已有帐户?

  •   个性化内容
  •   您的产品和支持

需要帐户?

创建帐户

澄清Firepower威胁防御访问控制策略规则操作

下载选项

  • PDF     (4.2 MB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (4.0 MB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (3.3 MB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2019 年 11 月 25 日
文档 ID:212321
关于翻译

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

      

    本文描述多种操作可用在Firepower威胁防御(FTD)访问控制策略(ACP)和Prefilter策略。此外,每操作的背景操作与其交互作用一起被检查与其它特性,如流卸载和打开附属连接的协议。

    先决条件

    要求

    Cisco 建议您了解以下主题:

    • 流卸载
    • 可适应安全工具(ASA)设备的数据包捕获
    • 在ASA设备的数据包跟踪程序

    使用的组件

    本文档中的信息基于以下软件和硬件版本:

    • Cisco Firepower 4110威胁防御版本6.2.2 (构建81)
    • Firepower管理中心(FMC)版本6.2.2 (构建81)

    本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。

    相关产品

    本文可以也与这些硬件和软件版本一起使用:

    • ASA5506-X, ASA5506W-X, ASA5506H-X, ASA5508-X, ASA5516-X
    • ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
    • FPR2100, FPR4100, FPR9300
    • VMware (ESXi),亚马逊网站服务(AW),基于内核的虚拟机(KVM)
    • 集成服务路由器(ISR)路由模块
    • FTD软件版本6.1.x和以后

    Note:FPR4100和FPR9300平台只支持流Offload。

    背景信息

    FTD是包括2个主要引擎的一个统一的软件镜像:

    • 莉娜引擎
    • 喷鼻息引擎

    此图显示2个引擎如何呼应:

    • 数据包进入入口接口,并且乘莉娜引擎处理
    • 如果它由FTD策略要求数据包乘喷鼻息引擎检查
    • 喷鼻息引擎返回一个判决(whitelist或黑名单)数据包的
    • 莉娜引擎丢弃或转发根据喷鼻息的判决的数据包

    ACP如何部署

    FTD策略在FMC配置,当箱外(远程)时管理使用或Firepower设备管理器(FDM),当使用时本地管理。在两种情况下, ACP部署如下:

    • 作为CSM_FW_ACL_被命名的全局访问控制表(ACL)对FTD莉娜引擎
    • 在/var/sf/detection_engines/UUID/ngfw.rules文件的访问控制(AC)规则对FTD喷鼻息引擎

    配置

    ACP联机操作

    FTD ACP包含一个或更多规则,并且每个规则能有一这些操作和如镜像所显示:

    • 准许
    • 信任
    • 监视器
    • 有重置的块
    • 交互块
    • 有重置的交互块

    同样地, Prefilter策略能包含一个或更多规则,并且可能行动在镜像显示:

    ACP和Prefilter策略如何呼应

    Prefilter策略在6.1版本和服务获得了介绍2个主要目的:

    1. 它允许FTD莉娜引擎检查外面IP报头通道流量的检查,当喷鼻息引擎检查内在IP报头时。特别地,在通道流量(即GRE)的情况下在Prefilter策略的规则在outerheaders总是操作,在ACP的规则总是可适用的对内部的会话时(内部头标)。通道流量是指这些协议:
    • GRE
    • IP在IP
    • IPv6-in-IP
    • Teredo端口3544
    1. 它提供如镜像所显示,允许流绕过完全喷鼻息引擎的早期的访问控制(EAC)。

    Prefilter规则在FTD部署作为L3/L4访问控制元素(ACE)如镜像所显示,和在ACP配置的L3/L4 ACE上被放置:

    Note:Prefilter v/s ACP规则=首先配比应用。

    ACP块操作

    考虑在镜像显示的拓扑:

    方案1.早莉娜丢弃

    ACP包含使用一个L4情况的分块规则(目的地端口TCP 80)如镜像所显示, :

    在喷鼻息的被实施的策略:

    268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    被实施的策略在莉娜。注意规则推送和拒绝操作:

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start (hitcnt=0) 0x6149c43c

    验证行为:

    当host-a (192.168.1.40)时设法打开HTTP会话到host-b (192.168.2.40) TCP请同步(SYN)数据包乘FTD莉娜引擎丢弃,无需到达喷鼻息引擎或目的地:

    firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 430 bytes]
  match ip host 192.168.1.40 any
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 0 bytes]
  match ip host 192.168.1.40 any

    firepower# show capture CAPI
   1: 11:08:09.672801  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
   2: 11:08:12.672435  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4063517 0>
   3: 11:08:18.672847  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4069517 0>
   4: 11:08:30.673610  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4081517 0>

    firepower# show capture CAPI packet-number 1 trace
   1: 11:08:09.672801  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
...

