已有帐户?

  •   个性化内容
  •   您的产品和支持

需要帐户?

创建帐户

澄清Firepower威胁防御访问控制策略规则动作

下载选项

  • PDF     (2.4 MB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (2.2 MB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (1.4 MB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2018 年 12 月 12 日
文档 ID:212321
关于翻译

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    Introduction

      

    本文描述多种动作可用在Firepower威胁防御(FTD)访问控制策略(ACP)和Prefilter策略。此外,每个动作的背景操作与其交互作用一起被检查与其它功能,如流卸载和打开附属连接的协议。

    Prerequisites

    Requirements

    Cisco 建议您了解以下主题:

    • 流卸载
    • 在可适应的安全工具(ASA)工具上的信息包获取
    • 在ASA工具上的信息包跟踪程序

    Components Used

    本文档中的信息基于以下软件和硬件版本:

    • Cisco Firepower 4110威胁防御版本6.2.2 (修造81)
    • Firepower管理中心(FMC)版本6.2.2 (修造81)

    The information in this document was created from the devices in a specific lab environment.All of the devices used in this document started with a cleared (default) configuration.如果您的网络实际,请保证您了解所有命令的潜在影响。

    相关产品

    本文可以也与这些一起使用硬件和软件版本:

    • ASA5506-X, ASA5506W-X, ASA5506H-X, ASA5508-X, ASA5516-X
    • ASA5512-X, ASA5515-X, ASA5525-X, ASA5545-X, ASA5555-X
    • FPR2100, FPR4100, FPR9300
    • VMware (ESXi),亚马逊网站服务(AW),基于内核的虚拟机(KVM)
    • 综合服务路由器(ISR)路由模块
    • FTD软件版本6.1.x和以后

    Note:FPR4100和FPR9300平台只支持流Offload。

    背景信息

    FTD是包括2个主要引擎的一个统一的软件镜像:

    • 莉娜引擎
    • 喷鼻息引擎

    此图显示2个引擎如何呼应:

    • 信息包进入入口接口,并且由莉娜引擎处理
    • 如果FTD策略需要它信息包由喷鼻息引擎检查
    • 喷鼻息引擎返回一个判决(whitelist或黑名单)信息包的
    • 莉娜引擎丢弃或转发根据喷鼻息的判决的信息包

    ACP如何配置

    FTD策略在FMC被配置,当箱外(远程)时管理使用或Firepower设备管理器(FDM),当使用时本地管理。在两种情况下, ACP配置如下:

    • 作为CSM_FW_ACL_被命名的全局访问控制表(ACL)对FTD莉娜引擎
    • 在/var/sf/detection_engines/UUID/ngfw.rules文件的访问控制(AC)规则对FTD喷鼻息引擎

    Configure

    ACP可用的动作

    FTD ACP包含一个或更多规则,并且每个规则能有一这些动作和如镜像所显示:

    • 准许
    • 信任
    • 监控程序
    • 与重置的块
    • 交互块
    • 与重置的交互块

    同样地, Prefilter策略能包含一个或更多规则,并且可能行动在镜像显示:

    ACP和Prefilter策略如何呼应

    Prefilter策略在6.1版本和服务获得了介绍2个主要目的:

    1. 它允许FTD莉娜引擎检查外面IP头隧道流量的检查,当喷鼻息引擎检查内在IP头时。特别地,在隧道流量(即GRE)的情况下在Prefilter策略的规则在outerheaders总是操作,在ACP的规则总是可适用的对内部的会话时(内部头标)。隧道流量是指这些协议:
    • GRE
    • IP在IP
    • IPv6-in-IP
    • 凿船虫端口3544
    1. 它提供如镜像所显示,允许流完全地绕过喷鼻息引擎的早期的访问控制(EAC)。

    Prefilter规则在FTD配置作为L3/L4访问控制元素(ACE)如镜像所显示,和在ACP被配置的L3/L4 ACE上被放置:

    Note:Prefilter v/s ACP规则=首先配比适用。

    ACP块动作

    考虑在镜像显示的拓扑:

    方案1.早莉娜丢弃

    ACP包含使用一个L4情况的一个分块规则(目的地端口TCP 80)如镜像所显示, :

