话一些个信息包通过莉娜,并且其余被卸载对SmartNIC。在这种情况下“系统支持跟踪’有防火墙引擎调试功能显示:
> system support trace Please specify an IP protocol: tcp Please specify a client IP address: 192.168.1.40 Please specify a client port: Please specify a server IP address: 192.168.2.40 Please specify a server port: Enable firewall-engine-debug too? [n]: y Monitoring packet tracer debug messages 192.168.1.40-32840 > 192.168.2.40-80 6 AS 1 I 8 Got end of flow event from hardware with flags 04000000
莉娜日志显示被卸载的流:
Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host INSIDE:192.168.1.40 Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host OUTSIDE:192.168.2.40 Oct 01 2017 14:36:51: %ASA-6-302013: Built inbound TCP connection 966 for INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80) Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80) Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32840 (192.168.1.40/32840)
莉娜捕获显示经历8个的信息包:
firepower# show capture capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 3908 bytes] match ip host 192.168.1.40 host 192.168.2.40 capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 3908 bytes] match ip host 192.168.1.40 host 192.168.2.40
firepower# show capture CAPI 8 packets captured 1: 14:45:32.700021 192.168.1.40.32842 > 192.168.2.40.80: S 3195173118:3195173118(0) win 2920 <mss 1460,sackOK,timestamp 332569060 0> 2: 14:45:32.700372 192.168.2.40.80 > 192.168.1.40.32842: S 184794124:184794124(0) ack 3195173119 win 2896 <mss 1380,sackOK,timestamp 332567732 332569060> 3: 14:45:32.700540 192.168.1.40.32842 > 192.168.2.40.80: P 3195173119:3195173317(198) ack 184794125 win 2920 <nop,nop,timestamp 332569060 332567732> 4: 14:45:32.700876 192.168.2.40.80 > 192.168.1.40.32842: . 184794125:184795493(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060> 5: 14:45:32.700922 192.168.2.40.80 > 192.168.1.40.32842: P 184795493:184796861(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060> 6: 14:45:32.701425 192.168.2.40.80 > 192.168.1.40.32842: FP 184810541:184810851(310) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569061> 7: 14:45:32.701532 192.168.1.40.32842 > 192.168.2.40.80: F 3195173317:3195173317(0) ack 184810852 win 2736 <nop,nop,timestamp 332569061 332567733> 8: 14:45:32.701639 192.168.2.40.80 > 192.168.1.40.32842: . ack 3195173318 win 2697 <nop,nop,timestamp 332567734 332569061>
FTD流卸载统计数据显示22个信息包被卸载对HW :
firepower# show flow-offload statistics
Packet stats of port : 0
Tx Packet count : 22
Rx Packet count : 22
Dropped Packet count : 0
VNIC transmitted packet : 22
VNIC transmitted bytes : 15308
VNIC Dropped packets : 0
VNIC erroneous received : 0
VNIC CRC errors : 0
VNIC transmit failed : 0
VNIC multicast received : 0
您能也使用‘显示流卸载流’命令发现另外相关的信息到被卸载的流。示例如下:
firepower# show flow-offload flow
Total offloaded flow stats: 2 in use, 4 most used, 20% offloaded, 0 collisions
TCP intfc 103 src 192.168.1.40:39301 dest 192.168.2.40:20, static, timestamp 616063741, packets 33240, bytes 2326800
TCP intfc 104 src 192.168.2.40:20 dest 192.168.1.40:39301, static, timestamp 616063760, packets 249140, bytes 358263320
firepower# show conn
5 in use, 5 most used
Inspect Snort:
preserve-connection: 1 enabled, 0 in effect, 4 most enabled, 0 most in effect
TCP OUTSIDE 192.168.2.40:21 INSIDE 192.168.1.40:40988, idle 0:00:00, bytes 723, flags UIO
TCP OUTSIDE 192.168.2.40:21 INSIDE 192.168.1.40:40980, idle 0:02:40, bytes 1086, flags UIO
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:49442, idle 0:00:00, bytes 86348310, flags UIO N1