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L4 RULE: Rule1
Additional Information:   
                             <- No Additional Information = No Snort Inspection

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

    由于方案2.的丢弃打鼾判决

    ACP包含使用一个L7情况的分块规则(应用程序HTTP)如镜像所显示, :

    在喷鼻息的被实施的策略:

    268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (appid 676:1)

    Appid 676:1 = HTTP

    被实施的策略在莉娜。

    Note:规则推送作为permit操作,因为莉娜不能确定会话使用HTTP。在FTD应用程序检测机制在喷鼻息引擎方面。

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786

    对于使用应用程序作为情况的分块规则,实际数据包的trace显示会话由由于的莉娜丢弃打鼾引擎判决。

    Note:为了喷鼻息引擎能确定应用程序它必须检查一些数据包(依靠应用程序编码器)的通常3-10。因而一些数据包通过FTD允许,并且他们使它到目的地。允许数据包仍然是受根据访问策略>Advanced的入侵策略检查支配> ‘使用的入侵策略,在访问控制规则是确定的’选项前。

    验证行为:

    当host-a (192.168.1.40)时设法设立与host-b的HTTP会话(192.168.2.40)莉娜入口捕获显示:

    firepower# show capture CAPI

8 packets captured

   1: 11:31:19.825564  192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
   2: 11:31:19.826403  192.168.2.40.80 > 192.168.1.40.32790: S 1283931030:1283931030(0) ack 357753152 win 2896 <mss 1380,sackOK,timestamp 5449236 5450579>
   3: 11:31:19.826556  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>
   4: 11:31:20.026899  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450781 5449236>
   5: 11:31:20.428887  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5451183 5449236>
 ...

    出口捕获:

    firepower# show capture CAPO

5 packets captured

   1: 11:31:19.825869  192.168.1.40.32790 > 192.168.2.40.80: S 1163713179:1163713179(0) win 2920 <mss 1380,sackOK,timestamp 5450579 0>
   2: 11:31:19.826312  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
   3: 11:31:23.426049  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5452836 5450579>
   4: 11:31:29.426430  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5458836 5450579>
   5: 11:31:41.427208  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5470836 5450579>

    Trace显示第一数据包(TCP SYN)由喷鼻息允许,因为应用程序检测判决是待定的:

    firepower# show capture CAPI packet-number 1 trace
   1: 11:31:19.825564  192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
...

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23194, packet dispatched to next module
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 357753151
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    同样TCP SYN/ACK数据包:

    firepower# show capture CAPO packet-number 2 trace
   2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
…

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow
…

Phase: 5
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, ACK, seq 1283931030, ack 357753152
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

    喷鼻息在检查第三数据包以后返回丢弃判决:

    firepower# show capture CAPI packet-number 3 trace
   3: 11:31:19.826556  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow

Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, ACK, seq 357753152, ack 1283931031
AppID: service HTTP (676), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
Firewall: block rule, id 268435461, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor

    您能从FTD CLISH模式也运行system命令支持trace。此工具提供2个功能:

    • 显示每数据包的喷鼻息判决,当在莉娜发送到数据收集库(DAQ)并且被看到。DAQ是组件查找在FTD莉娜引擎和喷鼻息引擎之间
    • 准许同时运行系统支持防火墙引擎调试发现什么在喷鼻息引擎内发生

    这是输出:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 2620409313
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 New session
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, ACK, seq 3700371680, ack 2620409314
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, ACK, seq 2620409314, ack 3700371681
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 676, payload 0, client 686, misc 0, user 9999997, url http://192.168.2.40/128k.html, xff
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 match rule order 2, 'Rule1', action Block
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 deny action
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: block rule, 'Rule1', drop
192.168.1.40-32791 > 192.168.2.40-80 6 Snort: processed decoder alerts or actions queue, drop
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Deleting session
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict BLACKLIST
192.168.1.40-32791 > 192.168.2.40-80 6 ===> Blocked by Firewall

    摘要

    • 部署的ACP块操作获得,因为或者permit或在取决于规则调节的莉娜拒绝规则
    • 如果条件是L3/L4那么莉娜阻塞数据包。在TCP的情况下第一数据包(TCP SYN)阻塞
    • 如果条件是L7那么数据包转发到进一步检查的喷鼻息引擎。在TCP的情况下,一些数据包通过FTD允许,直到喷鼻息作出判决。允许数据包仍然是受根据访问策略>Advanced的入侵策略检查支配> ‘使用的入侵策略,在访问控制规则是确定的’选项前。

