Thanks David for the feedback!

Thanks sir!

Thanks!!

Thanks Owii92 for the comment and glad it helped.

Thanks Stas!

Thanks Igor!

Anytime Hoang and thanks for the feedback.

I seen you message around DNS but you had your email address so I did not publish the comment. That said I assume you are looking at DNS Sinkholing. If so check out the following videos 23. Cisco Firepower Threat Defense: DNS Sinkholing kzbin.info/www/bejne/eovXp3ajpMyYac0 24. Cisco Firepower Threat Defense: DNS Sinkholing Packet Capture kzbin.info/www/bejne/qIOump2phZ6cr6M 25. Cisco Firepower Threat Defense: DNS Sinkhole Tweaking for the Analyst kzbin.info/www/bejne/bYOwmnyngZ56n80 Hope this helps

@@jasonmaynard8773 Thanks for hidding the comment, in my case, after putting DNS server behind the firewall with default "balance and security", and malware blocking (1st rule), all pcs and even FW itself cannot use DNS service anymore, every others service like ping, RD are still OK, DNS is win 2008 R2. Checked log and i saw UDP port 53 were allow. Have you met this case?

Hi Hoang, I am assuming that the PCs have to go through the firewall to get to DNS (not on the same network and you have a control point in place). I would go to FTD and leverage packet tracer and do a couple of tests. This should highlight what stage the firewall is blocking (if that is the case). If this does not help I would open a TAC case and get them to have a look. Packet Tracer - kzbin.info/www/bejne/jZXJk5aGaLCohZI

Thank you and noted!

Thanks Mark for reaching out - home_net should include all networks you are protecting. It states this in the guide "the majority of the rules use the variable $HOME_NET to specify the protected network and the variable $EXTERNAL_NET to specify the unprotected (or outside) ", also a quick google of www.google.com/search?q=snort+home_net+variable&rlz=1C1GCEU_enUS872US873&oq=snort+Home&aqs=chrome.0.69i59j69i57j35i39j0l5.5013j0j4&sourceid=chrome&ie=UTF-8 Gets you the following as well "$HOME_NET is a variable that defines the network or networks you are trying to protect, while $EXTERNAL_NET is the external, untrusted networks to which you are connected. These variables are used in virtually all rules to specify criteria for the source and destination of a packet." Hope this clarifies :)

Try the following: cisco.lookbookhq.com/ngfw_ftd_common-practices

Glad it helped