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:39301, idle 0:00:00, bytes 485268628, flags Uo <- offloaded flow
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:34713, idle 0:02:40, bytes 821799360, flags UFRIO
- 百分比根据‘show conn’输出。例如,如果5 conns在总通过FTD莉娜引擎,并且然后卸载1他们20%将报告如被卸载
- 被卸载的会话最大限制取决于软件版本(即ASA 9.8.3和FTD 6.2.3支持4百万双向(或8百万单向)被卸载的流)
- 万一被卸载的流的数量达到限制(即4百万双向流)不会卸载新连接,直到现有连接从被卸载的表被取消
为了看到在通过FTD的FP4100/9300的所有信息包(被卸载+莉娜)如镜像所显示,那里是需要enable (event)捕获在机箱平实:
机箱底板捕获显示两个方向。由于FXO捕获体系结构(每个方向2捕获点)如镜像所显示,每个信息包两次显示:
基于在上面:
- 信息包总数通过FTD :30
- 信息包通过FTD莉娜:8
- 信息包被卸载对SmartNIC HW加速器:22
请使用案件
- 当您要完全地绕过喷鼻息检查时,请使用Prefilter快速路径动作。您典型地要为您委托类似备份的大fat流,数据库转移等执行此
- 在FP4100/9300工具上快速路径动作触发器流卸载,并且仅一些个信息包通过FTD莉娜引擎。其余由减少潜伏期的SmartNIC处理
Prefilter策略分析动作
方案1. Prefilter分析与ACP分块规则
考虑如镜像所显示,包含一个分析规则的Prefilter策略:
ACP包含设置阻塞所有数据流如镜像所显示,仅的默认规则:
这是在FTD喷鼻息引擎(ngfw.rules文件)的被实施的策略:
# Start of tunnel and priority rules. # These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id. 268435460 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any (tunnel -1) 268435459 allow any any 1025-65535 any any 3544 any 17 (tunnel -1) 268435459 allow any any 3544 any any 1025-65535 any 17 (tunnel -1) 268435459 allow any any any any any any any 47 (tunnel -1) 268435459 allow any any any any any any any 41 (tunnel -1) 268435459 allow any any any any any any any 4 (tunnel -1) # End of tunnel and priority rules. # Start of AC rule. 268435458 deny any any any any any any any any (log dcforward flowstart) # End of AC rule.
这是在FTD莉娜引擎的被实施的策略:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=0) 0xb788b786
验证工作情况
为了测试与信息包跟踪程序,它表示,信息包由莉娜允许,转发打鼾引擎(由于允许动作),并且喷鼻息引擎返回块判决,因为从AC的默认动作被匹配。
当您跟踪信息包时显示同样:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40 ... Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1 access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached … Phase: 14 Type: SNORT Subtype: Result: DROP Config: Additional Information: Snort Trace: Packet: ICMP AppID: service ICMP (3501), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0 Firewall: block rule, id 268435458, drop Snort: processed decoder alerts or actions queue, drop NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall Snort Verdict: (black-list) black list this flow Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: drop Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
方案2. Prefilter分析与ACP允许规则
如果目标是允许信息包通过FTD横断,有需要增加在ACP的一个规则。动作可以是承认或委托哪些取决于目标(即,如果要适用L7检查您必须使用允许动作)如镜像所显示, :
在FTD喷鼻息引擎的被实施的策略:
# Start of AC rule. 268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any 268435458 deny any any any any any any any any (log dcforward flowstart) # End of AC rule.
在莉娜引擎中:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=1) 0xb788b786
验证工作情况
信息包跟踪程序表示,信息包在莉娜匹配规则268435460和268435461在喷鼻息引擎:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40 ... Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1 access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached … Phase: 14 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP AppID: service ICMP (3501), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0 Firewall: allow rule, id 268435461, allow NAP id 1, IPS id 0, Verdict PASS Snort Verdict: (pass-packet) allow this packet … Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
方案3. Prefilter分析与ACP信任规则
万一ACP包含信任规则然后如镜像所显示,您有此:
喷鼻息:
# Start of AC rule. 268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any 268435458 deny any any any any any any any any (log dcforward flowstart) # End of AC rule.