      

    ACP允许操作

    方案1. ACP允许操作(L3/L4情况)

    通常,您会配置允许规则指定另外的检验类似入侵策略和文件策略。在此处此第一个方案中,当L3/L4情况应用时,被展示允许规则的操作。

    如镜像所显示,考虑此拓扑:

    如镜像所显示,此策略应用:

    在喷鼻息的被实施的策略。注意规则部署作为允许操作:

    # Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    策略在莉娜。 

    Note:规则部署,当根本含义重定向为进一步检查打鼾的permit操作。

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=1) 0x641a20c3

    为了看到匹配允许规则的流如何由那里FTD处理请是一些个方式:

    • 验证喷鼻息统计信息
    • 使用使用系统支持请跟踪CLISH工具
    • 使用使用捕获与trace在莉娜和或者与捕获流量在喷鼻息引擎方面

    莉娜捕获与喷鼻息捕获流量:

    验证行为:

    清除喷鼻息统计信息,启用从CLISH的系统支持trace并且启动从host-a的一个HTTP流(192.168.1.40)对host-b (192.168.2.40)。所有数据包转发到喷鼻息引擎并且由喷鼻息获得PASS判决:

    firepower# clear snort statistics
    > system support trace

Please specify an IP protocol:
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, seq 361134402
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, ACK, seq 1591434735, ack 361134403
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, ACK, seq 361134403, ack 1591434736
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS

    喷鼻息统计信息反射上述喷鼻息PASS判决:

    > show snort statistics

Packet Counters:
  Passed Packets                                           54
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0
...

    合格数据包=乘喷鼻息引擎检查

    方案2. ACP允许操作(L3-7情况)

    当允许规则部署如下时,相似的行为被看到。

    如镜像所显示的仅一个L3/L4条件:

    一个L7条件(即入侵策略、文件策略,应用程序等)如镜像所显示:

    摘要

    为了汇总,这是流如何由在FP4100/9300部署的FTD处理如镜像所显示时,当允许规则匹配:

    Note:管理输入-输出(减少)是火力机箱的Supervisor引擎。

    方案3.喷鼻息快速转发判决与准许

    有FTD喷鼻息引擎给WHITELIST判决(快速转发)的特定方案,并且流的其余被卸载到莉娜引擎(在某些情况下然后被卸载对HW Accelarator - SmartNIC)。即:

    1. 与信任操作的访问控制策略
    2. 没有配置的SSL策略的SSL流量
    3. FILE检测策略
    4. 智能应用程序bypass(IAB)

    以上可以形象化对:

    或者在某些情况下对:

    要点

    • 允许规则在喷鼻息在莉娜部署和准许并且允许
    • 在大多数情况下,会话的所有数据包转发打鼾另外的检查的引擎

    请使用案件 

    当您乘喷鼻息引擎需要L7检查例如时,您会配置允许规则:

    • 入侵策略
    • 文件策略

    ACP信任操作

    方案1. ACP信任操作(L3/L4情况)

    如果不要运用任何L7操作在喷鼻息级别(即入侵策略、文件策略、应用程序检测、URL过滤,安全智能等)那么在您的规则推荐使用信任操作。

    如镜像所显示,考虑拓扑:

    如镜像所显示,此策略应用:

    信任规则,在FTD喷鼻息引擎方面部署:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    Note:第6是协议(TCP)。

    在FTD莉娜的规则:

    access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=0) 0x641a20c3

      

    验证行为:

    启动从host-a的HTTP会话(192.168.1.40)对host-b (192.168.2.40),当您运行系统支持trace CLI工具时。只有转发打鼾引擎的一数据包(TCP SYN)。喷鼻息引擎发送给莉娜根本卸载流其余对莉娜的WHITELIST判决:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages


Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 69186463
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST

    莉娜捕获显示流哪些通过它:

