Packet Tracer in Firepower Threat Defense

I wanted to share a quick post on a feature that I have found incredibly useful on the ASA and has been extended to Firepower Threat Defense. The feature is called Packet Tracer and is an easy way to apply “packet walk” logic to a flow that would be initiated through the platform. Like most things FTD, the Firepower Management Console is the point of contact for initiating the process.

To initiate Packet Tracer in FTD, open the Firepower Management Console and choose ‘Devices’ then ‘Device Management’. Next, select the device on which you want to perform the operation and click the icon that looks like a screwdriver and wrench.

[Screenshot: Devices > Device Management]

This will produce the screen that provides health monitoring and troubleshooting for the device. Selecting “Advanced Troubleshooting” will change the view to a multi-tab troubleshooting screen.

[Screenshot: Advanced Troubleshooting]

Selecting the Packet Tracer tab presents the inputs for the simulated packet: source and destination addresses, protocol, port, SGT, and so on.

[Screenshot: Packet Tracer input form]

After filling out this information and choosing “Start”, the device processes the simulated packet exactly as it would the initial packet of a new connection. The resulting packet walk is shown as an expandable tree view or as raw text (user selectable).

Tree View

[Screenshot: tree view of the packet trace]

Raw

Phase: 1
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.1 using egress ifc  outside

Phase: 3
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434433 
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: FTD-5525 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Monitor URL
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 4
Type: CONN-SETTINGS
Subtype: 
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information:

Phase: 5
Type: NAT
Subtype: 
Result: ALLOW
Config:
object network Inside
 nat (inside,outside) static Outside
Additional Information:
Static translate 192.168.1.100/1025 to 192.168.2.98/1025

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 7
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 8
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 9
Type: IP-OPTIONS
Subtype: 
Result: ALLOW
Config:
Additional Information:

Phase: 10
Type: FLOW-CREATION
Subtype: 
Result: ALLOW
Config:
Additional Information:
New flow created with id 999925, packet dispatched to next module

Phase: 11
Type: EXTERNAL-INSPECT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Application: 'SNORT Inspect'

Phase: 12
Type: SNORT
Subtype: 
Result: ALLOW
Config:
Additional Information:
Snort Trace:
Packet: TCP, SYN, seq 505546070
AppID: service unknown (0), application unknown (0)
Firewall: starting rule matching, zone 2 -> 1, geo 0 -> 0, vlan 0, sgt 65535, username 'No Authentication Required', , icmpType 0, icmpCode 0
Firewall: pending rule-matching,  'Monitor URL' , pending URL
NAP id 1, IPS id 0, Verdict PASS
Snort Verdict: (pass-packet) allow this packet

Phase: 13
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 192.168.2.1 using egress ifc  outside

Phase: 14
Type: ADJACENCY-LOOKUP
Subtype: next-hop and adjacency
Result: ALLOW
Config:
Additional Information:
adjacency Active
next-hop mac address 0018.0a46.a268 hits 4294993594

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow
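The raw output above is regular enough to parse, which is handy when you want to compare many traces or pull the matching ACP rule out of a trace without reading every phase. The following Python parser is an added example written for this post, not code from the original article or from Cisco: it splits a raw trace into phases, reports the first phase that did not ALLOW, and maps each access-list rule-id to the remark lines that name the Access Control Policy rule. The two SAMPLE_* traces are constructed inputs: the allow trace is a shortened, renumbered version of the output shown above, and the drop trace assumes that a denied flow reports Result: DROP on the blocking phase and a Drop-reason line in the final Result block, which is how the ASA reports it.

```python
import re
from dataclasses import dataclass, field

# Added example, not the post's own code. Parses raw packet-tracer output into
# per-phase records. SAMPLE_ALLOW/SAMPLE_DROP are constructed inputs: the first is
# shortened from the post's trace, the second assumes ASA-style drop reporting.
@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    config: list = field(default_factory=list)   # lines under "Config:"
    info: list = field(default_factory=list)     # lines under "Additional Information:"

PHASE_RE = re.compile(r"^Phase:\s*(\d+)\s*$")
RULE_ID_RE = re.compile(r"rule-id (\d+)(?::\s*(.*))?$")

def parse_packet_tracer(text):
    """Return (phases, summary): the per-phase records and the final 'Result:' block."""
    phases, summary, cur, section = [], {}, None, None
    for line in (l.rstrip() for l in text.splitlines() if l.strip()):
        if m := PHASE_RE.match(line):               # "Phase: N" opens a new phase
            cur, section = Phase(int(m.group(1))), None
            phases.append(cur)
        elif line == "Result:":                      # bare "Result:" opens the summary block
            cur, section = None, "summary"
        elif section == "summary":
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is None:
            continue
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, _, value = line.partition(":")      # "Result: ALLOW" is the per-phase verdict
            setattr(cur, key.lower(), value.strip())
        elif line.startswith("Config:"):
            section = "config"
        elif line.startswith("Additional Information:"):
            section = "info"
        elif section:                                # body line of the current sub-section
            getattr(cur, section).append(line.strip())
    return phases, summary

def first_drop(phases):
    """First phase whose result is not ALLOW, or None if every phase passed."""
    return next((p for p in phases if p.result and p.result != "ALLOW"), None)

def matched_rules(phases):
    """Map each access-list rule-id to its remark text, which names the ACP rule that matched."""
    rules = {}
    for line in (l for p in phases if p.type == "ACCESS-LIST" for l in p.config):
        if m := RULE_ID_RE.search(line):
            remarks = rules.setdefault(int(m.group(1)), [])
            if m.group(2):                           # only remark lines carry text after the id
                remarks.append(m.group(2))
    return rules

SAMPLE_ALLOW = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-list CSM_FW_ACL_ advanced permit ip any any rule-id 268434433
access-list CSM_FW_ACL_ remark rule-id 268434433: ACCESS POLICY: FTD-5525 ACP - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Monitor URL
Additional Information:
 This packet will be sent to snort for additional processing where a verdict will be reached

Phase: 2
Type: SNORT
Subtype:
Result: ALLOW
Config:
Additional Information:
Snort Verdict: (pass-packet) allow this packet

Result:
input-interface: inside
output-interface: outside
Action: allow
"""

SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434434
access-list CSM_FW_ACL_ remark rule-id 268434434: ACCESS POLICY: FTD-5525 ACP - Default
Additional Information:

Result:
input-interface: inside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_DROP):
        phases, summary = parse_packet_tracer(sample)
        blocker = first_drop(phases)
        print(summary.get("Action"), "| blocked at:", blocker and f"{blocker.number} {blocker.type}",
              "| rules:", matched_rules(phases), "|", summary.get("Drop-reason", ""))
```

Paste a trace copied from the Raw view into SAMPLE_ALLOW's place (or read it from a file) and the script tells you whether the packet was allowed, which phase stopped it, and which ACP rule the matching access-list entry belongs to; the rule-id in the remark lines is what ties the LINA output back to the rule you see in the policy editor.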

Conclusion

If you’re like me and desire greater familiarity with the logic and order of operations of FTD, the Packet Tracer tool can help. This was my ‘go to’ tool for troubleshooting ASAs and I’m glad it made its way into Firepower Threat Defense. I hope this article proves useful to other administrators of FTD.

If you have other tips or tricks for maintaining and operating a Firepower solution, please share them by commenting below.

Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.