Wednesday, September 23, 2020

FTD firewall capture

> capture icmp trace detail interface cedge301-dia match icmp any any

> show capture
capture icmp type raw-data trace detail interface cedge301-dia [Capturing - 536 bytes]
  match icmp any any

> show capture icmp

5 packets captured

   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
   2: 07:12:33.149726       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
   3: 07:12:35.141884       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
   4: 07:12:37.154777       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
   5: 07:12:39.146690       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
5 packets shown

> show capture icmp packet-number 1

5 packets captured

   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
1 packet shown

> show capture icmp trace

5 packets captured

   1: 07:12:31.147178       802.1Q vlan#200 P0 192.168.0.1 > 8.8.8.8: icmp: echo request
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad3b18430, priority=13, domain=capture, deny=false
        hits=3, user_data=0x2aaad240bea0, cs_id=0x0, l3_type=0x0
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0000.0000.0000
        input_ifc=cedge301-dia, output_ifc=any

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad399b7f0, priority=1, domain=permit, deny=false
        hits=274029, user_data=0x0, cs_id=0x0, l3_type=0x8
        src mac=0000.0000.0000, mask=0000.0000.0000
        dst mac=0000.0000.0000, mask=0100.0000.0000
        input_ifc=cedge301-dia, output_ifc=any

Phase: 3
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.29.182 using egress ifc  Outside-interface

Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip ifc cedge301-dia any4 ifc Outside-interface any4 rule-id 268435458
access-list CSM_FW_ACL_ remark rule-id 268435458: ACCESS POLICY: MainPolicy - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268435458: L7 RULE: Trust-inside-to-outside
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached
 Forward Flow based lookup yields rule:
 in  id=0x2aaad3adfb20, priority=12, domain=permit, deny=false
        hits=281, user_data=0x2aaac757ea00, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=cedge301-dia
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, ifc=Outside-interface, vlan=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 5
Type: CONN-SETTINGS
Subtype:
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad39b2e60, priority=7, domain=conn-set, deny=false
        hits=281, user_data=0x2aaad23ca100, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=cedge301-dia, output_ifc=any

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad1846550, priority=0, domain=nat-per-session, deny=true
        hits=12362, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad39a13e0, priority=0, domain=inspect-ip-options, deny=true
        hits=287, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=cedge301-dia, output_ifc=any

Phase: 8
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad39afe80, priority=70, domain=inspect-icmp, deny=false
        hits=6, user_data=0x2aaad2b08bc0, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=cedge301-dia, output_ifc=any

Phase: 9
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad39b1120, priority=70, domain=inspect-icmp-error, deny=false
        hits=6, user_data=0x2aaad2b09700, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=cedge301-dia, output_ifc=any

Phase: 10
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x2aaad3b1fce0, priority=13, domain=capture, deny=false
        hits=2, user_data=0x2aaad240bea0, cs_id=0x2aaad240bd70, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=cedge301-dia, output_ifc=any

Phase: 11
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaad1846550, priority=0, domain=nat-per-session, deny=true
        hits=12364, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 12
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 in  id=0x2aaad3933830, priority=0, domain=inspect-ip-options, deny=true
        hits=12300, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
        input_ifc=Outside-interface, output_ifc=any

Phase: 13
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
 Reverse Flow based lookup yields rule:
 out id=0x2aaad3b20390, priority=13, domain=capture, deny=false
        hits=1, user_data=0x2aaad240bea0, cs_id=0x2aaad240bd70, reverse, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=any
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=any, dscp=0x0
        input_ifc=any, output_ifc=cedge301-dia

Phase: 14
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12375, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_snort
snp_fp_inspect_icmp
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_inspect_icmp
snp_fp_snort
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Phase: 15
Type: EXTERNAL-INSPECT
Subtype:
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 16
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: ICMP
Session: new snort session
AppID: service ICMP (3501), application unknown (0)
Firewall: trust/fastpath rule, id 268435458, allow
Snort id 1, NAP id 1, IPS id 0, Verdict WHITELIST
Snort Verdict: (fast-forward) fast forward this flow

Phase: 17
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.29.182 using egress ifc  Outside-interface

Phase: 18
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 5000.0042.0004 hits 374 reference 1

Result:
input-interface: cedge301-dia
input-status: up
input-line-status: up
output-interface: Outside-interface
output-status: up
output-line-status: up
Action: allow
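Added example, not part of the original post: a small parser for the phase blocks that `show capture <name> trace` prints, so the per-phase verdicts, the ACL rule-ids that matched and the Snort verdict can be pulled out of a trace programmatically and the first non-ALLOW phase located when a packet is dropped. The embedded sample is a constructed, abridged copy of the layout above.

```python
import re

# Constructed sample in the same layout as the FTD trace output above (abridged).
SAMPLE_ALLOW = """\
Phase: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
access-list CSM_FW_ACL_ advanced permit ip ifc cedge301-dia any4 ifc Outside-interface any4 rule-id 268435458
Phase: 16
Type: SNORT
Subtype:
Result: ALLOW
Snort Verdict: (fast-forward) fast forward this flow
Result:
Action: allow
"""

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
KV_RE = re.compile(r"^(Type|Subtype|Result):\s*(.*?)\s*$")
RULE_ID_RE = re.compile(r"rule-id (\d+)")
VERDICT_RE = re.compile(r"Snort Verdict: \((\S+)\)")
ACTION_RE = re.compile(r"^Action:\s*(\w+)")

def parse_trace(text):
    """Return phases (number/type/subtype/result), ACL rule-ids, Snort verdict and final action."""
    summary = {"phases": [], "rule_ids": [], "snort_verdict": None, "action": None}
    cur = None
    for line in text.splitlines():
        line = line.strip()
        if (m := PHASE_RE.match(line)):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            summary["phases"].append(cur)
        elif (m := KV_RE.match(line)) and cur is not None:
            key, val = m.group(1).lower(), m.group(2)
            if key == "result" and val == "":
                cur = None  # a bare "Result:" opens the final summary block, not a phase field
            else:
                cur[key] = val
        elif (m := RULE_ID_RE.search(line)) and line.startswith("access-list"):
            rid = int(m.group(1))
            if rid not in summary["rule_ids"]:  # remark lines repeat the same rule-id
                summary["rule_ids"].append(rid)
        elif (m := VERDICT_RE.search(line)):
            summary["snort_verdict"] = m.group(1)
        elif (m := ACTION_RE.match(line)):
            summary["action"] = m.group(1)
    return summary

def first_non_allow(summary):
    """First phase whose Result is not ALLOW (where the data path stopped the packet), else None."""
    return next((p for p in summary["phases"] if p["result"] != "ALLOW"), None)
```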