    > show capture CAPI

29 packets captured

   1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
   2: 19:14:29.215549 192.168.2.40.80 > 192.168.1.40.32791: S 413254738:413254738(0) ack 69186464 win 2896 <mss 1380,sackOK,timestamp 3137895 3139222>
   3: 19:14:29.215687 192.168.1.40.32791 > 192.168.2.40.80: P 69186464:69186662(198) ack 413254739 win 2920 <nop,nop,timestamp 3139223 3137895>
   4: 19:14:29.216038 192.168.2.40.80 > 192.168.1.40.32791: . 413254739:413256107(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
   5: 19:14:29.216053 192.168.2.40.80 > 192.168.1.40.32791: P 413256107:413257475(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
   6: 19:14:29.216144 192.168.1.40.32791 > 192.168.2.40.80: . ack 413257475 win 2736 <nop,nop,timestamp 3139224 3137896>
   7: 19:14:29.216251 192.168.2.40.80 > 192.168.1.40.32791: P 413257475:413258843(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139224>
…

    当您跟踪第一数据包时,您能看到WHITELIST判决:

    firepower# show capture CAPI packet-number 1 trace
   1: 19:14:29.214817  192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 69186463
AppID: service unknown (0), application unknown (0)
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow

    对于流(即TCP SYN/ACK)的其余您看到:

    firepower# show capture CAPO packet-number 2 trace
   2: 19:14:29.215503  192.168.2.40.80 > 192.168.1.40.32791: S 60351089:60351089(0) ack 1577779944 win 2896 <mss 1460,sackOK,timestamp 3137895 3139222>
…
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 25353, using existing flow

Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

    喷鼻息统计信息确认此:

    > show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      1
  Blacklisted Flows                                         0
...                               0

    喷鼻息级别捕获也确认此:

    > capture-traffic

Please choose domain to capture traffic from:
  0 - management0
  1 - Router

Selection? 1

Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n
19:04:17.429711 IP 192.168.1.40.32791 > 192.168.2.40.80: Flags [S], seq 69186463, win 2920, options [mss 1380,sackOK,TS val 2527484 ecr 0], length 0

    提示:‘n’参数不转换IP地址对名称。

    方案2. ACP信任操作(L7情况)

    如镜像所显示,认为此ACP规则:

    规则,在FTD喷鼻息引擎方面部署:

    268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (appid 676:1)

    在FTD莉娜的规则:

    access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786

    验证行为

    启动从host-a的HTTP会话(192.168.1.40)对host-b (192.168.2.40),当您运行系统支持trace CLI工具时。有被发送打鼾引擎和获得PASS判决的一些数据包(2在这种情况下),当AppID是待定的时。在喷鼻息以后确定寄WHITELIST判决给莉娜的应用程序,并且流的其余由莉娜处理:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages


Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, seq 3970971741
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, ACK, seq 18638120, ack 3970971742
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, ACK, seq 3970971742, ack 18638121
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/16k.html
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST

    莉娜捕获显示数据包# 3有HTTP GET方法:

    firepower# show capture CAPI dump
   1: 11:24:38.895888       192.168.1.40.32836 > 192.168.2.40.80: S 3970971741:3970971741(0) win 2920 <mss 1460,sackOK,timestamp 320516154 0>
0x0000   2c33 118d 570e 00c0 a801 2800 0800 4500        ,3..W.....(...E.
0x0010   0038 c03d 0000 4006 35e2 c0a8 0128 c0a8        .8.=..@.5....(..
0x0020   0228 8044 0050 ecb0 385d 0000 0000 9002        .(.D.P..8]......
0x0030   0b68 630e 0000 0204 05b4 0402 080a 131a        .hc.............
0x0040   b03a 0000 0000                                 .:....
   2: 11:24:38.896682       192.168.2.40.80 > 192.168.1.40.32836: S 18638120:18638120(0) ack 3970971742 win 2896 <mss 1380,sackOK,timestamp 320514827 320516154>
0x0000   00c0 a801 2800 2c33 118d 570e 0800 4500        ....(.,3..W...E.
0x0010   0038 1d1e 0000 4006 d901 c0a8 0228 c0a8        .8....@......(..
0x0020   0128 0050 8044 011c 6528 ecb0 385e 9012        .(.P.D..e(..8^..
0x0030   0b50 3efb 0000 0204 0564 0402 080a 131a        .P>......d......
0x0040   ab0b 131a b03a                                 .....:
   3: 11:24:38.896849       192.168.1.40.32836 > 192.168.2.40.80: P 3970971742:3970971940(198) ack 18638121 win 2920 <nop,nop,timestamp 320516155 320514827>
0x0000   2c33 118d 570e 00c0 a801 2800 0800 4500        ,3..W.....(...E.
0x0010   00fa c03e 0000 4006 351f c0a8 0128 c0a8        ...>..@.5....(..
0x0020   0228 8044 0050 ecb0 385e 011c 6529 8018        .(.D.P..8^..e)..
0x0030   0b68 0f62 0000 0101 080a 131a b03b 131a        .h.b.........;..
0x0040   ab0b 4745 5420 2f31 366b 2e68 746d 6c20        ..GET /16k.html
0x0050   4854 5450 2f31 2e30 0d0a 486f 7374 3a20        HTTP/1.0..Host:
    ...

