Cisco translates its documentation with a mix of human and machine translation so that users worldwide can get support content in their own language. Note that even the best machine translation is not as accurate as that of a professional translator. Cisco Systems, Inc. accepts no responsibility for the accuracy of a translation and recommends that you always refer to the original English document (link provided).
This document describes the various actions available in the Firepower Threat Defense (FTD) Access Control Policy (ACP) and Prefilter Policy. In addition, the underlying operation of each action is examined, together with its interaction with other features such as flow offload and protocols that open secondary connections.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
This document can also be used with these hardware and software versions:
Note: Only the FPR4100 and FPR9300 platforms support flow offload.
FTD is a unified software image that consists of two main engines (the Lina engine and the Snort engine):
This figure shows how the two engines interact:
FTD policies are configured on the FMC when off-box (remote) management is used, or on Firepower Device Manager (FDM) when local management is used. In both cases, the ACP is deployed as:
The FTD ACP contains one or more rules, and each rule can have one of these actions, as shown in the image:
Similarly, a Prefilter Policy can contain one or more rules, and the possible actions are shown in the image:
The Prefilter Policy was introduced in version 6.1 and serves two main purposes:
Prefilter rules are deployed on FTD as L3/L4 Access Control Elements (ACEs), as shown in the image, and are placed above the L3/L4 ACEs configured in the ACP:
Note: Prefilter vs ACP rules = first match applies.
Consider the topology shown in the image:
The ACP contains a Block rule that uses an L4 condition (destination port TCP 80), as shown in the image:
The policy as deployed in Snort:
268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
The policy as deployed in Lina. Note that the rule is pushed with a deny action:
firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start (hitcnt=0) 0x6149c43c
Verify the behavior:
When host-A (192.168.1.40) tries to open an HTTP session to host-B (192.168.2.40), the TCP synchronization (SYN) packets are dropped by the FTD Lina engine without reaching the Snort engine or the destination:
firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 430 bytes]
  match ip host 192.168.1.40 any
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 0 bytes]
  match ip host 192.168.1.40 any
firepower# show capture CAPI
1: 11:08:09.672801 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
2: 11:08:12.672435 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4063517 0>
3: 11:08:18.672847 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4069517 0>
4: 11:08:30.673610 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4081517 0>
firepower# show capture CAPI packet-number 1 trace
1: 11:08:09.672801 192.168.1.40.32789 > 192.168.2.40.80: S 3249160620:3249160620(0) win 2920 <mss 1460,sackOK,timestamp 4060517 0>
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L4 RULE: Rule1
Additional Information:                       <- No Additional Information = No Snort Inspection

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The ACP contains a Block rule that uses an L7 condition (application HTTP), as shown in the image:
The policy as deployed in Snort:
268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (appid 676:1)
Appid 676:1 = HTTP
The policy as deployed in Lina.
Note: The rule is pushed as a permit action because Lina cannot determine whether the session uses HTTP. On FTD the application detection mechanism resides in the Snort engine.
firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786
For a Block rule that uses an application as a condition, the trace of an actual packet shows that the session is dropped by Lina due to the Snort engine verdict.
Note: In order for the Snort engine to determine the application, it must inspect a few packets (typically 3-10, depending on the application decoder). Therefore a few packets are allowed through the FTD and reach the destination. The allowed packets are still subject to inspection by the intrusion policy selected under Access Policy > Advanced > 'Intrusion Policy used before Access Control rule is determined'.
Verify the behavior:
When host-A (192.168.1.40) tries to establish an HTTP session with host-B (192.168.2.40), the Lina ingress capture shows:
firepower# show capture CAPI
8 packets captured
1: 11:31:19.825564 192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
2: 11:31:19.826403 192.168.2.40.80 > 192.168.1.40.32790: S 1283931030:1283931030(0) ack 357753152 win 2896 <mss 1380,sackOK,timestamp 5449236 5450579>
3: 11:31:19.826556 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>
4: 11:31:20.026899 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450781 5449236>
5: 11:31:20.428887 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5451183 5449236>
...
Egress capture:
firepower# show capture CAPO
5 packets captured
1: 11:31:19.825869 192.168.1.40.32790 > 192.168.2.40.80: S 1163713179:1163713179(0) win 2920 <mss 1380,sackOK,timestamp 5450579 0>
2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
3: 11:31:23.426049 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5452836 5450579>
4: 11:31:29.426430 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5458836 5450579>
5: 11:31:41.427208 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5470836 5450579>
The trace shows that the first packet (TCP SYN) is allowed by Snort because the application detection verdict is still pending:
firepower# show capture CAPI packet-number 1 trace
1: 11:31:19.825564 192.168.1.40.32790 > 192.168.2.40.80: S 357753151:357753151(0) win 2920 <mss 1460,sackOK,timestamp 5450579 0>
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 10
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 23194, packet dispatched to next module
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 357753151
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
Likewise for the TCP SYN/ACK packet:
firepower# show capture CAPO packet-number 2 trace
2: 11:31:19.826312 192.168.2.40.80 > 192.168.1.40.32790: S 354801457:354801457(0) ack 1163713180 win 2896 <mss 1460,sackOK,timestamp 5449236 5450579>
…
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow
…
Phase: 5
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, ACK, seq 1283931030, ack 357753152
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
Firewall: pending rule-matching, id 268435461, pending AppID
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: INSIDE
output-status: up
output-line-status: up
Action: allow
Snort returns a drop verdict after it inspects the third packet:
firepower# show capture CAPI packet-number 3 trace
3: 11:31:19.826556 192.168.1.40.32790 > 192.168.2.40.80: P 357753152:357753351(199) ack 1283931031 win 2920 <nop,nop,timestamp 5450580 5449236>
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 23194, using existing flow
Phase: 5
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: TCP, ACK, seq 357753152, ack 1283931031
AppID: service HTTP (676), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
Firewall: block rule, id 268435461, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
You can also run the system support trace command from the FTD CLISH mode. This tool provides two functions:
This is the output:
> system support trace
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 2620409313
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 New session
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, ACK, seq 3700371680, ack 2620409314
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 pending rule order 2, 'Rule1', AppID
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, ACK, seq 2620409314, ack 3700371681
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Starting with minimum 2, 'Rule1', and SrcZone first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, inline sgt tag: untagged, ISE sgt id: 0, svc 676, payload 0, client 686, misc 0, user 9999997, url http://192.168.2.40/128k.html, xff
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/128k.html
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 match rule order 2, 'Rule1', action Block
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 deny action
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: block rule, 'Rule1', drop
192.168.1.40-32791 > 192.168.2.40-80 6 Snort: processed decoder alerts or actions queue, drop
192.168.1.40-32791 > 192.168.2.40-80 6 AS 1 I 0 Deleting session
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict BLACKLIST
192.168.1.40-32791 > 192.168.2.40-80 6 ===> Blocked by Firewall
Summary
Typically, you configure an Allow rule in order to specify additional inspection such as an intrusion policy and a file policy. In this first scenario, the operation of an Allow rule is demonstrated when an L3/L4 condition is applied.
Consider this topology, as shown in the image:
This policy is applied, as shown in the image:
The policy as deployed in Snort. Note that the rule is deployed with an allow action:
# Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
The policy in Lina.
Note: The rule is deployed as a permit action, which essentially means redirect to Snort for further inspection.
firepower# show access-list
…
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=1) 0x641a20c3
There are a few ways to see how a flow that matches an Allow rule is handled by FTD:
Lina captures and Snort capture-traffic:
Verify the behavior:
Clear the Snort statistics, enable system support trace from CLISH, and start an HTTP flow from host-A (192.168.1.40) to host-B (192.168.2.40). All packets are forwarded to the Snort engine and get a PASS verdict from Snort:
firepower# clear snort statistics
> system support trace
Please specify an IP protocol:
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, seq 361134402
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, SYN, ACK, seq 1591434735, ack 361134403
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32797 6 Packet: TCP, ACK, seq 361134403, ack 1591434736
192.168.2.40-80 - 192.168.1.40-32797 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32797 > 192.168.2.40-80 6 Firewall: allow rule, 'Rule1', allow
192.168.1.40-32797 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
The Snort statistics reflect the Snort PASS verdicts shown above:
> show snort statistics
Packet Counters:
  Passed Packets                                54
  Blocked Packets                                0
  Injected Packets                               0
  Packets bypassed (Snort Down)                  0
  Packets bypassed (Snort Busy)                  0
Flow Counters:
  Fast-Forwarded Flows                           0
  Blacklisted Flows                              0
...
Passed Packets = inspected by the Snort engine
Similar behavior is seen when the Allow rule is deployed with:
Only an L3/L4 condition, as shown in the image:
An L7 condition (i.e. intrusion policy, file policy, application, etc.), as shown in the image:
Summary
To summarize, this is how a flow is handled by an FTD deployed on FP4100/9300 when an Allow rule is matched, as shown in the image:
Note: The Management Input/Output (MIO) is the Supervisor engine of the Firepower chassis.
There are specific scenarios where the FTD Snort engine gives a WHITELIST verdict (fast-forward) and the rest of the flow is offloaded to the Lina engine (in some cases then offloaded to the HW accelerator, the SmartNIC). These are:
The above can be visualized as:
Or, in some cases, as:
Main points
Use case
You configure an Allow rule when you need L7 inspection by the Snort engine, for example:
If you do not need to apply any L7 action at the Snort level (i.e. intrusion policy, file policy, application detection, URL filtering, Security Intelligence, etc.), then the Trust action is recommended in your rule.
Consider the topology, as shown in the image:
This policy is applied, as shown in the image:
The Trust rule as deployed in the FTD Snort engine:
# Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
Note: The number 6 is the protocol (TCP).
The rule in FTD Lina:
access-list CSM_FW_ACL_ line 10 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461 (hitcnt=0) 0x641a20c3
Verify the behavior:
Start an HTTP session from host-A (192.168.1.40) to host-B (192.168.2.40) while you run the system support trace CLI tool. Only one packet (the TCP SYN) is forwarded to the Snort engine. The Snort engine sends a WHITELIST verdict to Lina, which essentially offloads the rest of the flow to Lina:
> system support trace
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 69186463
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST
The Lina capture shows the flow that went through it:
> show capture CAPI
29 packets captured
1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
2: 19:14:29.215549 192.168.2.40.80 > 192.168.1.40.32791: S 413254738:413254738(0) ack 69186464 win 2896 <mss 1380,sackOK,timestamp 3137895 3139222>
3: 19:14:29.215687 192.168.1.40.32791 > 192.168.2.40.80: P 69186464:69186662(198) ack 413254739 win 2920 <nop,nop,timestamp 3139223 3137895>
4: 19:14:29.216038 192.168.2.40.80 > 192.168.1.40.32791: . 413254739:413256107(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
5: 19:14:29.216053 192.168.2.40.80 > 192.168.1.40.32791: P 413256107:413257475(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139223>
6: 19:14:29.216144 192.168.1.40.32791 > 192.168.2.40.80: . ack 413257475 win 2736 <nop,nop,timestamp 3139224 3137896>
7: 19:14:29.216251 192.168.2.40.80 > 192.168.1.40.32791: P 413257475:413258843(1368) ack 69186662 win 2698 <nop,nop,timestamp 3137896 3139224>
…
When you trace the first packet, you can see the WHITELIST verdict:
firepower# show capture CAPI packet-number 1 trace
1: 19:14:29.214817 192.168.1.40.32791 > 192.168.2.40.80: S 69186463:69186463(0) win 2920 <mss 1460,sackOK,timestamp 3139222 0>
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435461
access-list CSM_FW_ACL_ remark rule-id 268435461: ACCESS POLICY: ACP1 - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435461: L7 RULE: Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 12
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 69186463
AppID: service unknown (0), application unknown (0)
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
For the rest of the flow (i.e. the TCP SYN/ACK) you see:
firepower# show capture CAPO packet-number 2 trace
2: 19:14:29.215503 192.168.2.40.80 > 192.168.1.40.32791: S 60351089:60351089(0) ack 1577779944 win 2896 <mss 1460,sackOK,timestamp 3137895 3139222>
…
Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 25353, using existing flow
Phase: 4
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (fast-forward) fast forward this flow
The Snort statistics confirm this:
> show snort statistics
Packet Counters:
  Passed Packets                                 0
  Blocked Packets                                0
  Injected Packets                               0
  Packets bypassed (Snort Down)                  0
  Packets bypassed (Snort Busy)                  0
Flow Counters:
  Fast-Forwarded Flows                           1
  Blacklisted Flows                              0
...
The Snort-level capture also confirms this:
> capture-traffic
Please choose domain to capture traffic from:
  0 - management0
  1 - Router
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n
19:04:17.429711 IP 192.168.1.40.32791 > 192.168.2.40.80: Flags [S], seq 69186463, win 2920, options [mss 1380,sackOK,TS val 2527484 ecr 0], length 0
Tip: The 'n' option does not resolve IP addresses to names.
Consider this ACP rule, as shown in the image:
The rule as deployed in the FTD Snort engine:
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any (appid 676:1)
The rule in FTD Lina:
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786
Verify the behavior
Start an HTTP session from host-A (192.168.1.40) to host-B (192.168.2.40) while you run the system support trace CLI tool. A few packets (2 in this case) are sent to the Snort engine and get a PASS verdict while the AppID is pending. After Snort determines the application, it sends a WHITELIST verdict to Lina and the rest of the flow is handled by Lina:
> system support trace
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]:
Monitoring packet tracer debug messages

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, seq 3970971741
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, ACK, seq 18638120, ack 3970971742
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 0, icmpCode 0
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS

Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, ACK, seq 3970971742, ack 18638121
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: starting rule matching, zone -1 -> -1, geo 0(0) -> 0, vlan 0, sgt 65535, user 9999997, url http://192.168.2.40/16k.html
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST
The Lina capture shows that packet #3 carries the HTTP GET method:
firepower# show capture CAPI dump
1: 11:24:38.895888 192.168.1.40.32836 > 192.168.2.40.80: S 3970971741:3970971741(0) win 2920 <mss 1460,sackOK,timestamp 320516154 0>
0x0000 2c33 118d 570e 00c0 a801 2800 0800 4500 ,3..W.....(...E.
0x0010 0038 c03d 0000 4006 35e2 c0a8 0128 c0a8 .8.=..@.5....(..
0x0020 0228 8044 0050 ecb0 385d 0000 0000 9002 .(.D.P..8]......
0x0030 0b68 630e 0000 0204 05b4 0402 080a 131a .hc.............
0x0040 b03a 0000 0000 .:....
2: 11:24:38.896682 192.168.2.40.80 > 192.168.1.40.32836: S 18638120:18638120(0) ack 3970971742 win 2896 <mss 1380,sackOK,timestamp 320514827 320516154>
0x0000 00c0 a801 2800 2c33 118d 570e 0800 4500 ....(.,3..W...E.
0x0010 0038 1d1e 0000 4006 d901 c0a8 0228 c0a8 .8....@......(..
0x0020 0128 0050 8044 011c 6528 ecb0 385e 9012 .(.P.D..e(..8^..
0x0030 0b50 3efb 0000 0204 0564 0402 080a 131a .P>......d......
0x0040 ab0b 131a b03a .....:
3: 11:24:38.896849 192.168.1.40.32836 > 192.168.2.40.80: P 3970971742:3970971940(198) ack 18638121 win 2920 <nop,nop,timestamp 320516155 320514827>
0x0000 2c33 118d 570e 00c0 a801 2800 0800 4500 ,3..W.....(...E.
0x0010 00fa c03e 0000 4006 351f c0a8 0128 c0a8 ...>..@.5....(..
0x0020 0228 8044 0050 ecb0 385e 011c 6529 8018 .(.D.P..8^..e)..
0x0030 0b68 0f62 0000 0101 080a 131a b03b 131a .h.b.........;..
0x0040 ab0b 4745 5420 2f31 366b 2e68 746d 6c20 ..GET /16k.html
0x0050 4854 5450 2f31 2e30 0d0a 486f 7374 3a20 HTTP/1.0..Host:
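The system support trace outputs above (the Block rule with an application condition earlier in this document, and the Trust rule with an application condition here) all follow the same shape: one "Packet:" line per packet handed to Snort, an "AppID:" line, one or more "Firewall:" lines and a final "Verdict" line. The following script is an added example (it is not Cisco code and not part of this document) that parses saved trace output into a per-flow summary: how many packets Snort saw, the per-packet verdicts, the packet at which the flow-level verdict (WHITELIST or BLACKLIST) was reached, and which AppID triggered it. The sample input is constructed from the trace lines shown on this page; only the line formats that appear here are parsed.

```python
"""Summarise FTD 'system support trace' output per flow.

Added example, not Cisco code. Input format assumed: the line shapes shown in
this document (endpoint pairs written "server - client" on Packet/AppID lines
and "client > server" on firewall-engine lines, followed by the IP protocol
number and the message).
"""
import re

# Constructed sample: a Trust+AppID flow (PASS, PASS, WHITELIST) followed by a
# Block+AppID flow (PASS, BLACKLIST), modelled on the outputs in this document.
SAMPLE_TRACE = """\
Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, seq 3970971741
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Trace buffer and verdict reason are sent to DAQ's PDTS
Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, SYN, ACK, seq 18638120, ack 3970971742
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32836 6 Packet: TCP, ACK, seq 3970971742, ack 18638121
192.168.2.40-80 - 192.168.1.40-32836 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32836 > 192.168.2.40-80 6 Firewall: trust/fastpath rule, 'Rule1', allow
192.168.1.40-32836 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict WHITELIST
Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, SYN, seq 2620409313
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service unknown (0), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: pending rule-matching, 'Rule1', pending AppID
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict PASS
Tracing enabled by Lina
192.168.2.40-80 - 192.168.1.40-32791 6 Packet: TCP, ACK, seq 2620409314, ack 3700371681
192.168.2.40-80 - 192.168.1.40-32791 6 AppID: service HTTP (676), application unknown (0)
192.168.1.40-32791 > 192.168.2.40-80 6 Firewall: block rule, 'Rule1', drop
192.168.1.40-32791 > 192.168.2.40-80 6 NAP id 1, IPS id 0, Verdict BLACKLIST
192.168.1.40-32791 > 192.168.2.40-80 6 ===> Blocked by Firewall
"""

LINE_RE = re.compile(
    r"^(?P<a>\d+\.\d+\.\d+\.\d+-\d+)\s+(?P<sep>[->])\s+(?P<b>\d+\.\d+\.\d+\.\d+-\d+)\s+"
    r"(?P<proto>\d+)\s+(?P<msg>.*)$"
)
# PASS is a per-packet verdict; these two end Snort's involvement with the flow.
FINAL_VERDICTS = {"WHITELIST", "BLACKLIST"}


def parse_trace(text):
    """Group trace lines by flow (unordered endpoint pair) and by packet."""
    flows = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # "Tracing enabled by Lina", DAQ notes and similar chatter
        key = tuple(sorted((m["a"], m["b"])))
        flow = flows.setdefault(key, {"client": None, "server": None, "packets": [],
                                      "final_verdict": None, "decided_at": None,
                                      "appid": None, "rule": None})
        if m["sep"] == ">":  # firewall-engine lines are written client > server
            flow["client"], flow["server"] = m["a"], m["b"]
        msg = m["msg"]
        if msg.startswith("Packet:"):
            flow["packets"].append({"desc": msg[len("Packet: "):], "verdict": None, "firewall": None})
            continue
        if not flow["packets"]:
            continue
        pkt = flow["packets"][-1]
        if msg.startswith("AppID:"):
            app = re.search(r"service (\w+) \((\d+)\)", msg)
            if app and app.group(2) != "0" and flow["appid"] is None:
                flow["appid"] = f"{app.group(1)} ({app.group(2)})"
        elif msg.startswith("Firewall:"):
            pkt["firewall"] = msg[len("Firewall: "):]
            rule = re.search(r"'([^']+)'", msg)
            if rule:
                flow["rule"] = rule.group(1)
        else:
            v = re.search(r"\bVerdict (\w+)", msg)
            if v:
                pkt["verdict"] = v.group(1)
                if v.group(1) in FINAL_VERDICTS and flow["final_verdict"] is None:
                    flow["final_verdict"] = v.group(1)
                    flow["decided_at"] = len(flow["packets"])
    return flows


def summarize(flows):
    """Flatten parsed flows into one record each."""
    return [{
        "client": f["client"] or key[0],
        "server": f["server"] or key[1],
        "packets_to_snort": len(f["packets"]),
        "verdicts": [p["verdict"] for p in f["packets"]],
        "final_verdict": f["final_verdict"],
        "decided_at": f["decided_at"],
        "appid": f["appid"],
        "rule": f["rule"],
    } for key, f in flows.items()]


if __name__ == "__main__":
    for rec in summarize(parse_trace(SAMPLE_TRACE)):
        print(f'{rec["client"]} -> {rec["server"]}: {rec["packets_to_snort"]} packet(s) to Snort, '
              f'verdicts {rec["verdicts"]}, final {rec["final_verdict"]} at packet {rec["decided_at"]}, '
              f'appid {rec["appid"]}, rule {rec["rule"]}')
```

The decided_at value is the practical number to watch: for application-based rules it is how many packets crossed the box before the rule actually took effect, which is what the earlier note about 3-10 leaked packets refers to.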
...
The Snort statistics confirm the above:
> show snort statistics
Packet Counters:
  Passed Packets                                 2
  Blocked Packets                                0
  Injected Packets                               0
  Packets bypassed (Snort Down)                  0
  Packets bypassed (Snort Busy)                  0
Flow Counters:
  Fast-Forwarded Flows                           1
  Blacklisted Flows                              0
...
The operation of scenarios 1 and 2 on an FTD deployed on an FP4100/9300 appliance can be visualized as shown in the image:
In case you want FTD to apply Security Intelligence (SI) checks to all flows, SI is already enabled at the ACP level and you can specify the SI sources (TALOS, feeds, lists, etc.). On the other hand, in case you want to disable it, you disable SI for Networks globally per ACP, SI for URL and SI for DNS. SI for Networks and URL is disabled as shown in the image:
In this case the Trust rule is deployed in Lina as full trust:
> show access-list
...
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L4 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6
Note: Starting from 6.2.2, FTD supports TID. TID works in a way similar to SI; however, in case SI is disabled, TID does not 'force' packet redirection to the Snort engine for TID checks.
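Across the scenarios above, the same ACP rule action lands as different action pairs on the two engines: an L4 Block becomes deny/deny, an application-based Block becomes permit in Lina and deny with an appid tag in Snort, Allow becomes permit/allow, Trust becomes permit/fastpath, and Trust with SI disabled becomes a plain Lina trust. When a policy does not behave as expected, comparing the two views by rule-id is the quickest check. The script below is an added example (not Cisco code and not part of this document) that parses 'show access-list' output and ngfw.rules lines, joins them on rule-id, and states the packet path each pair implies, following the behavior documented above. The sample lines are constructed from the outputs on this page; rule 268435470 and 268435480 and their remarks are made up for the example.

```python
"""Correlate how each FTD rule is deployed in the Lina ACL and in Snort's ngfw.rules.

Added example, not Cisco code. It parses the two CLI views shown in this
document and describes, per rule-id, the packet path implied by the Lina/Snort
action pair. Sample inputs are constructed from the outputs on this page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: prefilter block, L7 block (appid), trust deployed as full
# trust (SI disabled), and an allow rule. Rule-ids 268435470/268435480 are invented.
LINA_ACL = """\
access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start (hitcnt=0) 0x76476240
access-list CSM_FW_ACL_ line 9 remark rule-id 268435461: L7 RULE: Rule1
access-list CSM_FW_ACL_ line 10 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 (hitcnt=0) 0xb788b786
access-list CSM_FW_ACL_ line 11 remark rule-id 268435470: L4 RULE: Rule2
access-list CSM_FW_ACL_ line 12 advanced trust tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268435470 event-log flow-end (hitcnt=0) 0x5c1346d6
access-list CSM_FW_ACL_ line 13 remark rule-id 268435480: L7 RULE: Rule3
access-list CSM_FW_ACL_ line 14 advanced permit tcp host 192.168.1.40 host 192.168.2.40 eq ftp rule-id 268435480 (hitcnt=0) 0x641a20c3
"""

SNORT_RULES = """\
# Start of tunnel and priority rules.
268437506 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (tunnel -1)
# Start of AC rule.
268435461 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (appid 676:1)
268435470 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6
268435480 allow any 192.168.1.40 32 any any 192.168.2.40 32 21 any 6
"""

ACE_RE = re.compile(
    r"^access-list\s+\S+\s+line\s+\d+\s+advanced\s+(?P<action>permit|deny|trust)\s+"
    r"(?P<proto>\S+)\s+.*?\brule-id\s+(?P<rid>\d+)"
)
REMARK_RE = re.compile(r"\bremark\s+rule-id\s+(?P<rid>\d+):\s+(?P<text>.*)$")
SNORT_RE = re.compile(r"^(?P<rid>\d+)\s+(?P<action>allow|deny|fastpath)\b(?P<rest>.*)$")


@dataclass
class RuleView:
    rule_id: str
    lina_action: str = ""
    lina_proto: str = ""
    remarks: list = field(default_factory=list)
    snort_action: str = ""
    appid: str = ""        # e.g. "676:1" when Snort must identify the application first
    tunnel: bool = False   # prefilter rules carry a "(tunnel ...)" tag


def parse_lina_acl(text, rules=None):
    rules = {} if rules is None else rules
    for line in text.splitlines():
        line = line.strip()
        m = REMARK_RE.search(line)
        if m:
            rules.setdefault(m["rid"], RuleView(m["rid"])).remarks.append(m["text"])
            continue
        m = ACE_RE.match(line)
        if m:
            rv = rules.setdefault(m["rid"], RuleView(m["rid"]))
            rv.lina_action, rv.lina_proto = m["action"], m["proto"]
    return rules


def parse_snort_rules(text, rules=None):
    rules = {} if rules is None else rules
    for line in text.splitlines():
        m = SNORT_RE.match(line.strip())
        if not m:
            continue  # comments such as "# Start of AC rule."
        rv = rules.setdefault(m["rid"], RuleView(m["rid"]))
        rv.snort_action = m["action"]
        app = re.search(r"appid\s+([\d:]+)", m["rest"])
        rv.appid = app.group(1) if app else ""
        rv.tunnel = "tunnel" in m["rest"]
    return rules


def packet_path(rv):
    """Expected packet path for a Lina/Snort action pair, per this document."""
    if rv.lina_action == "deny":
        return "dropped by Lina (acl-drop); no packet reaches Snort"
    if rv.lina_action == "trust":
        return "trusted in Lina; no Snort redirect, eligible for flow offload"
    if rv.lina_action == "permit":
        if rv.snort_action == "deny":
            if rv.appid:
                return (f"Lina permits; Snort PASSes packets until AppID {rv.appid} is "
                        "identified, then BLACKLISTs the flow (a few packets reach the destination)")
            return "Lina permits; Snort BLACKLISTs the flow"
        if rv.snort_action == "fastpath":
            if rv.appid:
                return (f"Lina permits; Snort PASSes packets until AppID {rv.appid} is "
                        "identified, then WHITELISTs the flow to Lina")
            return "Lina permits; Snort WHITELISTs the flow on the first packet, rest handled by Lina"
        if rv.snort_action == "allow":
            return "Lina permits; every packet goes to Snort for a per-packet PASS verdict"
    return f"unrecognised pair: lina={rv.lina_action!r} snort={rv.snort_action!r}"


def analyze(lina_text, snort_text):
    rules = parse_snort_rules(snort_text, parse_lina_acl(lina_text))
    return {rid: {"lina": rv.lina_action, "snort": rv.snort_action, "appid": rv.appid,
                  "tunnel": rv.tunnel, "remarks": rv.remarks, "path": packet_path(rv)}
            for rid, rv in sorted(rules.items())}


if __name__ == "__main__":
    for rid, info in analyze(LINA_ACL, SNORT_RULES).items():
        print(rid, info["remarks"], f'lina={info["lina"]} snort={info["snort"]}')
        print("   ->", info["path"])
```

A rule-id that appears in only one of the two views, or a permit in Lina paired with a deny in Snort without an appid tag, is worth a second look at the deployed policy.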
Verify the behavior
Start an HTTP session from host-A (192.168.1.40) to host-B (192.168.2.40). Because this is an FP4100 and supports flow offload in hardware, these things happen:
The FTD Lina connection table shows the flag 'o', which means the flow was offloaded to HW. Also note the absence of the 'N' flag, which essentially means 'no Snort redirect':
firepower# show conn
1 in use, 15 most used
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:32809, idle 0:00:00, bytes 949584, flags UIOo
The Snort statistics show only the logging events at the start and at the end of the session:
firepower# show snort statistics
Packet Counters:
  Passed Packets                                 0
  Blocked Packets                                0
  Injected Packets                               0
  Packets bypassed (Snort Down)                  0
  Packets bypassed (Snort Busy)                  0
Flow Counters:
  Fast-Forwarded Flows                           0
  Blacklisted Flows                              0
Miscellaneous Counters:
  Start-of-Flow events                           1
  End-of-Flow events                             1
The FTD Lina logs show that for each session there are two flows (one per direction) offloaded to HW:
Sep 27 2017 20:16:05: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Sep 27 2017 20:16:05: %ASA-6-302013: Built inbound TCP connection 25384 for INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-302014: Teardown TCP connection 25384 for INSIDE:192.168.1.40/32809 to OUTSIDE:192.168.2.40/80 duration 0:00:00 bytes 1055048 TCP FINs
Sep 27 2017 20:16:05: %ASA-7-609002: Teardown local-host INSIDE:192.168.1.40 duration 0:00:00
The operation of scenarios 1 and 2 on an FTD deployed on an FP4100/9300 appliance can be visualized as shown in the image:
Use case
Consider the topology, as shown in the image:
Also consider the policy, as shown in the image:
This is the policy as deployed in the FTD Snort engine (ngfw.rules file):
# Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268437506 deny any 192.168.1.40 32 any any 192.168.2.40 32 any any any (tunnel -1
In Lina:
access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start (hitcnt=0) 0x76476240
When you trace a virtual packet, it shows that the packet is dropped by Lina and never forwarded to Snort:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
…
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip host 192.168.1.40 host 192.168.2.40 rule-id 268437506 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ remark rule-id 268437506: RULE: Prefilter1
Additional Information:

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
The Snort statistics show:
firepower# show snort statistics
Packet Counters:
  Passed Packets                                 0
  Blocked Packets                                0
  Injected Packets                               0
  Packets bypassed (Snort Down)                  0
  Packets bypassed (Snort Busy)                  0
Flow Counters:
  Fast-Forwarded Flows                           0
  Blacklisted Flows                              0
Miscellaneous Counters:
  Start-of-Flow events                           0
  End-of-Flow events                             0
  Denied flow events                             1
The Lina ASP drops show:
firepower# show asp drop
Frame drop:
  Flow is denied by configured rule (acl-drop)                   1
Use case
You can use a Prefilter Block rule when you want to block traffic based on L3/L4 conditions without the need to perform any Snort inspection on that traffic.
Consider this Prefilter Policy rule, as shown in the image:
This is the policy as deployed in the FTD Snort engine:
268437506 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 80 any 6 (tunnel -1)
In FTD Lina:
access-list CSM_FW_ACL_ line 1 remark rule-id 268437506: PREFILTER POLICY: FTD_Prefilter
access-list CSM_FW_ACL_ line 2 remark rule-id 268437506: RULE: Prefilter1
access-list CSM_FW_ACL_ line 3 advanced trust tcp host 192.168.1.40 host 192.168.2.40 eq www rule-id 268437506 event-log flow-end (hitcnt=0) 0xf3410b6f
Verify the behavior
When host-A (192.168.1.40) tries to open an HTTP session to host-B (192.168.2.40), a few packets go through Lina and the rest are offloaded to the SmartNIC. In this case 'system support trace' with firewall-engine-debug enabled shows:
> system support trace
Please specify an IP protocol: tcp
Please specify a client IP address: 192.168.1.40
Please specify a client port:
Please specify a server IP address: 192.168.2.40
Please specify a server port:
Enable firewall-engine-debug too? [n]: y
Monitoring packet tracer debug messages

192.168.1.40-32840 > 192.168.2.40-80 6 AS 1 I 8 Got end of flow event from hardware with flags 04000000
The Lina logs show the offloaded flow:
Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host INSIDE:192.168.1.40
Oct 01 2017 14:36:51: %ASA-7-609001: Built local-host OUTSIDE:192.168.2.40
Oct 01 2017 14:36:51: %ASA-6-302013: Built inbound TCP connection 966 for INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32840 (192.168.1.40/32840)
The Lina capture shows the 8 packets that went through it:
firepower# show capture
capture CAPI type raw-data buffer 33554432 trace trace-count 100 interface INSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40
capture CAPO type raw-data buffer 33554432 trace trace-count 100 interface OUTSIDE [Capturing - 3908 bytes]
  match ip host 192.168.1.40 host 192.168.2.40
firepower# show capture CAPI
8 packets captured
1: 14:45:32.700021 192.168.1.40.32842 > 192.168.2.40.80: S 3195173118:3195173118(0) win 2920 <mss 1460,sackOK,timestamp 332569060 0>
2: 14:45:32.700372 192.168.2.40.80 > 192.168.1.40.32842: S 184794124:184794124(0) ack 3195173119 win 2896 <mss 1380,sackOK,timestamp 332567732 332569060>
3: 14:45:32.700540 192.168.1.40.32842 > 192.168.2.40.80: P 3195173119:3195173317(198) ack 184794125 win 2920 <nop,nop,timestamp 332569060 332567732>
4: 14:45:32.700876 192.168.2.40.80 > 192.168.1.40.32842: . 184794125:184795493(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
5: 14:45:32.700922 192.168.2.40.80 > 192.168.1.40.32842: P 184795493:184796861(1368) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569060>
6: 14:45:32.701425 192.168.2.40.80 > 192.168.1.40.32842: FP 184810541:184810851(310) ack 3195173317 win 2698 <nop,nop,timestamp 332567733 332569061>
7: 14:45:32.701532 192.168.1.40.32842 > 192.168.2.40.80: F 3195173317:3195173317(0) ack 184810852 win 2736 <nop,nop,timestamp 332569061 332567733>
8: 14:45:32.701639 192.168.2.40.80 > 192.168.1.40.32842: . ack 3195173318 win 2697 <nop,nop,timestamp 332567734 332569061>
The FTD flow offload statistics show 22 packets offloaded to HW:
firepower# show flow-offload statistics
Packet stats of port : 0
  Tx Packet count             :  22
  Rx Packet count             :  22
  Dropped Packet count        :  0
  VNIC transmitted packet     :  22
  VNIC transmitted bytes      :  15308
  VNIC Dropped packets        :  0
  VNIC erroneous received     :  0
  VNIC CRC errors             :  0
  VNIC transmit failed        :  0
  VNIC multicast received     :  0
You can also use the 'show flow-offload flow' command to find additional information related to the offloaded flows. Example:
firepower# show flow-offload flow
Total offloaded flow stats: 2 in use, 4 most used, 20% offloaded, 0 collisions
TCP intfc 103 src 192.168.1.40:39301 dest 192.168.2.40:20, static, timestamp 616063741, packets 33240, bytes 2326800
TCP intfc 104 src 192.168.2.40:20 dest 192.168.1.40:39301, static, timestamp 616063760, packets 249140, bytes 358263320
firepower# show conn
5 in use, 5 most used
Inspect Snort:
preserve-connection: 1 enabled, 0 in effect, 4 most enabled, 0 most in effect
TCP OUTSIDE 192.168.2.40:21 INSIDE 192.168.1.40:40988, idle 0:00:00, bytes 723, flags UIO
TCP OUTSIDE 192.168.2.40:21 INSIDE 192.168.1.40:40980, idle 0:02:40, bytes 1086, flags UIO
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:49442, idle 0:00:00, bytes 86348310, flags UIO N1
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:39301, idle 0:00:00, bytes 485268628, flags Uo <- offloaded flow
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:34713, idle 0:02:40, bytes 821799360, flags UFRIO
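The connection table and the Lina syslogs above are the two places where offload is visible: the 'o' flag (and the absence of 'N') in show conn, and the %ASA-6-805001/805002 messages that bracket the offloaded period per direction. The script below is an added example (not Cisco code and not part of this document) that decodes the flags of each show conn entry into a path classification (hardware offload, Lina plus Snort, or Lina only) and builds a per-connection offload timeline from the syslogs. Sample inputs are constructed from the outputs on this page, plus one invented entry with an explicit 'N' flag. The meanings given for the N1 flag and for the generic ASA flags (U, I, O, F, R and their lower-case forms) are taken from the ASA 'show conn' flag legend and are an assumption here; only 'o' and 'N' are explained on this page.

```python
"""Decode FTD 'show conn' flags and build a flow-offload timeline from Lina syslogs.

Added example, not Cisco code. The 'o' (offloaded to hardware) and 'N' (Snort
redirect) meanings come from this document; N1 and the generic ASA letters are
taken from the ASA 'show conn' legend (assumption).
"""
import re

# Constructed from the 'show conn' output on this page; the :32790 line with an
# explicit 'N' flag is invented for the example.
SAMPLE_CONN = """\
5 in use, 5 most used
Inspect Snort:
  preserve-connection: 1 enabled, 0 in effect, 4 most enabled, 0 most in effect
TCP OUTSIDE 192.168.2.40:21 INSIDE 192.168.1.40:40988, idle 0:00:00, bytes 723, flags UIO
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:49442, idle 0:00:00, bytes 86348310, flags UIO N1
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:32790, idle 0:00:00, bytes 1234, flags UIO N
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:39301, idle 0:00:00, bytes 485268628, flags Uo
TCP OUTSIDE 192.168.2.40:80 INSIDE 192.168.1.40:32809, idle 0:00:00, bytes 949584, flags UIOo
TCP OUTSIDE 192.168.2.40:20 INSIDE 192.168.1.40:34713, idle 0:02:40, bytes 821799360, flags UFRIO
"""

# Constructed from the syslog excerpts on this page (connection 25384 completes
# its whole lifecycle, connection 966 is still offloaded at the end of the log).
SAMPLE_SYSLOG = """\
Sep 27 2017 20:16:05: %ASA-6-302013: Built inbound TCP connection 25384 for INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-805001: Offloaded TCP Flow for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32809 (192.168.1.40/32809)
Sep 27 2017 20:16:05: %ASA-6-805002: TCP Flow is no longer offloaded for connection 25384 from INSIDE:192.168.1.40/32809 (192.168.1.40/32809) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Sep 27 2017 20:16:05: %ASA-6-302014: Teardown TCP connection 25384 for INSIDE:192.168.1.40/32809 to OUTSIDE:192.168.2.40/80 duration 0:00:00 bytes 1055048 TCP FINs
Oct 01 2017 14:36:51: %ASA-6-302013: Built inbound TCP connection 966 for INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from INSIDE:192.168.1.40/32840 (192.168.1.40/32840) to OUTSIDE:192.168.2.40/80 (192.168.2.40/80)
Oct 01 2017 14:36:51: %ASA-6-805001: Offloaded TCP Flow for connection 966 from OUTSIDE:192.168.2.40/80 (192.168.2.40/80) to INSIDE:192.168.1.40/32840 (192.168.1.40/32840)
"""

CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if1>\S+)\s+(?P<ep1>\S+)\s+(?P<if2>\S+)\s+(?P<ep2>\S+),\s+"
    r"idle\s+(?P<idle>\S+),\s+bytes\s+(?P<bytes>\d+),\s+flags\s+(?P<flags>.*)$"
)
SYSLOG_RE = re.compile(r"%ASA-\d-(?P<id>\d{6}):\s+(?P<msg>.*)$")
CONN_ID_RE = re.compile(r"\bconnection\s+(?P<cid>\d+)")

FLAG_MEANING = {
    "o": "offloaded to hardware",            # from this document
    "N": "redirected to Snort",              # from this document
    "N1": "preserve-connection enabled",     # ASA legend, assumption
    "U": "up", "I": "inbound data", "O": "outbound data",
    "F": "outside FIN", "f": "inside FIN",
    "R": "outside acknowledged FIN", "r": "inside acknowledged FIN",
}


def split_flags(flag_str):
    """'UIOo' -> ['U','I','O','o']; 'UIO N1' -> ['U','I','O','N1']."""
    out = []
    for tok in flag_str.split():
        if len(tok) > 1 and tok in FLAG_MEANING:
            out.append(tok)
        else:
            out.extend(tok)
    return out


def classify(flags):
    if "o" in flags:
        return "hardware offload"
    if "N" in flags:
        return "Lina + Snort"
    return "Lina only"


def parse_conn_table(text):
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # header and "Inspect Snort:" summary lines
        flags = split_flags(m["flags"])
        conns.append({
            "proto": m["proto"], "a": f'{m["if1"]} {m["ep1"]}', "b": f'{m["if2"]} {m["ep2"]}',
            "bytes": int(m["bytes"]), "flags": flags,
            "offloaded": "o" in flags, "snort": "N" in flags,
            "preserve_connection": "N1" in flags, "path": classify(flags),
            "decoded": [FLAG_MEANING.get(f, f"unknown flag {f}") for f in flags],
        })
    return conns


def offload_timeline(text):
    """Per connection id: build, per-direction offload/de-offload counts, teardown."""
    conns = {}
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        cid = CONN_ID_RE.search(m["msg"])
        if not cid:
            continue
        ev = conns.setdefault(cid["cid"], {"built": False, "offloaded_dirs": 0,
                                           "deoffloaded_dirs": 0, "torn_down": False, "bytes": None})
        sid = m["id"]
        if sid == "302013":
            ev["built"] = True
        elif sid == "805001":
            ev["offloaded_dirs"] += 1
        elif sid == "805002":
            ev["deoffloaded_dirs"] += 1
        elif sid == "302014":
            ev["torn_down"] = True
            b = re.search(r"\bbytes\s+(\d+)", m["msg"])
            ev["bytes"] = int(b.group(1)) if b else None
    for ev in conns.values():
        ev["still_offloaded"] = ev["offloaded_dirs"] > ev["deoffloaded_dirs"] and not ev["torn_down"]
    return conns


if __name__ == "__main__":
    for c in parse_conn_table(SAMPLE_CONN):
        print(f'{c["a"]} <-> {c["b"]}: {c["path"]} ({", ".join(c["decoded"])})')
    for cid, ev in offload_timeline(SAMPLE_SYSLOG).items():
        print(cid, ev)
```

Two offload messages per connection is the expected count on this platform (one per direction, as the logs above show); a connection with a single 805001 or with 805002 messages but no 302014 teardown is the kind of inconsistency this report is meant to surface.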
To see all packets (offloaded + Lina) that go through the FTD on an FP4100/9300, you need to enable a capture at the chassis level, as shown in the image:
The chassis backplane capture shows both directions. Due to the FXOS capture architecture (2 capture points per direction), each packet is shown twice, as shown in the image:
Based on the above:
Use case
In case a Prefilter Policy Fastpath action is applied to traffic that passes through an inline set (NGIPS interfaces), these points should be taken into account:
This is an example of a packet trace in case a Prefilter Fastpath action is applied on an inline set:
firepower# packet-tracer input inside tcp 192.168.1.40 12345 192.168.1.50 80 detailed

Phase: 1
Type: NGIPS-MODE
Subtype: ngips-mode
Result: ALLOW
Config:
Additional Information:
The flow ingressed an interface configured for NGIPS mode and NGIPS services will be applied
Forward Flow based lookup yields rule:
 in  id=0x2ad7ac48b330, priority=501, domain=ips-mode, deny=false
        hits=2, user_data=0x2ad80d54abd0, cs_id=0x0, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=inside, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip object 192.168.1.0 object 192.168.1.0 rule-id 268438531 event-log flow-end
access-list CSM_FW_ACL_ remark rule-id 268438531: PREFILTER POLICY: PF1
access-list CSM_FW_ACL_ remark rule-id 268438531: RULE: 1
Additional Information:
Forward Flow based lookup yields rule:
 in  id=0x2ad9f9f8a7f0, priority=12, domain=permit, trust
        hits=1, user_data=0x2ad9b23c5d40, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, ifc=any
        dst ip/id=192.168.1.0, mask=255.255.255.0, port=0, tag=any, ifc=any, vlan=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 3
Type: NGIPS-EGRESS-INTERFACE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
Ingress interface inside is in NGIPS inline mode.
Egress interface outside is determined by inline-set configuration

Phase: 4
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 7, packet dispatched to next module
Module information for forward flow ...
snp_fp_ips_tcp_state_track_lite
snp_fp_ips_mode_adj
snp_fp_tracer_drop
snp_ifc_stat

Module information for reverse flow ...
snp_fp_ips_tcp_state_track_lite
snp_fp_ips_mode_adj
snp_fp_tracer_drop
snp_ifc_stat

Result:
input-interface: inside
input-status: up
input-line-status: up
Action: allow
The above can be visualized as follows:
Consider a Prefilter policy that contains an Analyze rule, as shown in the image:
The ACP contains only the default rule, set to Block all traffic, as shown in the image:
This is the policy as implemented on the FTD Snort engine (ngfw.rules file):
# Start of tunnel and priority rules.
# These rules are evaluated by LINA. Only tunnel tags are used from the matched rule id.
268435460 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any (tunnel -1)
268435459 allow any any 1025-65535 any any 3544 any 17 (tunnel -1)
268435459 allow any any 3544 any any 1025-65535 any 17 (tunnel -1)
268435459 allow any any any any any any any 47 (tunnel -1)
268435459 allow any any any any any any any 41 (tunnel -1)
268435459 allow any any any any any any any 4 (tunnel -1)
# End of tunnel and priority rules.
# Start of AC rule.
268435458 deny any any any any any any any any (log dcforward flowstart)
# End of AC rule.
This is the policy as implemented on the FTD LINA engine:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=0) 0xb788b786
Verify the behavior
Testing with packet-tracer shows that the packet is allowed by LINA and forwarded to the Snort engine (because of the allow action), and that the Snort engine returns a Block verdict because the ACP default action is matched.
Note: Snort does not evaluate traffic against the tunnel rules.
Tracing a packet shows the same:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: DROP
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: block rule, id 268435458, drop
Snort: processed decoder alerts or actions queue, drop
NAP id 1, IPS id 0, Verdict BLACKLIST, Blocked by Firewall
Snort Verdict: (black-list) black list this flow

Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: drop
Drop-reason: (firewall) Blocked or blacklisted by the firewall preprocessor
If the goal is to let the packet traverse the FTD, a rule must be added to the ACP. The action can be Allow or Trust, depending on the goal (for example, if L7 inspection is required you must use the Allow action), as shown in the image:
Policy as implemented on the FTD Snort engine:
# Start of AC rule.
268435461 allow any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any any any any any any any (log dcforward flowstart)
# End of AC rule.
On the LINA engine:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=1) 0xb788b786
Verify the behavior
Packet-tracer shows that the packet matches rule 268435460 on LINA and rule 268435461 on the Snort engine:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: allow rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
If the ACP contains a Trust rule instead, as shown in the image, you have this:
Snort:
# Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any any any any any any any (log dcforward flowstart)
# End of AC rule.
LINA:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=2) 0xb788b786
Keep in mind that, because SI is enabled by default, the Trust rule is deployed as a permit action on LINA, so at least a few packets are redirected to the Snort engine for inspection.
Verify the behavior
Packet-tracer shows that the Snort engine whitelists the flow and essentially offloads the rest of the flow to LINA:
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
…
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
In this scenario SI is disabled manually.
The rule is deployed on Snort as follows:
# Start of AC rule.
268435461 fastpath any 192.168.1.40 32 any any 192.168.2.40 32 any any any
268435458 deny any any any any any any any any (log dcforward flowstart)
# End of AC rule.
On LINA the rule is deployed as a full-duplex trust. The packet must nevertheless match the permit rule (see the ACE hit counts) that is deployed because of the Analyze Prefilter rule, and the packet is inspected by the Snort engine:
access-list CSM_FW_ACL_ line 3 advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460 (hitcnt=3) 0xb788b786
...
access-list CSM_FW_ACL_ line 13 advanced trust ip host 192.168.1.40 host 192.168.2.40 rule-id 268435461 event-log flow-end (hitcnt=0) 0x5c1346d6
...
access-list CSM_FW_ACL_ line 16 advanced deny ip any any rule-id 268435458 event-log flow-start (hitcnt=0) 0x97aa021a
Verify the behavior
firepower# packet-tracer input INSIDE icmp 192.168.1.40 8 0 192.168.2.40
...
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip host 192.168.1.40 host 192.168.2.40 rule-id 268435460
access-list CSM_FW_ACL_ remark rule-id 268435460: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268435460: RULE: Prefilter_Rule1
Additional Information:
This packet will be sent to snort for additional processing where a verdict will be reached
...
Phase: 14
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
AppID: service ICMP (3501), application unknown (0)
Firewall: starting rule matching, zone -1 -> -1, geo 0 -> 0, vlan 0, sgt 65535, user 9999997, icmpType 8, icmpCode 0
Firewall: trust/fastpath rule, id 268435461, allow
NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow
…
Result:
input-interface: INSIDE
input-status: up
input-line-status: up
output-interface: OUTSIDE
output-status: up
output-line-status: up
Action: allow
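The Analyze-rule scenarios above all come down to one first-match lookup over the Snort-side ngfw.rules lines, with the tunnel/priority section left to LINA. The following Python evaluator is an added example, not code from the Cisco document or from FTD; it reproduces that lookup for the rule lines printed on this page and returns the rule id and Snort verdict (PASS, BLACKLIST or WHITELIST). The column layout of a rule line is inferred from the page's output and is an assumption; the field between the destination port and the protocol is not interpreted.

```python
import ipaddress

# Added example, not code from the Cisco document. Column layout assumed from the
# ngfw.rules lines shown on this page:
#   <rule-id> <action> <src-zone> <src> <src-port> <dst-zone> <dst> <dst-port> <extra> <proto> [(tags)]
# where <src>/<dst> is either "any" or "<ip> <prefix-len>"; <extra> is not interpreted.
# Rules in the "tunnel and priority" section carry a "(tunnel ...)" tag; LINA evaluates
# them and Snort does not, so they are skipped when deriving the Snort verdict.
VERDICTS = {"allow": "PASS", "deny": "BLACKLIST", "fastpath": "WHITELIST"}


def _take_addr(tokens):
    """Consume one endpoint: 'any' (match all) or 'ip prefix-len'. Returns (network, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ngfw_rules(text):
    """Parse the AC rule lines in order; comment lines and tunnel rules are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "(tunnel" in line:
            continue
        body = line.split("(")[0].split()        # drop trailing "(log ...)" tags
        rid, action = int(body[0]), body[1]
        src, rest = _take_addr(body[3:])         # body[2] is the source zone
        sport = rest[0]
        dst, rest = _take_addr(rest[2:])         # rest[1] is the destination zone
        rules.append({"id": rid, "action": action, "src": src, "sport": sport,
                      "dst": dst, "dport": rest[0], "proto": rest[2]})
    return rules


def _port_ok(spec, port):
    """A port spec is 'any', a single port, or a 'lo-hi' range."""
    if spec == "any":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def snort_verdict(rules, src_ip, dst_ip, proto, sport=0, dport=0):
    """First-match lookup: returns (rule-id, verdict), or None when no AC rule matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["proto"] not in ("any", str(proto)):
            continue
        if (r["src"] is not None and src not in r["src"]) or \
           (r["dst"] is not None and dst not in r["dst"]):
            continue
        if _port_ok(r["sport"], sport) and _port_ok(r["dport"], dport):
            return r["id"], VERDICTS[r["action"]]
    return None
```

Feeding it the three rule sets above with the ICMP echo from 192.168.1.40 to 192.168.2.40 yields the same verdicts the packet-tracer outputs show: the Analyze-only set ends at the default deny (BLACKLIST) because the tunnel rule is never consulted by Snort, while the Allow and Trust sets return PASS and WHITELIST on rule 268435461.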
Key Points
Use Cases
There are protocols, such as FTP and SIP, that dynamically negotiate and open secondary connections. FTD opens the pinholes for secondary connections independently at 2 levels:
In addition, when Snort opens a pinhole it signals LINA to open the same pinhole, in case it is not already open.
For protocols that negotiate and open secondary connections you must use the Allow action in the ACP, not Trust. The reason is that Snort needs to inspect a few packets (the number depends on the application) before it opens the pinhole at the Snort level. If a Trust action is used, most of the time only a few packets are sent to the Snort engine for inspection and the flow is offloaded to LINA before Snort has had time to inspect the protocol negotiation phase and open the required pinhole at the Snort level. The result is that LINA opens the pinhole, but Snort cuts the secondary connection (for example, the FTP data channel).
Note: For protocols that require FTD to open pinholes, make sure the ACP rule matches the application.
If the rule uses a protocol port instead, the Snort engine does not open a pinhole and flows such as FTP data are dropped by the FTD.
For more detailed information check the following document:
firepower# show access-list | include elements
access-list CSM_FW_ACL_; 7 elements; name hash: 0x4a69e3f3
How the rules are deployed:
Allow vs Trust
Note: Starting from FTD software 6.3, Dynamic Flow Offload can offload connections that meet additional criteria, including trusted packets that require Snort inspection. Check the 'Offload Large Connections (Flows)' section of the Firepower Management Center Configuration Guide for more detailed information.