    在喷鼻息的被实施的策略:

    268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    被实施的策略在莉娜。注意规则被推进和拒绝动作:

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start (hitcnt=0) 0x6149c43c

    验证工作情况:

    当host-A (192.168.1.40)时设法对host-B (192.168.2.40)开始HTTP会话TCP请同步(SYN)信息包由FTD莉娜引擎丢弃,无需到达喷鼻息引擎或目的地:

    firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 430 bytes]
  match ip host 192.168.1.40 any
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 0 bytes]
  match ip host 192.168.1.40 any

    firepower# show capture CAPI
   1: 11:08:09.672801  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
   2: 11:08:12.672435  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4063517 0>
   3: 11:08:18.672847  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4069517 0>
   4: 11:08:30.673610  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4081517 0>

    firepower# show capture CAPI packet-number 1 trace
   1: 11:08:09.672801  192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
...

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L4 RULE: Rule1
Additional Information:   
                             <- No Additional Information = No Snort Inspection

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

    由于方案2.的丢弃打鼾判决

    ACP包含使用一个L7情况的一个分块规则(应用程序HTTP)如镜像所显示, :

    在喷鼻息的被实施的策略:

    268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (appid 676:1)

    Appid 676:1 = HTTP

    被实施的策略在莉娜。

    Note:规则被推进作为许可证动作,因为莉娜不能确定会话使用HTTP。在FTD应用程序检测机制在喷鼻息引擎。

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786

    对于使用应用程序作为情况的分块规则,一个实际信息包的跟踪表示,会话由由于的莉娜下降打鼾引擎判决。

    Note:为了喷鼻息引擎能确定应用程序它必须检查一些个信息包(依靠应用程序译码器)的通常3-10。因而一些个信息包通过FTD允许,并且他们使它到目的地。允许的信息包仍然是受根据访问策略>Advanced的闯入策略检查支配> ‘使用的闯入策略,在访问控制规则是确定的’选项前。

    验证工作情况:

    当host-A (192.168.1.40)时设法设立与host-B (192.168.2.40)的HTTP会话莉娜入口捕获显示:

    firepower# show capture CAPI

8 packets captured

   1: 11:31:19.825564  192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
   2: 11:31:19.826403  192.168.2.40.80 > 192.168.1.40.32790: S 1283931030:1283931030(0) ack 357753152 win 2896 <mss 1380,sackOK,timestamp 5449236 5450579>
   3: 11:31:19.826556  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>
   4: 11:31:20.026899  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450781 5449236>
   5: 11:31:20.428887  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5451183 5449236>
 ...

    出口捕获:

    firepower# show capture CAPO

5 packets captured

   1: 11:31:19.825869  192.168.1.40.32790 > 192.168.2.40.80: S 1163713179:1163713179(0) win 2920 <mss 1380,sackOK,timestamp 5450579 0>
   2: 11:31:19.826312  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
   3: 11:31:23.426049  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5452836 5450579>
   4: 11:31:29.426430  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5458836 5450579>
   5: 11:31:41.427208  192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5470836 5450579>

    跟踪表示,第一个信息包(TCP SYN)由喷鼻息允许,因为应用程序检测判决是待定的:

    firepower# show capture CAPI packet-number 1 trace
   1: 11:31:19.825564  192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
...

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23194, packet dispatched to next module
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 357753151
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    同样TCP SYN/ACK信息包:

    firepower# show capture CAPO packet-number 2 trace
   2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
…

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow
…

Phase: 5
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, ACK, seq 1283931030, ack 357753152
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow

    喷鼻息在检查第三个信息包以后返回丢弃判决:

    firepower# show capture CAPI packet-number 3 trace
   3: 11:31:19.826556  192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow

Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, ACK, seq 357753152, ack 1283931031
AppID: service HTTP (676), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
Firewall: block rule, id 268435461, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor

    您能从FTD CLISH模式也运行system命令支持跟踪。此工具提供2个功能:

    • 显示每个信息包的喷鼻息判决,当在莉娜被发送到数据收集库(DAQ)并且被看到。DAQ是组件设置在FTD莉娜引擎和喷鼻息引擎之间
    • 准许同时运行系统支持防火墙引擎调试发现什么在喷鼻息引擎内发生

    这是输出:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 2620409313
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 New session
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, ACK, seq 3700371680, ack 2620409314
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, ACK, seq 2620409314, ack 3700371681
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 676, payload 0, client 686, misc 0, user 9999997, url http://192.168.2.40/128k.html, xff
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 match rule order 2, 'Rule1', action Block
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 deny action
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: block rule, 'Rule1', drop
192.168.1.40-32791 > 192.168.2.40-80 6 Snort: processed decoder alerts or actions queue, drop
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Deleting session
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict BLACKLIST
192.168.1.40-32791 > 192.168.2.40-80 6 ===> Blocked by Firewall

    摘要

    • 配置的ACP块动作获得,因为或者许可证或在取决于规则调节的莉娜拒绝规则
    • 如果条件是L3/L4那么莉娜阻拦信息包。在TCP的情况下第一个信息包(TCP SYN)被阻拦
    • 如果条件是L7那么信息包转发到进一步检查的喷鼻息引擎。在TCP的情况下,一些个信息包通过FTD允许,直到喷鼻息作出判决。允许的信息包仍然是受根据访问策略>Advanced的闯入策略检查支配> ‘使用的闯入策略,在访问控制规则是确定的’选项前。

      

    ACP允许动作

    方案1. ACP允许动作(L3/L4情况)

    通常,您会配置一个允许规则指定另外的检验类似闯入策略和文件策略。在这里此第一个方案中,当L3/L4情况适用时,被展示允许规则的操作。

    如镜像所显示,考虑此拓扑:

    此策略适用如镜像所显示:

    在喷鼻息的被实施的策略。注意规则配置作为允许动作:

    # Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    策略在莉娜。 

    Note:规则配置,当根本意味着重定向为进一步检查打鼾的许可证动作。

    firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=1) 0x641a20c3

    为了看到匹配一个允许规则的流如何由那里FTD处理请是一些个方式:

    • 验证喷鼻息统计数据
    • 使用使用系统支持请跟踪CLISH工具
    • 使用使用捕获与跟踪在莉娜和可选地与在喷鼻息引擎的捕获数据流

    莉娜捕获与喷鼻息捕获数据流:

    验证工作情况:

    清除喷鼻息统计数据, enable (event)从CLISH的系统支持跟踪并且起动从host-A (192.168.1.40)的HTTP流对host-B (192.168.2.40)。所有信息包转发到喷鼻息引擎并且由喷鼻息获得PASS判决:

    firepower# clear snort statistics
    > system support trace

Please specify an IP protocol:
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, seq 361134402
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, ACK, seq 1591434735, ack 361134403
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, ACK, seq 361134403, ack 1591434736
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS

    喷鼻息统计数据反射上述喷鼻息PASS判决:

    > show snort statistics

Packet Counters:
  Passed Packets                                           54
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0
...

    被传递的信息包=由喷鼻息引擎检查

    方案2. ACP允许动作(L3-7情况)

    当允许规则配置如下时,相似的工作情况被看到。

    如镜像所显示的仅一个L3/L4条件:

    一个L7条件(即闯入策略、文件策略,应用程序等)如镜像所显示:

    摘要

    为了总结,这是流如何由在FP4100/9300配置的FTD处理如镜像所显示时,当允许规则被匹配:

    Note:管理输入-输出(减少)是火力机箱的Supervisor引擎。

    方案3.喷鼻息快速运送判决与准许

    有FTD喷鼻息egnine产生一个WHITELIST判决(快速运送)的特定方案,并且流的其余被卸载到莉娜引擎(在某些情况下然后被卸载对HW Accelarator - SmartNIC)。这些是:

    1. 与信任动作的访问控制策略
    2. 没有被配置的SSL策略的SSL流量
    3. FILE检测策略
    4. 智能应用程序bypass(IAB)

    以上可以形象化对:

    或者在某些情况下对:

    要点

    • 允许规则在喷鼻息在莉娜配置和准许并且允许
    • 在许多情况下,转发会话的所有信息包打鼾另外的检查的引擎

    请使用案件 

    当您由喷鼻息引擎需要L7检查例如时,您会配置一个允许规则:

    • 闯入策略
    • 文件策略

    ACP信任动作

    方案1. ACP信任动作(L3/L4情况)

    如果不要适用任何L7动作在喷鼻息级别(即闯入策略、文件策略、应用程序检测、URL过滤,安全智能等)那么在您的规则推荐使用信任动作。

    如镜像所显示,考虑拓扑:

    此策略适用如镜像所显示:

    信任规则,在FTD喷鼻息引擎配置:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6

    Note:第6是协议(TCP)。

    在FTD莉娜的规则:

    access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=0) 0x641a20c3

      

    验证工作情况:

    起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40),当您运行系统支持跟踪CLI工具时。只有转发打鼾引擎的一个信息包(TCP SYN)。喷鼻息引擎发送到莉娜根本卸载流其余对莉娜的WHITELIST判决:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages


Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 69186463
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST

    莉娜捕获显示流哪些通过它:

    > show capture CAPI

29 packets captured

   1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
   2: 19:14:29.215549 192.168.2.40.80 > 192.168.1.40.32791: S 413254738:413254738(0) ack 69186464 win 2896 <mss 1380,sackOK,timestamp 3137895 3139222>
   3: 19:14:29.215687 192.168.1.40.32791 > 192.168.2.40.80: P 69186464:69186662(198) ack 413254739 win 2920 <nop,nop,timestamp 3139223 3137895>
   4: 19:14:29.216038 192.168.2.40.80 > 192.168.1.40.32791: . 413254739:413256107(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
   5: 19:14:29.216053 192.168.2.40.80 > 192.168.1.40.32791: P 413256107:413257475(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
   6: 19:14:29.216144 192.168.1.40.32791 > 192.168.2.40.80: . ack 413257475 win 2736 <nop,nop,timestamp 3139224 3137896>
   7: 19:14:29.216251 192.168.2.40.80 > 192.168.1.40.32791: P 413257475:413258843(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139224>
…

    当您跟踪第一个信息包时,您能看到WHITELIST判决:

    firepower# show capture CAPI packet-number 1 trace
   1: 19:14:29.214817  192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 69186463
AppID: service unknown (0), application unknown (0)
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow

    对于流(即TCP SYN/ACK)的其余您看到:

    firepower# show capture CAPO packet-number 2 trace
   2: 19:14:29.215503  192.168.2.40.80 > 192.168.1.40.32791: S 60351089:60351089(0) ack 1577779944 win 2896 <mss 1460,sackOK,timestamp 3137895 3139222>
…
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 25353, using existing flow

Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow

    喷鼻息统计数据确认此:

    > show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      1
  Blacklisted Flows                                         0
...                               0

    喷鼻息级的捕获也确认此:

    > capture-traffic

Please choose domain to capture traffic from:
  0 - management0
  1 - Router

Selection? 1

Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n
19:04:17.429711 IP 192.168.1.40.32791 > 192.168.2.40.80: Flags [S], seq 69186463, win 2920, options [mss 1380,sackOK,TS val 2527484 ecr 0], length 0

    提示:‘n’参数不转换IP地址成名字。

    方案2. ACP信任动作(L7情况)

    如镜像所显示,认为此ACP规则:

    规则,在FTD喷鼻息引擎配置:

    268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (appid 676:1)

    在FTD莉娜的规则:

    access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786

    验证工作情况

    起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40),当您运行系统支持跟踪CLI工具时。有发送打鼾引擎和获得PASS判决的一些个信息包(2在这种情况下),当AppID是待定的时。在喷鼻息以后确定寄WHITELIST判决给莉娜的应用程序,并且流的其余由莉娜处理:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages


Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, seq 3970971741
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, ACK, seq 18638120, ack 3970971742
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, ACK, seq 3970971742, ack 18638121
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/16k.html
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST

    莉娜捕获表示,信息包# 3有HTTP GET方法:

    firepower# show capture CAPI dump
   1: 11:24:38.895888       192.168.1.40.32836 > 192.168.2.40.80: S 3970971741:3970971741(0) win 2920 <mss 1460,sackOK,timestamp 320516154 0>
0x0000   2c33 118d 570e 00c0 a801 2800 0800 4500        ,3..W.....(...E.
0x0010   0038 c03d 0000 4006 35e2 c0a8 0128 c0a8        .8.=..@.5....(..
0x0020   0228 8044 0050 ecb0 385d 0000 0000 9002        .(.D.P..8]......
0x0030   0b68 630e 0000 0204 05b4 0402 080a 131a        .hc.............
0x0040   b03a 0000 0000                                 .:....
   2: 11:24:38.896682       192.168.2.40.80 > 192.168.1.40.32836: S 18638120:18638120(0) ack 3970971742 win 2896 <mss 1380,sackOK,timestamp 320514827 320516154>
0x0000   00c0 a801 2800 2c33 118d 570e 0800 4500        ....(.,3..W...E.
0x0010   0038 1d1e 0000 4006 d901 c0a8 0228 c0a8        .8....@......(..
0x0020   0128 0050 8044 011c 6528 ecb0 385e 9012        .(.P.D..e(..8^..
0x0030   0b50 3efb 0000 0204 0564 0402 080a 131a        .P>......d......
0x0040   ab0b 131a b03a                                 .....:
   3: 11:24:38.896849       192.168.1.40.32836 > 192.168.2.40.80: P 3970971742:3970971940(198) ack 18638121 win 2920 <nop,nop,timestamp 320516155 320514827>
0x0000   2c33 118d 570e 00c0 a801 2800 0800 4500        ,3..W.....(...E.
0x0010   00fa c03e 0000 4006 351f c0a8 0128 c0a8        ...>..@.5....(..
0x0020   0228 8044 0050 ecb0 385e 011c 6529 8018        .(.D.P..8^..e)..
0x0030   0b68 0f62 0000 0101 080a 131a b03b 131a        .h.b.........;..
0x0040   ab0b 4745 5420 2f31 366b 2e68 746d 6c20        ..GET /16k.html
0x0050   4854 5450 2f31 2e30 0d0a 486f 7374 3a20        HTTP/1.0..Host:
    ...

    喷鼻息统计数据确认在上面:

    > show snort statistics

Packet Counters:
  Passed Packets                                            2
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      1
  Blacklisted Flows                                         0
...

    在如镜像所显示,在FP4100/9300工具方案1和2的运行可以形象化的FTD :

    方案3. ACP信任动作(L3/L4同停用的SI)

    万一希望FTD运用安全智能(SI)检查于SI已经是启用的在ACP级别,并且的所有流您能指定SI来源(TALOS、结转,列表等)。另一方面,万一要禁用它,您禁用网络的URL的SI全局每个ACP, DNS的SI和SI。网络和URL的SI是失效的如镜像所显示:

    在这种情况下信任规则在莉娜被部署作为充分的信任:

    > show access-list
    ...    
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6

    Note:和从6.2.2 FTD技术支持TID。TID工作用方式类似于SI,但是,万一SI是失效的, “不强制’信息包重定向打鼾TID检查的引擎。

    验证工作情况

    起动从host-A (192.168.1.40)的HTTP会话对host-B (192.168.2.40)。因为这FP4100和支持流在硬件方面卸载这些事发生:

    • 一些个信息包通过FTD莉娜引擎转发,并且流的其余被卸载对SmartNIC (HW加速器)
    • 没有转发信息包打鼾引擎

    FTD莉娜连接表显示标志位“o’哪意味着流被卸载了对HW。并且请注释缺乏“N’标志位。这根本不意味着‘喷鼻息重定向’ :

    firepower# show conn
1 in use, 15 most used

TCP OUTSIDE  192.168.2.40:80 INSIDE  192.168.1.40:32809, idle 0:00:00, bytes 949584, flags UIOo

    喷鼻息统计数据显示仅操作日志事件起初和在会话结束时:

    firepower# show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0

Miscellaneous Counters:
  Start-of-Flow events                                      1
  End-of-Flow events                                        1