    喷鼻息统计信息确认在上面:

    > show snort statistics

Packet Counters:
  Passed Packets                                            2
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      1
  Blacklisted Flows                                         0
...

    在如镜像所显示,在FP4100/9300设备方案1和2的运行可以形象化的FTD :

    方案3. ACP信任操作(与禁用的SI的L3/L4)

    万一希望FTD运用安全智能(SI)检查到SI已经启用在ACP级别,并且的所有流您能指定SI来源(TALOS、源,列表等)。另一方面,万一要禁用它,您禁用网络的URL的SI全局每ACP, DNS的SI和SI。如镜像所显示,网络和URL的SI禁用:

    在这种情况下信任规则在莉娜被部署作为全双工信任:

    > show access-list
    ...    
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6

    Note:和从6.2.2 FTD支持TID。TID工作用方式类似于SI,然而,万一SI禁用,它“不强制’数据包重定向打鼾TID检查的引擎。

    验证行为

    启动从host-a的HTTP会话(192.168.1.40)对host-b (192.168.2.40)。因为这FP4100和支持流请卸载在这些事发生的硬件方面:

    • 一些数据包通过FTD莉娜引擎转发,并且流的其余被卸载对SmartNIC (HW加速器)
    • 数据包没有转发打鼾引擎

    FTD莉娜连接表显示标志“o’哪含义流被卸载了对HW。并且请注释缺乏“N’标志。这根本不含义‘喷鼻息重定向’ :

    firepower# show conn
1 in use, 15 most used

TCP OUTSIDE  192.168.2.40:80 INSIDE  192.168.1.40:32809, idle 0:00:00, bytes 949584, flags UIOo

    喷鼻息统计信息显示仅操作日志事件起初和在会话结束时:

    firepower# show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0

Miscellaneous Counters:
  Start-of-Flow events                                      1
  End-of-Flow events                                        1

    FTD莉娜日志为那里每会话显示那是2个流(一每个每个方向)被卸载对HW :

    Sep 27 2017 20:16:05: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Sep 27 2017 20:16:05: %ASA-6-302013: Built inbound TCP connection 25384 for INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-302014: Teardown TCP connection 25384 for INSIDE:192.168.1.40/32809 to OUTSIDE:192.168.2.40/80 duration 0:00:00 bytes 1055048 TCP FINs
Sep 27 2017 20:16:05: %ASA-7-609002: Teardown local-host INSIDE:192.168.1.40 duration 0:00:00

    在如镜像所显示,在FP4100/9300设备方案1和2的运行可以形象化的FTD :

    请使用案件

    • 您必须使用信任操作,当您希望仅一些数据包由喷鼻息引擎(即应用程序检测, SI检查)时和将被卸载的流的其余检查对莉娜引擎
    • 如果使用在FP4100/9300的FTD并且希望流完全绕过喷鼻息检查然后认为与快速路径操作的Prefilter规则(请参阅在本文的相关部分)
    • 请勿使用信任操作开放附属连接的协议(即FTP, SIP等),但是使用提供操作(请参阅在本文的相关部分)

    Prefilter策略块操作

    如镜像所显示,考虑拓扑:

    如镜像所显示,也考虑策略:

    这是被实施的策略在FTD喷鼻息引擎(ngfw.rules文件)方面:

    # Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268437506 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (tunnel -1

    在莉娜:

    access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start (hitcnt=0) 0x76476240

    当您跟踪一虚拟数据包时,显示数据包由莉娜丢弃和从未转发打鼾:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: Prefilter1
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

    喷鼻息统计信息显示:

    firepower# show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0

Miscellaneous Counters:
  Start-of-Flow events                                      0
  End-of-Flow events                                        0
  Denied flow events                                        1

    莉娜ASP丢包显示:

    firepower# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                1

    请使用案件

    当您要阻塞流量根据L3/L4情况和,不用需要执行所有喷鼻息检查到流量时,您能使用Prefilter分块规则。

    Prefilter策略快速路径操作

    如镜像所显示,认为Prefilter策略规则:

    这是被实施的策略在FTD喷鼻息引擎方面:

    268437506 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6  (tunnel -1)

