Cisco has translated this document using a combination of machine and human technology so that users worldwide can read support content in their own language. Note that even the best machine translation is not as accurate as the work of a professional translator. Cisco Systems, Inc. is not responsible for the accuracy of these translations and recommends always consulting the original English document (link provided).
This document describes the configuration and operation of the Firepower Threat Defense (FTD) Prefilter Policy.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Prefilter Policy is a feature introduced in version 6.1 and serves three main purposes:
The Prefilter Policy can use a tunnel rule type, which allows the FTD to filter tunneled traffic on its inner and/or outer IP header. At the time of writing, tunneled traffic means the encapsulations matched by the default tunnel rule shown later in this document: GRE, IP-in-IP, IPv6-in-IP (IP protocol 41) and Teredo (UDP port 3544).
Consider the GRE tunnel shown in the figure.
When you ping R2 from R1 across the GRE tunnel, the traffic traverses the firewall as shown in the figure.
If the firewall is an ASA device, it checks the outer IP header, as the connection table shows:

```
ASA# show conn
GRE OUTSIDE 192.168.76.39:0 INSIDE 192.168.75.39:0, idle 0:00:17, bytes 520, flags
```

If the firewall is a Firepower device, it checks the inner IP header, as shown in the figure.
With a Prefilter Policy, the FTD device can match traffic on both the inner and the outer header.
Key points:

| Device | Header checked |
|---|---|
| ASA | Outer IP header |
| Snort | Inner IP header |
| FTD | Outer header (Prefilter Policy) + inner header (Access Control Policy (ACP)) |
The Prefilter Policy can also use a prefilter rule type, which provides early access control and allows a flow to bypass the Snort engine completely, as shown in the figure.
Task requirement:
Verify the default Prefilter Policy.
Solution:
Step 1. Navigate to Policies > Access Control > Prefilter. A default Prefilter Policy already exists, as shown in the figure.
Step 2. Select Edit to view the policy settings, as shown in the figure.
Step 3. The Prefilter Policy is already attached to the Access Control Policy, as shown in the figure.
The prefilter rules are added on top of the ACL:

```
firepower# show access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list CSM_FW_ACL_; 5 elements; name hash: 0x4a69e3f3
access-list CSM_FW_ACL_ line 1 remark rule-id 9998: PREFILTER POLICY: Default Tunnel and Priority Policy
access-list CSM_FW_ACL_ line 2 remark rule-id 9998: RULE: DEFAULT TUNNEL ACTION RULE
access-list CSM_FW_ACL_ line 3 advanced permit ipinip any any rule-id 9998 (hitcnt=0) 0xf5b597d6
access-list CSM_FW_ACL_ line 4 advanced permit 41 any any rule-id 9998 (hitcnt=0) 0x06095aba
access-list CSM_FW_ACL_ line 5 advanced permit gre any any rule-id 9998 (hitcnt=5) 0x52c7a066
access-list CSM_FW_ACL_ line 6 advanced permit udp any any eq 3544 rule-id 9998 (hitcnt=0) 0xcf6309bc
```
Task requirement:
Block ICMP traffic that is tunneled inside the GRE tunnel.
Solution:
Step 1. If this ACP is applied, you can see that Internet Control Message Protocol (ICMP) traffic is blocked regardless of whether it goes through the GRE tunnel or not, as shown in the figure.

```
R1# ping 192.168.76.39
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.76.39, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

```
R1# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```
In this case, a Prefilter Policy can meet the task requirement. The logic is as follows: tag the GRE tunnel traffic with a tunnel rule, then reference that tag in an Access Control Policy rule that blocks ICMP.
From an architecture point of view, a packet is first checked against the LINA (the ASA data-plane engine) prefilter rules, then against the Snort prefilter rules and the ACP, and finally Snort instructs LINA to drop it. Because Snort needs to see the flow before it can reach a verdict, the first packet of the flow goes through the FTD device.
Step 1. Define a tag for the tunneled traffic.
Navigate to Policies > Access Control > Prefilter and create a new Prefilter Policy. Remember that the default Prefilter Policy cannot be edited, as shown in the figure.
In a Prefilter Policy you can define two types of rules: tunnel rules and prefilter rules.
Think of these two as completely different features that happen to be configured within the Prefilter Policy.
For this task, a tunnel rule must be defined, as shown in the figure.
About the Action:

| Action | Description |
|---|---|
| Analyze | After LINA, the Snort engine inspects the traffic. Optionally, a tunnel tag can be assigned to the tunneled traffic. |
| Block | The traffic is blocked by LINA. Only the outer header is checked. |
| Fastpath | The flow is handled by LINA only; the Snort engine is not engaged. |
Step 2. Define an Access Control Policy for the tagged traffic.
Although it is not very intuitive at first, an Access Control Policy rule can use the tunnel tag as a source zone. Navigate to Policies > Access Control and create a rule that blocks ICMP for the tagged traffic, as shown in the figure.
Note: the new Prefilter Policy is attached to the Access Control Policy.
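To make concrete what the two steps above rely on (LINA matching the outer header, Snort matching the inner header, and the tunnel tag bridging the two), here is an added Python example. It is not part of the Cisco document and does not use any FTD API: it builds a GRE-encapsulated ICMP echo the way R1 sends it, parses both IP headers, and applies a tunnel rule followed by an ACP rule whose source zone is the tunnel tag. The packet builders, the rule dictionaries, the zone name GRE_Tunnel and the Allow default action are assumptions made for this example.

```python
"""Added example (not from the Cisco document): one GRE packet, two headers, two rule types.

Assumptions: header layouts follow RFC 791 (IPv4), RFC 2784 (GRE) and RFC 792 (ICMP);
the rule dictionaries, the zone name "GRE_Tunnel" and the Allow default action are
stand-ins for the FMC objects, not an FTD API."""
import ipaddress
import struct

PROTO_ICMP, PROTO_TCP, PROTO_GRE = 1, 6, 47
ICMP_ECHO_REQUEST = 8


def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header: version 4, IHL 5, no options, checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def icmp_echo(icmp_type, ident=65, seq=0, data=b"\x00" * 72):
    """ICMP echo with 72 data bytes: the 80-byte ICMP message of R1's 100-byte ping."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + data


def gre_packet(outer_src, outer_dst, inner_src, inner_dst, inner_proto=PROTO_ICMP):
    """Outer IPv4 / GREv0 / inner IPv4 / payload, like the lab's GRE tunnel (constructed)."""
    payload = icmp_echo(ICMP_ECHO_REQUEST) if inner_proto == PROTO_ICMP else b"\x00" * 20
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    gre = struct.pack("!HH", 0x0000, 0x0800)  # no C/K/S flags, protocol type IPv4
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner


def plain_icmp_packet(src, dst):
    """The same echo request sent directly, without a tunnel (constructed)."""
    payload = icmp_echo(ICMP_ECHO_REQUEST)
    return ipv4_header(src, dst, PROTO_ICMP, len(payload)) + payload


def parse_ipv4(buf):
    ihl = (buf[0] & 0x0F) * 4
    hdr = {"src": ipaddress.IPv4Address(buf[12:16]),
           "dst": ipaddress.IPv4Address(buf[16:20]),
           "proto": buf[9]}
    return hdr, buf[ihl:]


def parse_packet(buf):
    """Return (outer, inner). inner is None when the packet is not GRE-tunneled IPv4."""
    outer, rest = parse_ipv4(buf)
    if outer["proto"] == PROTO_GRE:
        flags, ptype = struct.unpack("!HH", rest[:4])
        if flags & 0xB000:
            raise ValueError("GRE checksum/key/sequence fields are out of scope here")
        if ptype == 0x0800:
            inner, payload = parse_ipv4(rest[4:])
            inner["icmp_type"] = payload[0] if inner["proto"] == PROTO_ICMP else None
            return outer, inner
    outer["icmp_type"] = rest[0] if outer["proto"] == PROTO_ICMP else None
    return outer, None


# Step 1, tunnel rule: evaluated by LINA on the OUTER header only (assumed objects).
TUNNEL_RULES = [
    {"name": "GRE_Tag", "proto": PROTO_GRE, "action": "Analyze", "tunnel_zone": "GRE_Tunnel"},
]
# Step 2, ACP rule: evaluated by Snort on the header it sees, the INNER one for tunneled
# traffic, with the tunnel tag used as the source zone.
ACP_RULES = [
    {"name": "Block ICMP", "src_zone": "GRE_Tunnel", "proto": PROTO_ICMP, "action": "Block"},
]
ACP_DEFAULT = ("Allow", "Default Action")  # assumption for this example


def evaluate(buf):
    """Return (action, rule name): LINA tunnel rules first, then the Snort ACP."""
    outer, inner = parse_packet(buf)
    tunnel_zone = None
    for rule in TUNNEL_RULES:
        if outer["proto"] == rule["proto"]:
            if rule["action"] in ("Block", "Fastpath"):
                return rule["action"], rule["name"]  # decided in LINA; Snort never sees it
            tunnel_zone = rule.get("tunnel_zone")
            break
    visible = inner if inner is not None else outer
    for rule in ACP_RULES:
        zone_ok = rule["src_zone"] is None or rule["src_zone"] == tunnel_zone
        if zone_ok and visible["proto"] == rule["proto"]:
            return rule["action"], rule["name"]
    return ACP_DEFAULT


if __name__ == "__main__":
    samples = [
        ("ICMP inside GRE", gre_packet("192.168.75.39", "192.168.76.39", "10.0.0.1", "10.0.0.2")),
        ("ICMP, no tunnel", plain_icmp_packet("192.168.75.39", "192.168.76.39")),
        ("TCP inside GRE", gre_packet("192.168.75.39", "192.168.76.39", "10.0.0.1", "10.0.0.2", PROTO_TCP)),
    ]
    for label, pkt in samples:
        print(f"{label:16} -> {evaluate(pkt)}")
```

Only the tunneled ICMP is blocked; the same echo request sent without the tunnel, and non-ICMP traffic inside the tunnel, fall through to the default action, which is the behaviour the task asks for. The constructed packet is 124 bytes, which is the "GREv0, length 104" (outer IP payload) that the CLISH capture later shows.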
Verification:
Enable captures on LINA and in CLISH:

```
firepower# show capture
capture CAPI type raw-data trace interface inside [Capturing - 152 bytes]
capture CAPO type raw-data trace interface outside [Capturing - 152 bytes]
```

```
> capture-traffic
Please choose domain to capture traffic from:
  0 - br1
  1 - Router
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: -n
```
From R1, try to ping the remote GRE tunnel endpoint. The ping fails:

```
R1# ping 10.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

The CLISH capture shows that the first echo request went through the FTD and its reply was blocked. The remaining echo requests are still seen by Snort, but, as the LINA outside capture below shows, they never leave the device:

```
Options: -n
18:21:07.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 0, length 80
18:21:07.759939 IP 192.168.76.39 > 192.168.75.39: GREv0, length 104: IP 10.0.0.2 > 10.0.0.1: ICMP echo reply, id 65, seq 0, length 80
18:21:09.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 1, length 80
18:21:11.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 2, length 80
18:21:13.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 3, length 80
18:21:15.759939 IP 192.168.75.39 > 192.168.76.39: GREv0, length 104: IP 10.0.0.1 > 10.0.0.2: ICMP echo request, id 65, seq 4, length 80
```

The LINA captures confirm this: all five requests arrive on the inside interface, but only the first request and its reply appear on the outside interface:

```
> show capture CAPI | include ip-proto-47
 102: 18:21:07.767523 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
 107: 18:21:09.763739 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
 111: 18:21:11.763769 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
 115: 18:21:13.763784 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
 120: 18:21:15.763830 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
>
> show capture CAPO | include ip-proto-47
  93: 18:21:07.768133 192.168.75.39 > 192.168.76.39:  ip-proto-47, length 104
  94: 18:21:07.768438 192.168.76.39 > 192.168.75.39:  ip-proto-47, length 104
```
Enable firewall-engine-debug in CLISH, clear the LINA ASP drop counters and run the same test. The CLISH debug shows that both packets hit the prefilter tunnel rule (tunnel zone 1). For the echo request, the ACP rule 'Block ICMP' is still pending because application identification (AppId) has not completed, so that packet is allowed through; for the echo reply the rule matches and the flow is denied:

```
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 New session
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 8, icmpCode 0
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 pending rule order 3, 'Block ICMP', AppId
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, icmpType 0, icmpCode 0
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 match rule order 3, 'Block ICMP', action Block
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 deny action
```
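The debug output is dense enough that it helps to extract the decision sequence per flow programmatically. The following Python parser is an added example, not from the Cisco document: it reads firewall-engine-debug lines of the format shown above, groups them by flow, and reports the prefilter rule and tunnel zone applied, how many ACP evaluations were made while the verdict was still pending on AppId (each of those is a packet Snort let through), and the final action. The sample lines are the ones shown above; the field names of the summary are this example's own.

```python
"""Added example (not from the Cisco document): summarize firewall-engine-debug per flow.

The line format (src-port > dst-port proto AS n I m message) and the message wording are
taken from the debug output on the page; the summary fields are this example's own."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+) (?P<proto>\d+) AS (?P<asn>\d+) I (?P<inst>\d+) (?P<msg>.*)$")
PREFILTER = re.compile(r"uses prefilter rule (\d+) with tunnel zone (\d+)")
PENDING = re.compile(r"pending rule order (\d+), '([^']+)', (\w+)")
MATCH = re.compile(r"match rule order (\d+), '([^']+)', action (\w+)")

# Debug lines copied from the page, used here as the sample input.
SAMPLE = """\
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 New session
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 0, payload 0, client 0, misc 0, user 9999997, icmpType 8, icmpCode 0
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 pending rule order 3, 'Block ICMP', AppId
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 uses prefilter rule 268434441 with tunnel zone 1
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 Starting with minimum 0, id 0 and SrcZone first with zones 1 -> -1, geo 0 -> 0, vlan 0, sgt tag: 65535, svc 3501, payload 0, client 2000003501, misc 0, user 9999997, icmpType 0, icmpCode 0
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 match rule order 3, 'Block ICMP', action Block
10.0.0.1-8 > 10.0.0.2-0 1 AS 1 I 0 deny action
"""


def new_flow():
    return {"prefilter_rule": None, "tunnel_zone": None, "evaluations": 0,
            "pending": [], "verdict": None, "final_action": None}


def summarize(debug_text):
    """Group debug lines by flow key and extract the decision sequence for each flow."""
    flows = defaultdict(new_flow)
    for raw in debug_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a per-flow debug line
        flow = flows[f"{m['src']} > {m['dst']} proto {m['proto']}"]
        msg = m["msg"]
        if (p := PREFILTER.search(msg)):
            flow["prefilter_rule"], flow["tunnel_zone"] = int(p[1]), int(p[2])
        elif msg.startswith("Starting with minimum"):
            flow["evaluations"] += 1              # one ACP evaluation per packet Snort sees
        elif (p := PENDING.search(msg)):
            flow["pending"].append((p[2], p[3]))  # (rule name, what the match waits for)
        elif (p := MATCH.search(msg)):
            flow["verdict"] = (p[2], p[3])        # (rule name, configured action)
        elif msg.endswith(" action"):
            flow["final_action"] = msg.rsplit(" ", 1)[0]  # e.g. "deny" or "allow"
    return dict(flows)


def packets_passed_before_verdict(flow):
    """Packets Snort had to let through while the ACP rule match was still pending."""
    return len(flow["pending"])


if __name__ == "__main__":
    for key, flow in summarize(SAMPLE).items():
        print(key, flow, "passed before verdict:", packets_passed_before_verdict(flow))
```

Run on the page's debug output, the summary reports one pending evaluation before the Block verdict: that is the echo request that reached R2 while its reply was dropped, and it is the reason a Block rule on tunneled traffic never shows 100 percent loss on the very first packet.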
The ASP drops show that Snort dropped the packets (the blocked reply plus the four later echo requests):

```
> show asp drop

Frame drop:
  No route to host (no-route)                                                366
  Reverse-path verify failed (rpf-violated)                                    2
  Flow is denied by configured rule (acl-drop)                                 2
  Snort requested to drop the frame (snort-drop)                               5
```

In Connection Events you can see the Prefilter Policy and rule that were matched, as shown in the figure.
Network Diagram
Task requirement:
Bypass the Snort engine (Fastpath) for traffic from the 192.168.75.0/24 network while the Access Control Policy blocks all other traffic.
Solution:
Step 1. The Access Control Policy blocks all traffic, as shown in the figure.
Step 2. Add a prefilter rule with the Fastpath action for source network 192.168.75.0/24, as shown in the figure.
Step 3. The result is shown in the figure.
Step 4. Save and deploy.
Enable captures with trace on both FTD interfaces:

```
firepower# capture CAPI int inside trace match icmp any any
firepower# capture CAPO int outside trace match icmp any any
```

Try to ping R2 (192.168.76.39) from R1 (192.168.75.39) through the FTD. The ping fails:

```
R1# ping 192.168.76.39
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.76.39, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
```

The capture on the inside interface shows:

```
firepower# show capture CAPI

5 packets captured

   1: 23:35:07.281738 192.168.75.39 > 192.168.76.39: icmp: echo request
   2: 23:35:09.278641 192.168.75.39 > 192.168.76.39: icmp: echo request
   3: 23:35:11.279251 192.168.75.39 > 192.168.76.39: icmp: echo request
   4: 23:35:13.278778 192.168.75.39 > 192.168.76.39: icmp: echo request
   5: 23:35:15.279282 192.168.75.39 > 192.168.76.39: icmp: echo request
5 packets shown
```

The trace of the first packet (echo request) shows that the Fastpath prefilter rule, compiled as a trust ACE, is matched in Phase 4 and that a new flow (id 52) is created in Phase 12:
```
firepower# show capture CAPI packet-number 1 trace

5 packets captured

   1: 23:35:07.281738 192.168.75.39 > 192.168.76.39: icmp: echo request
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.76.39 using egress ifc outside

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip 192.168.75.0 255.255.255.0 any rule-id 268434448 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434448: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434448: RULE: Fastpath_src_192.168.75.0/24
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 11
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 12
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 52, packet dispatched to next module

Phase: 13
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip 192.168.75.0 255.255.255.0 any rule-id 268434448 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434448: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434448: RULE: Fastpath_src_192.168.75.0/24
Additional Information:

Phase: 14
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 15
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 16
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 17
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.76.39 using egress ifc outside

Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0004.deab.681b hits 140372416161507

Phase: 19
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

1 packet shown
firepower#
```
The capture on the outside interface shows the replies coming back from R2:

```
firepower# show capture CAPO

10 packets captured

   1: 23:35:07.282044 192.168.75.39 > 192.168.76.39: icmp: echo request
   2: 23:35:07.282227 192.168.76.39 > 192.168.75.39: icmp: echo reply
   3: 23:35:09.278717 192.168.75.39 > 192.168.76.39: icmp: echo request
   4: 23:35:09.278962 192.168.76.39 > 192.168.75.39: icmp: echo reply
   5: 23:35:11.279343 192.168.75.39 > 192.168.76.39: icmp: echo request
   6: 23:35:11.279541 192.168.76.39 > 192.168.75.39: icmp: echo reply
   7: 23:35:13.278870 192.168.75.39 > 192.168.76.39: icmp: echo request
   8: 23:35:13.279023 192.168.76.39 > 192.168.75.39: icmp: echo reply
   9: 23:35:15.279373 192.168.75.39 > 192.168.76.39: icmp: echo request
  10: 23:35:15.279541 192.168.76.39 > 192.168.75.39: icmp: echo reply
10 packets shown
```

The trace of the return packet shows that it matches the existing flow (52) but is then blocked by the ACL, because the Fastpath rule only covers traffic sourced from 192.168.75.0/24 and the reply falls through to the ACP default deny:

```
firepower# show capture CAPO packet-number 2 trace

10 packets captured

   2: 23:35:07.282227 192.168.76.39 > 192.168.75.39: icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 52, uses current flow

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434432 event-log flow-start
access-list CSM_FW_ACL_ remark rule-id 268434432: ACCESS POLICY: ACP_5506-1 - Default/1
access-list CSM_FW_ACL_ remark rule-id 268434432: L4 RULE: DEFAULT ACTION RULE
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```
Step 5. Add another prefilter rule for the return traffic. The result is shown in the figure.
Now the trace of the return packet shows that it matches the new Fastpath rule for destination 192.168.75.0/24 (rule-id 268434450) in Phase 4 and is allowed:
```
firepower# show capture CAPO packet-number 2 trace

10 packets captured

   2: 00:01:38.873123 192.168.76.39 > 192.168.75.39: icmp: echo reply
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found flow with id 62, uses current flow

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced trust ip any 192.168.75.0 255.255.255.0 rule-id 268434450 event-log both
access-list CSM_FW_ACL_ remark rule-id 268434450: PREFILTER POLICY: Prefilter_Policy1
access-list CSM_FW_ACL_ remark rule-id 268434450: RULE: Fastpath_dst_192.168.75.0/24
Additional Information:

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.75.39 using egress ifc inside

Phase: 9
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address c84c.758d.4981 hits 140376711128802

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow
```
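The two traces above, taken together, show the practical caveat of this task: a Fastpath prefilter rule is compiled to a trust ACE on top of the LINA ACL, and the return packet of a trusted flow is checked against that ACL again, so a one-directional rule lets the echo request out and drops the reply. The following Python model is an added example, not from the Cisco document: it reproduces the ACE lines from the traces, renders them the way show access-list prints them for side-by-side comparison, and evaluates the echo request and reply with and without the Step 5 return rule. The lookup logic is a simplification written for this example (an assumption), not LINA's code.

```python
"""Added example (not from the Cisco document): the LINA ACL lookup behind Steps 2 and 5.

ACE contents (actions, networks, rule ids, remarks, event-log settings) are copied from
the traces on the page. The first-match lookup and the re-evaluation of the reply are this
example's simplification (assumption) of what the FLOW-LOOKUP / ACCESS-LIST phases show."""
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")


def ace(action, src, dst, rule_id, policy, rule_name, event_log):
    return {"action": action, "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "rule_id": rule_id, "policy": policy, "rule_name": rule_name, "event_log": event_log}


def build_acl(with_return_rule):
    """Prefilter rules first (they sit on top of the ACL), the ACP default action last."""
    acl = [ace("trust", "192.168.75.0/24", "0.0.0.0/0", 268434448,
               "PREFILTER POLICY: Prefilter_Policy1", "RULE: Fastpath_src_192.168.75.0/24", "both")]
    if with_return_rule:  # Step 5 of the task
        acl.append(ace("trust", "0.0.0.0/0", "192.168.75.0/24", 268434450,
                       "PREFILTER POLICY: Prefilter_Policy1", "RULE: Fastpath_dst_192.168.75.0/24", "both"))
    acl.append(ace("deny", "0.0.0.0/0", "0.0.0.0/0", 268434432,
                   "ACCESS POLICY: ACP_5506-1 - Default/1", "L4 RULE: DEFAULT ACTION RULE", "flow-start"))
    return acl


def _net(network):
    return "any" if network == ANY else f"{network.network_address} {network.netmask}"


def render(acl):
    """Render ACEs in the format of `show access-list`, to compare with device output."""
    lines = []
    for e in acl:
        lines.append(f"access-list CSM_FW_ACL_ advanced {e['action']} ip {_net(e['src'])} "
                     f"{_net(e['dst'])} rule-id {e['rule_id']} event-log {e['event_log']}")
        lines.append(f"access-list CSM_FW_ACL_ remark rule-id {e['rule_id']}: {e['policy']}")
        lines.append(f"access-list CSM_FW_ACL_ remark rule-id {e['rule_id']}: {e['rule_name']}")
    return lines


def lookup(acl, src, dst):
    """First matching ACE wins; the list always ends with the explicit default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return next(e for e in acl if s in e["src"] and d in e["dst"])


def ping_exchange(acl, client="192.168.75.39", server="192.168.76.39"):
    """Evaluate the echo request and, if it got out, the echo reply on its way back."""
    request = lookup(acl, client, server)
    if request["action"] == "deny":
        return {"request": request["rule_id"], "reply": None, "success": False}
    reply = lookup(acl, server, client)  # the reply is evaluated again, as the trace shows
    return {"request": request["rule_id"], "reply": reply["rule_id"],
            "success": reply["action"] != "deny"}


if __name__ == "__main__":
    for step, acl in (("Step 2 (one Fastpath rule)", build_acl(False)),
                      ("Step 5 (return rule added)", build_acl(True))):
        print(step, ping_exchange(acl))
        print("\n".join(render(acl)), "\n")
```

With only the Step 2 rule the request hits rule-id 268434448 and the reply hits the default deny 268434432, exactly the two ACEs seen in the traces; with the Step 5 rule the reply hits 268434450 and the ping succeeds. The rendered lines can be diffed against the device's show access-list output when verifying a deployment.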
Use this section to confirm that your configuration works properly.
Verification is described in the individual task sections.
There is currently no specific information available to troubleshoot this configuration.
| Revision | Publish Date | Comments |
|---|---|---|
| 4.0 | 12-May-2023 | Removed PII. Added Alt text. Updated title, introduction, SEO, machine translation, gerunds and formatting. |
| 1.0 | 29-Jan-2018 | Initial release |