    FTD莉娜日志表示,每次会话的有2流(一每个每个方向)被卸载对HW :

    Sep 27 2017 20:16:05: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Sep 27 2017 20:16:05: %ASA-6-302013: Built inbound TCP connection 25384 for INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-302014: Teardown TCP connection 25384 for INSIDE:192.168.1.40/32809 to OUTSIDE:192.168.2.40/80 duration 0:00:00 bytes 1055048 TCP FINs
Sep 27 2017 20:16:05: %ASA-7-609002: Teardown local-host INSIDE:192.168.1.40 duration 0:00:00

    在如镜像所显示,在FP4100/9300工具方案1和2的运行可以形象化的FTD :

    请使用案件

    • 您必须使用信任动作,当您希望仅一些个信息包由喷鼻息引擎(即应用程序检测, SI检查)时和将被卸载的流的其余检查对莉娜引擎
    • 如果使用在FP4100/9300的FTD并且希望流完全地绕过喷鼻息检查然后认为与快速路径动作的Prefilter规则(请参阅相关请区分在本文)
    • 请勿使用信任动作开放附属连接的协议(即FTP, SIP等),但是使用提供动作(请参阅在本文的相关部分)

    Prefilter策略块动作

    如镜像所显示,考虑拓扑:

    如镜像所显示,也考虑策略:

    这是在FTD喷鼻息引擎(ngfw.rules文件)的被实施的策略:

    # Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268437506 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (tunnel -1

    在莉娜:

    access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start (hitcnt=0) 0x76476240

    当您跟踪一个虚拟信息包时,表示,信息包由莉娜丢弃和从未转发打鼾:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: Prefilter1
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

    喷鼻息统计数据显示:

    firepower# show snort statistics

Packet Counters:
  Passed Packets                                            0
  Blocked Packets                                           0
  Injected Packets                                          0
  Packets bypassed (Snort Down)                             0
  Packets bypassed (Snort Busy)                             0

Flow Counters:
  Fast-Forwarded Flows                                      0
  Blacklisted Flows                                         0

Miscellaneous Counters:
  Start-of-Flow events                                      0
  End-of-Flow events                                        0
  Denied flow events                                        1

    莉娜ASP丢包显示:

    firepower# show asp drop

Frame drop:
  Flow is denied by configured rule (acl-drop)                1

    请使用案件

    当您要阻塞数据流根据L3/L4情况和,不用需要执行所有喷鼻息检查到数据流时,您能使用Prefilter分块规则。

    Prefilter策略快速路径动作

    如镜像所显示,认为Prefilter策略规则:

    这是在FTD喷鼻息引擎的被实施的策略:

    268437506 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6  (tunnel -1)

    在FTD莉娜中:

    access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced trust tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268437506 event-log flow-end (hitcnt=0) 0xf3410b6f

    验证工作情况

    当host-A (192.168.1.40)时设法对host-B (192.168.2.40)开始HTTP会话一些个信息包通过莉娜,并且其余被卸载对SmartNIC。在这种情况下“系统支持跟踪’有防火墙引擎调试功能显示:

    > system support trace

Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

192.168.1.40-32840 > 192.168.2.40-80 6 AS 1 I 8 Got end of flow event from hardware with flags 04000000


    莉娜日志显示被卸载的流:

    Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host OUTSIDE:192.168.2.40
Oct 01 2017 14:36:51: %ASA-6-302013: Built inbound TCP connection 966 for INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32840 (192.168.1.40/32840)


    莉娜捕获显示经历8个的信息包:

    firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40

    firepower# show capture CAPI

8 packets captured

   1: 14:45:32.700021  192.168.1.40.32842 > 192.168.2.40.80: S 3195173118:3195173118(0) win 2920 <mss 1460,sackOK,timestamp 332569060 0>
   2: 14:45:32.700372  192.168.2.40.80 > 192.168.1.40.32842: S 184794124:184794124(0) ack 3195173119 win 2896 <mss 1380,sackOK,timestamp 332567732 332569060>
   3: 14:45:32.700540  192.168.1.40.32842 > 192.168.2.40.80: P 3195173119:3195173317(198) ack 184794125 win 2920 <nop,nop,timestamp 332569060 332567732>
   4: 14:45:32.700876  192.168.2.40.80 > 192.168.1.40.32842: . 184794125:184795493(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
   5: 14:45:32.700922  192.168.2.40.80 > 192.168.1.40.32842: P 184795493:184796861(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
   6: 14:45:32.701425  192.168.2.40.80 > 192.168.1.40.32842: FP 184810541:184810851(310) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569061>
   7: 14:45:32.701532  192.168.1.40.32842 > 192.168.2.40.80: F 3195173317:3195173317(0) ack 184810852 win 2736 <nop,nop,timestamp 332569061 332567733>
   8: 14:45:32.701639  192.168.2.40.80 > 192.168.1.40.32842: . ack 3195173318 win 2697 <nop,nop,timestamp 332567734 332569061>


    FTD流卸载统计数据显示22个信息包被卸载对HW :

    firepower# show flow-offload statistics
 Packet stats of port : 0
        Tx Packet count                  :               22
        Rx Packet count                  :               22
        Dropped Packet count             :                0
        VNIC transmitted packet          :               22
        VNIC transmitted bytes           :            15308
        VNIC Dropped packets             :                0
        VNIC erroneous received          :                0
        VNIC CRC errors                  :                0
        VNIC transmit failed             :                0
        VNIC multicast received          :                0


    为了看到在通过FTD的FP4100/9300的所有信息包(被卸载+莉娜)如镜像所显示,那里是需要enable (event)捕获在机箱平实:

    机箱底板捕获显示两个方向。由于FXO捕获体系结构(每个方向2捕获点)如镜像所显示,每个信息包两次显示:

    基于在上面:

    • 信息包总数通过FTD :30
    • 信息包通过FTD莉娜:8
    • 信息包被卸载对SmartNIC HW加速器:22

    请使用案件 

    • 当您要完全地绕过喷鼻息检查时,请使用Prefilter快速路径动作。您典型地要为您委托类似备份的大fat流,数据库转移等执行此
    • 在FP4100/9300工具上快速路径动作触发器流卸载,并且仅一些个信息包通过FTD莉娜引擎。其余由减少潜伏期的SmartNIC处理

    Prefilter策略分析动作

    方案1. Prefilter分析与ACP分块规则

    考虑如镜像所显示,包含一个分析规则的Prefilter策略:

    ACP包含设置阻塞所有数据流如镜像所显示,仅的默认规则:

    这是在FTD喷鼻息引擎(ngfw.rules文件)的被实施的策略:

    # Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268435460 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any  (tunnel -1)
268435459 allow any any  1025-65535 any any  3544 any 17  (tunnel -1)
268435459 allow any any  3544 any any  1025-65535 any 17  (tunnel -1)
268435459 allow any any  any any any  any any 47  (tunnel -1)
268435459 allow any any  any any any  any any 41  (tunnel -1)
268435459 allow any any  any any any  any any 4  (tunnel -1)
# End of tunnel and priority rules.
# Start of AC rule.
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    这是在FTD莉娜引擎的被实施的策略:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=0) 0xb788b786

    验证工作情况

    为了测试与信息包跟踪程序,它表示,信息包由莉娜允许,转发打鼾引擎(由于允许动作),并且喷鼻息引擎返回判决,因为从AC的默认动作被匹配。

    Note:喷鼻息不评估根据隧道规则的数据流

    当您跟踪信息包时显示同样:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

…
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: block rule, id 268435458, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor

    方案2. Prefilter分析与ACP允许规则

    如果目标是允许信息包通过FTD横断,有需要增加在ACP的一个规则。动作可以是承认或委托哪些取决于目标(即,如果要适用L7检查您必须使用允许动作)如镜像所显示, :

    在FTD喷鼻息引擎的被实施的策略:

    # Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    在莉娜引擎中:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=1) 0xb788b786

    验证工作情况

    信息包跟踪程序表示,信息包在莉娜匹配规则268435460268435461在喷鼻息引擎:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: allow rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    方案3. Prefilter分析与ACP信任规则

    万一ACP包含信任规则然后如镜像所显示,您有此:

    喷鼻息:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    莉娜:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=2) 0xb788b786

    切记,因为默认情况下SI被启用,信任规则配置作为对莉娜的许可证动作那么至少一些个信息包重定向打鼾检查的引擎。

    验证工作情况

    信息包跟踪程序表示,喷鼻息引擎Whitelists根本卸载对莉娜的信息包其余流:

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow

    方案4. Prefilter分析与ACP信任规则

    在此方案中SI手工被禁用。

    规则在喷鼻息配置如下:

    # Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any  any any any  any any any  (log dcforward flowstart)
# End of AC rule.