    在FTD莉娜中:

    access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced trust tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268437506 event-log flow-end (hitcnt=0) 0xf3410b6f

    验证行为

    当host-a (192.168.1.40)时设法打开HTTP会话到host-b (192.168.2.40)一些数据包通过莉娜,并且其余被卸载对SmartNIC。在这种情况下“系统支持trace’与启用的防火墙引擎调试显示:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

192.168.1.40-32840 > 192.168.2.40-80 6 AS 1 I 8 Got end of flow event from hardware with flags 04000000


    莉娜日志显示被卸载的流:

    Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host OUTSIDE:192.168.2.40
Oct 01 2017 14:36:51: %ASA-6-302013: Built inbound TCP connection 966 for INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32840 (192.168.1.40/32840)


    莉娜捕获显示经历8的数据包:

    firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40

    firepower# show capture CAPI

8 packets captured

   1: 14:45:32.700021  192.168.1.40.32842 > 192.168.2.40.80: S 3195173118:3195173118(0) win 2920 <mss 1460,sackOK,timestamp 332569060 0>
   2: 14:45:32.700372  192.168.2.40.80 > 192.168.1.40.32842: S 184794124:184794124(0) ack 3195173119 win 2896 <mss 1380,sackOK,timestamp 332567732 332569060>
   3: 14:45:32.700540  192.168.1.40.32842 > 192.168.2.40.80: P 3195173119:3195173317(198) ack 184794125 win 2920 <nop,nop,timestamp 332569060 332567732>
   4: 14:45:32.700876  192.168.2.40.80 > 192.168.1.40.32842: . 184794125:184795493(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
   5: 14:45:32.700922  192.168.2.40.80 > 192.168.1.40.32842: P 184795493:184796861(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
   6: 14:45:32.701425  192.168.2.40.80 > 192.168.1.40.32842: FP 184810541:184810851(310) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569061>
   7: 14:45:32.701532  192.168.1.40.32842 > 192.168.2.40.80: F 3195173317:3195173317(0) ack 184810852 win 2736 <nop,nop,timestamp 332569061 332567733>
   8: 14:45:32.701639  192.168.2.40.80 > 192.168.1.40.32842: . ack 3195173318 win 2697 <nop,nop,timestamp 332567734 332569061>


    FTD流卸载统计信息显示22数据包被卸载对HW :

    firepower# show flow-offload statistics
 Packet stats of port : 0
        Tx Packet count                  :               22
        Rx Packet count                  :               22
        Dropped Packet count             :                0
        VNIC transmitted packet          :               22
        VNIC transmitted bytes           :            15308
        VNIC Dropped packets             :                0
        VNIC erroneous received          :                0
        VNIC CRC errors                  :                0
        VNIC transmit failed             :                0
        VNIC multicast received          :                0

    您能也使用‘显示流卸载流’命令发现另外相关的信息到被卸载的流。示例如下:

    firepower# show flow-offload flow
    Total offloaded flow stats: 2 in use, 4 most used, 20% offloaded, 0 collisions
    TCP intfc 103 src 192.168.1.40:39301 dest 192.168.2.40:20, static, timestamp 616063741, packets 33240, bytes 2326800
    TCP intfc 104 src 192.168.2.40:20 dest 192.168.1.40:39301, static, timestamp 616063760, packets 249140, bytes 358263320
    firepower# show conn
    5 in use, 5 most used
    Inspect Snort:
            preserve-connection: 1 enabled, 0 in effect, 4 most enabled, 0 most in effect

    TCP OUTSIDE  192.168.2.40:21 INSIDE  192.168.1.40:40988, idle 0:00:00, bytes 723, flags UIO
    TCP OUTSIDE  192.168.2.40:21 INSIDE  192.168.1.40:40980, idle 0:02:40, bytes 1086, flags UIO
    TCP OUTSIDE  192.168.2.40:80 INSIDE  192.168.1.40:49442, idle 0:00:00, bytes 86348310, flags UIO N1
    TCP OUTSIDE  192.168.2.40:20 INSIDE  192.168.1.40:39301, idle 0:00:00, bytes 485268628, flags Uo <- offloaded flow
    TCP OUTSIDE  192.168.2.40:20 INSIDE  192.168.1.40:34713, idle 0:02:40, bytes 821799360, flags UFRIO
    • 百分比根据‘show conn’输出。例如,如果5 conns总共通过FTD莉娜引擎的,并且然后卸载1他们20%将报告如被卸载
    • 被卸载的会话最大限制取决于软件版本(即ASA 9.8.3和FTD 6.2.3支持4百万个双向(或8百万单向)被卸载的流)
    • 万一被卸载的流数量达到限制(即4百万双向流)不会卸载新连接,直到现有连接从被卸载的表删除