莉娜:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=2) 0xb788b786
切记,因为默认情况下SI被启用,信任规则配置作为对莉娜的许可证动作那么至少一些个信息包重定向打鼾检查的引擎。
验证工作情况
信息包跟踪程序表示,喷鼻息引擎Whitelists根本卸载对莉娜的信息包其余流:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40 ... Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1 access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached … Phase: 14 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP AppID: service ICMP (3501), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0 Firewall: trust/fastpath rule, id 268435461, allow NAP id 1, IPS id 0, Verdict WHITELIST Snort Verdict: (fast-forward) fast forward this flow … Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
方案4. Prefilter分析与ACP信任规则
在此方案中SI手工被禁用。
规则在喷鼻息配置如下:
# Start of AC rule. 268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any 268435458 deny any any any any any any any any (log dcforward flowstart) # End of AC rule.
在莉娜规则配置作为充分的信任。信息包必须虽则匹配许可证规则(请参阅ACE HIT计数)是配置的由于分析Prefilter规则,并且信息包由喷鼻息引擎检查:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=3) 0xb788b786 ... access-list CSM_FW_ACL_ line 13 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6 ... access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268435458 event-log flow-start (hitcnt=0) 0x97aa021a
验证工作情况
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40 ... Phase: 4 Type: ACCESS-LIST Subtype: log Result: ALLOW Config: access-group CSM_FW_ACL_ global access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1 access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1 Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached ... Phase: 14 Type: SNORT Subtype: Result: ALLOW Config: Additional Information: Snort Trace: Packet: ICMP AppID: service ICMP (3501), application unknown (0) Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0 Firewall: trust/fastpath rule, id 268435461, allow NAP id 1, IPS id 0, Verdict WHITELIST Snort Verdict: (fast-forward) fast forward this flow … Result: input-interface: INSIDE input-status: up input-line-status: up output-interface: OUTSIDE output-status: up output-line-status: up Action: allow
要点
- 分析动作在莉娜引擎配置,许可证规则。这有作为效果将转发的信息包打鼾检查的引擎
- 分析动作不配置在喷鼻息引擎,因此您的任何规则需要保证您配置在喷鼻息配比的ACP的一个规则
- 它取决于在喷鼻息引擎配置的ACP规则(块与允许与快速路径)无或所有或者一些个信息包由喷鼻息允许
请使用案件
- analyze动作用例是,当您安排一个清楚的快速路径规则在Prefilter策略和您要放置特定流的时一些例外,以便他们由喷鼻息检查
- 另外,喷鼻息检查暗示流没有被卸载到硬件(SmartNIC),但是由喷鼻息和莉娜处理
与打开附属连接的协议的FTD工作情况
有协议类似动态地协商和开放附属连接的FTP, SIP等。FTD独立地打开附属连接的针孔在2个级别:
- 莉娜引擎
- 喷鼻息引擎
另外,当喷鼻息打开针孔时它发信号莉娜打开同一个针孔,万一已经不是开放的。
使用协商的协议和您必须使用的开放附属连接请勿允许在ACP的动作和请使用信任。原因是那,因为需要检查一些个信息包的喷鼻息也打开针孔(编号取决于应用程序),在您打开针孔在喷鼻息级别前。如果使用信任动作,大多时代仅一些个信息包发送打鼾检查的引擎,并且流被卸载给在喷鼻息前的莉娜有时间检查协议协商阶段和打开需要的针孔在喷鼻息级别。结果是打开针孔的莉娜,但是打鼾切附属连接(即FTD数据信道)。
FTD规则指南
- 请使用Prefilter策略快速路径规则大fat流和为了通过机箱减少潜伏期
- 请使用Prefilter分块规则必须根据L3/L4情况阻塞的数据流
- 请使用ACP信任规则,如果要绕过许多喷鼻息检查,但是仍然利用功能类似身份策略, QoS, SI,应用程序检测, URL过滤
- 放置更加特定的规则在与使用的访问控制策略顶部这些指南
a. L3/L4在顶层的规则
b. L7规则下面(应用程序检测, URL过滤等)
c. 要求先进的喷鼻息检查的规则(闯入策略/文件策略)在策略的底部
- 避免额外的记录(日志起初或在末端和同时避免两个)
- 注意规则扩展,检查规则的数量在莉娜
firepower# show access-list | include elements access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
摘要
规则如何配置:
允许与信任
Related Information
反馈