    在莉娜规则配置作为充分的信任。信息包必须虽则匹配许可证规则(请参阅ACE HIT计数)是配置的由于分析Prefilter规则,并且信息包由喷鼻息引擎检查:

    access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=3) 0xb788b786
...
access-list CSM_FW_ACL_ line 13 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6
...
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268435458 event-log flow-start (hitcnt=0) 0x97aa021a

    验证工作情况

    firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow


    要点

    • 分析动作在莉娜引擎配置,许可证规则。这有作为效果将转发的信息包打鼾检查的引擎
    • 分析动作不配置在喷鼻息引擎,因此您的任何规则需要保证您配置在喷鼻息配比的ACP的一个规则
    • 它取决于在喷鼻息引擎配置的ACP规则(允许快速路径)无或所有或者一些个信息包由喷鼻息允许

    请使用案件

    • analyze动作用例是,当您安排一个清楚的快速路径规则在Prefilter策略和您要放置特定流的时一些例外,以便他们由喷鼻息检查
    • 另外,喷鼻息检查暗示流没有被卸载到硬件(SmartNIC),但是由喷鼻息和莉娜处理

    与打开附属连接的协议的FTD工作情况

    有协议类似动态地协商和开放附属连接的FTP, SIP等。FTD独立地打开附属连接的针孔在2个级别:

    • 莉娜引擎
    • 喷鼻息引擎

    另外,当喷鼻息打开针孔时它发信号莉娜打开同一个针孔,万一已经不是开放的。

    使用协商的协议和您必须使用的开放附属连接请勿允许在ACP的动作和请使用信任。原因是那,因为需要检查一些个信息包的喷鼻息也打开针孔(编号取决于应用程序),在您打开针孔在喷鼻息级别前。如果使用信任动作,大多时代仅一些个信息包发送打鼾检查的引擎,并且流被卸载给在喷鼻息前的莉娜有时间检查协议协商阶段和打开需要的针孔在喷鼻息级别。结果是打开针孔的莉娜,但是打鼾切附属连接(即FTD数据信道)。

    Note:对于要求的协议FTD将打开的针孔保证ACP规则匹配一个应用程序。
     如果规则使用一个协议端口,情况喷鼻息引擎然后不会打开一个针孔和流类似FTD数据将由FTD下降

    FTD规则指南

    • 请使用Prefilter策略快速路径规则大fat流和为了通过机箱减少潜伏期
    • 请使用Prefilter分块规则必须根据L3/L4情况阻塞的数据流
    • 请使用ACP信任规则,如果要绕过许多喷鼻息检查,但是仍然利用功能类似身份策略, QoS, SI,应用程序检测, URL过滤
    • 放置更加特定的规则在与使用的访问控制策略顶部这些指南

       a. L3/L4在顶层的规则

       b. L7规则下面(应用程序检测, URL过滤等)

       c. 要求先进的喷鼻息检查的规则(闯入策略/文件策略)在策略的底部

    • 避免额外的记录(日志起初或在末端和同时避免两个)
    • 注意规则扩展,检查规则的数量在莉娜
    firepower# show access-list | include elements
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3

       

    摘要

    规则如何配置:

    允许与信任

    Related Information

    TAC Authored

    由思科工程师提供

    • Mikis Zafeiroudis
      Cisco TAC工程师
    • Veronika Klauzova
      Cisco TAC工程师

    此文档是否有帮助?

    Feedback反馈

    联系我们

    相关的思科社区讨论

    本文档适用于以下产品

    关于我们
    联系我们
    加入我们