    为了看到在通过FTD的FP4100/9300的所有数据包(被卸载+莉娜)那里是需要启用捕获在机箱级如镜像所显示:

    机箱底板捕获显示两个方向。由于FXO捕获体系结构(每个方向2捕获点)如镜像所显示,每数据包两次显示:

    基于在上面:

    • 信息包总数通过FTD :30
    • 数据包通过FTD莉娜:8
    • 数据包被卸载对SmartNIC HW加速器:22

    请使用案件 

    • 当您要绕过完全喷鼻息检查时,请使用Prefilter快速路径操作。您典型地要为您委托类似备份的大fat流,数据库转移等执行此
    • 在FP4100/9300设备上快速路径操作触发流卸载,并且仅一些数据包通过FTD莉娜引擎。其余由减小延迟的SmartNIC处理

    Prefilter策略快速路径操作(线型设置)

    万一Prefilter策略快速路径操作在通过的流量应用线型设置(NGIPS接口)应该考虑到下列问题:

    • 规则将应用到莉娜引擎作为信任操作
    • 流不会乘喷鼻息引擎检查
    • 流卸载(HW加速度)不会发生,因为流卸载不是可适用的在NGIPS接口

    这是数据包踪迹的示例在Prefilter在应用的快速路径操作的情况下线型设置:

    firepower# packet-tracer input inside tcp 192.168.1.40 12345 192.168.1.50 80 detailed

Phase: 1
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied
Forward Flow based lookup yields rule:
in id=0x2ad7ac48b330, priority=501, domain=ips-mode, deny=false
hits=2, user_data=0x2ad80d54abd0, cs_id=0x0, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.168.1.0 object 192.168.1.0 rule-id 268438531 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268438531: PREFILTER POLICY: PF1
access-list CSM_FW_ACL_ remark rule-id 268438531: RULE: 1
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2ad9f9f8a7f0, priority=12, domain=permit, trust
hits=1, user_data=0x2ad9b23c5d40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, ifc=any
dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 3
Type: NGIPS-EGRESS-INTERFACE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Ingress interface inside is in NGIPS inline mode.
Egress interface outside is determined by inline-set configuration

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Module information for forward flow ...
snp_fp_ips_tcp_state_track_lite
snp_fp_ips_mode_adj
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_ips_tcp_state_track_lite
snp_fp_ips_mode_adj
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow

    以上可以形象化如下:

    Prefilter策略分析操作

    方案1. Prefilter分析与ACP分块规则

    考虑如镜像所显示,包含分析规则的Prefilter策略:

    ACP包含如镜像所显示,设置阻塞所有流量仅的默认规则:

    这是被实施的策略在FTD喷鼻息引擎(ngfw.rules文件)方面:

    # Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268435460 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (tunnel -1)
268435459 allow any any  1025-65535 any any  3544 any 17  (tunnel -1)
268435459 allow any any  3544 any any  1025-65535 any 17  (tunnel -1)
268435459 allow any any  any any any  any any 47  (tunnel -1)
268435459 allow any any  any any any  any any 41  (tunnel -1)
268435459 allow any any  any any any  any any 4  (tunnel -1)
# End of tunnel and priority rules.
# Start of AC rule.
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    这是被实施的策略在FTD莉娜引擎方面:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=0) 0xb788b786

    验证行为

    为了用数据包追踪器测试,它显示数据包由莉娜允许,转发打鼾引擎(由于允许操作),并且喷鼻息引擎返回判决,因为从AC的默认操作匹配。

    Note:喷鼻息不评估根据通道规则的流量

    当您跟踪数据包时显示同样:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

…
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: block rule, id 268435458, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor

    方案2. Prefilter分析与ACP允许规则

    如果目标是允许数据包通过FTD横断,有需要添加每在ACP的规则。操作可以是承认或委托哪些取决于目标(即,如果要应用L7检查您必须使用允许操作)如镜像所显示, :

    被实施的策略在FTD喷鼻息引擎方面:

    # Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    在莉娜引擎中:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=1) 0xb788b786

    验证行为

    数据包追踪器显示数据包匹配规定268435460在莉娜和268435461在喷鼻息引擎方面:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: allow rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    方案3. Prefilter分析与ACP信任规则

    万一ACP包含信任规则然后如镜像所显示,您有此:

