
Cisco Secure Firewall (FTD / FMC)

The RTA requires one outbound connection: OpenVPN over TCP/443 to connect.remotetesting.secureworks.com. On a Cisco Secure Firewall (FTD) managed by FMC, this destination is typically blocked by SSL decryption or L7 application detection even when port 443 is nominally allowed outbound.

Note

For background on why NGFW devices block this connection and what the RTA requires, see the Firewall Troubleshooting Overview and the full troubleshooting background.


1. Create a Network / FQDN Object

FMC supports FQDN-type network objects that can be used in Access Control Policy and SSL/Decryption rules (but not in Prefilter Policy rules; see Section 3). The FTD resolves FQDN objects itself, so the device must have DNS configured (Devices > Platform Settings > DNS); without it the object matches nothing and the rules below silently fail to apply.

  1. In FMC, go to Objects > Object Management > Network.
  2. Click Add Network > Add Object.
  3. Set the following:
     • Name: RTA-Connect-Endpoint
     • Type: FQDN
     • FQDN: connect.remotetesting.secureworks.com
  4. Click Save.

2. Add a Do-Not-Decrypt Rule

SSL/TLS decryption intercepts port-443 traffic and resets OpenVPN sessions. You must exempt this destination from decryption.

  1. Go to Policies > SSL (FMC 6.x) or Policies > Decryption (FMC 7.x+).
  2. Open the SSL/Decryption Policy applied to the interface pair carrying RTA traffic.
  3. Add a new rule at the top of the rule list:
     • Action: Do Not Decrypt
     • Destination Networks: RTA-Connect-Endpoint (the FQDN object)
     • Destination Port: TCP / 443
  4. Click Save.

Warning

Place this rule above any catch-all decrypt rules. FMC evaluates rules top-down; if a decrypt rule matches first, the Do-Not-Decrypt rule is never reached.


3. Allow the Flow

Even after exempting decryption, the Snort inspection engine or application detection may classify the flow as OpenVPN (or as non-standard SSL on 443) and drop it. You have two options.

Option A: Prefilter Fastpath Rule

A Fastpath rule bypasses Snort and all L7 inspection entirely, which is the most reliable fix. Prefilter rules match on IP and port only, so the FQDN object from Section 1 cannot be used here; you need the AWS Global Accelerator IP set for connect.remotetesting.secureworks.com from your engagement lead. Fastpathed traffic also bypasses access control, so keep the rule scoped to exactly that destination set and TCP/443, and enable logging on the rule if you want the flows to appear in Connection Events.

  1. Go to Policies > Prefilter.
  2. Open the Prefilter Policy applied to the relevant device/interface pair.
  3. Add a new Prefilter Rule:
     • Action: Fastpath
     • Destination Networks: (IP addresses provided by your engagement lead)
     • Destination Port: TCP / 443
     • Direction: Any (or Initiator-to-Responder if your policy permits)
  4. Move the rule above any block rules for the same port range.
  5. Click Save.

Tip

If you do not have the GA IP set, use Option B below and monitor Connection Events to confirm traffic is passing.

Option B: Access Control Policy Allow Rule

If you cannot use a Prefilter Fastpath (e.g., no GA IP list is available), add an explicit allow rule in the Access Control Policy. Be aware that AppID may still tag the flow as the OpenVPN application.

  1. Go to Policies > Access Control.
  2. Open the Access Control Policy applied to the device.
  3. Add a new rule:
     • Action: Allow
     • Destination Networks: RTA-Connect-Endpoint
     • Destination Port: TCP / 443
     • Inspection tab: set Intrusion Policy to None (and leave File Policy unset) so Snort does not evaluate and drop the flow.
  4. Place this rule above any application-based block rules that match OpenVPN or unclassified-on-443 traffic.
  5. Click Save.

Warning

AppID may classify this flow as OpenVPN even with an Allow action. If a separate rule blocks the OpenVPN application, the allow rule must be ordered before it. Setting the rule's Intrusion Policy to None (the Inspection tab setting in Option B) also keeps Snort from evaluating the payload against intrusion rules, which is the other common point at which the session gets reset.


4. Deploy and Verify

Deploy

All policy changes in FMC are staged until explicitly pushed to the device.

  1. Click Deploy > Deployment in the top navigation bar.
  2. Select the target FTD device(s).
  3. Click Deploy and wait for the task to complete.

Verify Connectivity

From a host on the same network segment as the RTA:

nc -vz connect.remotetesting.secureworks.com 443

A successful response looks like:

Connection to connect.remotetesting.secureworks.com 443 port [tcp/https] succeeded!

Then confirm the RTA establishes and holds its OpenVPN tunnel (the connection should remain stable, not reset within a few seconds).
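The script below is an added example, not part of this page or of Secureworks' tooling, that automates two checks the steps above leave manual: that every address the FQDN currently resolves to falls inside the IP set you put in the Prefilter Fastpath rule (Option A is pinned to addresses, not the name), and that a TCP/443 connection not only opens but stays open for a few seconds, which separates a firewall mid-session reset from a plain port block. FASTPATH_NETWORKS is a placeholder to be filled from your engagement lead's list; the resolver argument exists so the coverage check can be exercised offline with constructed DNS answers.

```python
"""Post-deployment checks for the RTA egress path (added example, not page or vendor code).

Check 1: every address the FQDN resolves to is inside the networks configured
         in the Prefilter Fastpath rule. Prefilter rules cannot use the FQDN
         object, so the rule is pinned to addresses and can drift.
Check 2: a TCP/443 connection opens AND stays open for a few seconds.
         'connected, then closed shortly after' is the signature of a
         decryption or Snort reset rather than a port block.
"""
import ipaddress
import socket
import sys
import time

RTA_FQDN = "connect.remotetesting.secureworks.com"
RTA_PORT = 443

# Placeholder (assumption): fill with the AWS Global Accelerator IP set supplied
# by your engagement lead, exactly as entered in the Prefilter rule's Destination Networks.
FASTPATH_NETWORKS = []


def resolve_v4(fqdn, resolver=socket.getaddrinfo):
    """IPv4 addresses fqdn resolves to; resolver is injectable for offline tests."""
    infos = resolver(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_fastpath_coverage(fqdn, fastpath_networks, resolver=socket.getaddrinfo):
    """Split current DNS answers into (covered, uncovered) by the rule's networks.

    Any address in 'uncovered' misses the Fastpath rule and falls through to
    Snort inspection, where the OpenVPN flow may be reset.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in fastpath_networks]
    covered, uncovered = set(), set()
    for addr in sorted(resolve_v4(fqdn, resolver)):
        ip = ipaddress.ip_address(addr)
        (covered if any(ip in net for net in nets) else uncovered).add(addr)
    return covered, uncovered


def probe_and_hold(host, port, hold_seconds=5.0, connect_timeout=5.0):
    """Connect, then sit idle for hold_seconds watching for a FIN or RST.

    Returns {"connected": bool, "held": bool, "error": str | None}.
    The client sends nothing, so this exercises the connect and the firewall's
    handling of an unclassified TCP/443 flow; a block keyed on the OpenVPN
    application signature only shows up when the RTA itself connects.
    """
    result = {"connected": False, "held": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=connect_timeout) as sock:
            result["connected"] = True
            sock.settimeout(hold_seconds)
            deadline = time.monotonic() + hold_seconds
            while time.monotonic() < deadline:
                try:
                    chunk = sock.recv(1)
                except socket.timeout:
                    break  # idle for the whole window and still open
                if not chunk:  # orderly close (FIN) from the peer or a middlebox
                    result["error"] = "peer closed the connection during the hold"
                    return result
            result["held"] = True
    except OSError as exc:  # refused, timed out, or ConnectionResetError (RST)
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def main(argv):
    """Run both checks; exit code 0 means the path looks good."""
    ok = True
    if FASTPATH_NETWORKS:
        covered, uncovered = check_fastpath_coverage(RTA_FQDN, FASTPATH_NETWORKS)
        print(f"covered by Fastpath rule: {sorted(covered)}")
        if uncovered:
            print(f"NOT covered (will hit Snort): {sorted(uncovered)}")
            ok = False
    hold = float(argv[1]) if len(argv) > 1 else 5.0
    r = probe_and_hold(RTA_FQDN, RTA_PORT, hold_seconds=hold)
    print(f"connect={r['connected']} held={r['held']} error={r['error']}")
    return 0 if ok and r["held"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a host on the RTA's segment with an optional hold time in seconds as the first argument. A result of connected=True, held=False with a ConnectionResetError is the pattern to expect while the Do-Not-Decrypt or Allow rule is still missing or ordered below a catch-all; connected=False points at an ordinary port or routing block instead.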

Check Connection Events

In FMC, go to Analysis > Connections > Events and filter on:

  • Destination IP / Hostname: connect.remotetesting.secureworks.com
  • Destination Port: 443

Confirm the action is Allow (or Fastpath if the Prefilter rule fired) and that no subsequent blocks appear for the same flow. Fastpathed flows are only logged here if logging is enabled on the Prefilter rule, so an empty result for a Fastpath rule does not by itself mean the traffic was dropped.