View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

SEC0243 - FTD 6.1 Prefilter Policy (Part 3)

Average: 5 (1 vote)
Difficulty Level: 
Lab Document: 
<Please login to see the content>
The video introduces you to Pre-filter policy on Cisco FTD 6.1. We will demonstrate how prefilter policy can be used in addition to a regular access control rule to allow (Fastpath) or drop traffic and prevent them from further processing. The second half of the videos takes you through another feature called Tunnel Rule that allows FTD to analyze unencrypted tunnel traffic.
Part 3 of this video covers prefilter policy with Tunnel rule
  • Prefilter Policy
    • Fastpath, Block, Analyze
  • Access Control Policy
  • GRE Tunnel
  • Tunnel Rule 
  • Zone Reassignment

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.


Hey Metha, Thank you very much for great video mentors. Got a question and unfortunately could not resolve with TAC engineers too. Somehow the FTD blocks the traffic for PPTP after when it starts validating user credentials. I can connect the PPTPD server within the subnet but can't get it behind the firewall. Do you have any idea what to look at?


First of all, does PPTP works without FTD? If so, do you have both TCP/1723 and GRE allowed on FTD? Do you see anything else being blocked on event log? Try to disable all inspection as well.

Thanks for your reply. Yes, it does work and connects to a computer on the same subnet my PPTPD is located but does not allow even from the other interface regardless of outside or inside. I allowed TCP/1723 and does not have any prefiltered rules that could block GRE and by default it is allowed I assume. I have a few inspections but:
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp error
inspect ip-options UM_STATIC_IP_OPTIONS_MAP
inspect icmp
class class-default
set connection advanced-options UM_STATIC_TCP_MAP

As you see PPTP is not among them. It is giving error 619 after verifying username and password. I had similar issue with ASA but there inspection of PPTP resolved ther issue. Any other thoughts how I might resolve it?


Can you allow GRE on Acccess Control Rule and see if that works? After that if you rather use inspection, you can try to use FlexConfig to insert the command.