    喷鼻息:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    莉娜:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=2) 0xb788b786

    切记那,因为SI启用默认情况下,信任规则部署作为在莉娜的permit操作那么至少一些数据包重定向打鼾检查的引擎。

    验证行为

    数据包追踪器显示喷鼻息引擎Whitelists根本卸载对莉娜的数据包其余流:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    方案4. Prefilter分析与ACP信任规则

    在此方案中SI手工禁用。

    规则在喷鼻息部署如下:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    在莉娜规则部署作为全双工信任。数据包必须虽则匹配permit规则(请参阅ACE点击统计)是部署的由于分析Prefilter规则,并且数据包乘喷鼻息引擎检查:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=3) 0xb788b786
...
access-list CSM_FW_ACL_ line 13 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6
...
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268435458 event-log flow-start (hitcnt=0) 0x97aa021a

    验证行为

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow


    要点

    • 分析操作在莉娜引擎方面部署, permit规则。这有作为效果将转发的数据包打鼾检查的引擎
    • 分析操作不部署在喷鼻息引擎,因此您的任何规则需要保证您配置在喷鼻息配比在ACP的一个规则
    • 它取决于在喷鼻息引擎方面部署的ACP规则(允许快速路径)无或所有或者一些数据包由喷鼻息允许

    请使用案件

    • analyze操作用例是,当您安排一个清楚的快速路径规则在Prefilter策略和您要放置特定流的时一些例外,以便他们由喷鼻息检查
    • 另外,喷鼻息检查暗示流没有被卸载到硬件(SmartNIC),但是由喷鼻息和莉娜处理

    与打开附属连接的协议的FTD行为

    有协议类似动态地协商和开放附属连接的FTP, SIP等。FTD独立地打开附属连接的针孔在2个级别:

    • 莉娜引擎
    • 喷鼻息引擎

    另外,当喷鼻息打开针孔时它发信号莉娜打开同一个针孔,万一已经不是开放的。

    使用协商的协议和您必须使用的开放附属连接请勿允许在ACP的操作和请使用信任。原因是那,因为需要检查一些数据包的喷鼻息也打开针孔(编号取决于应用程序),在您打开针孔在喷鼻息级别前。如果使用一信任操作,大多时代仅一些数据包被发送打鼾检查的引擎,并且流被卸载给在喷鼻息前的莉娜有时间检查协议协商相位和打开需要的针孔在喷鼻息级别。结果是打开针孔的莉娜,但是打鼾切附属连接(即FTD数据信道)。

    Note:对于要求的协议FTD将打开的针孔保证ACP规则匹配应用程序。
     如果规则使用一个协议端口,情况喷鼻息引擎然后不会打开一个针孔和流类似FTD数据将由FTD丢弃

    FTD规则指南

    • 请使用Prefilter策略快速路径规则大fat流和为了通过方框减小延迟
    • 请使用Prefilter分块规则必须根据L3/L4情况阻塞的流量
    • 请使用ACP信任规则是否要绕过许多喷鼻息检查,但是仍然利用功能类似标识策略, QoS, SI,应用程序检测, URL过滤
    • 放置影响防火墙性能在与使用的访问控制策略顶部这些指南的规则:
    1. 分块规则(层1-4) - Prefilter块
    2. 允许规则(层1-4) - Prefilter快速路径
    3. ACP分块规则(层1-4)
    4. 信任规定(层1-4)
    5. 分块规则(层5-7 -应用程序检测, URL过滤)
    6. 允许规则(层1-7 -应用程序检测、URL过滤、入侵策略/文件策略)
    7. 分块规则(默认规则)

    欲了解更详细的信息请检查以下文档:

    NGFW策略运算顺序

    • 避免额外的记录日志(日志起初或在末端和同时避免两个)
    • 注意规则扩展,检查规则数量在莉娜
    firepower# show access-list | include elements
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3

       

    摘要

    规则如何部署:

    允许与信任

    Note:和从动态流卸载的6.3 FTD软件代码能卸载满足另外的标准包括委托数据包要求喷鼻息检查的连接。检查从Firepower管理中心配置指南的‘卸载大连接(流)欲了解更详细的信息’部分

    相关信息

    TAC Authored

    由思科工程师提供

    • Mikis Zafeiroudis
      Cisco TAC工程师
    • Veronika Klauzova
      Cisco TAC工程师

    此文档是否有帮助?

    Feedback反馈

    联系我们

    相关的思科社区讨论

    本文档适用于以下产品