Summary: Reference for running Packet Tracer and reviewing connection events on FTD, covering both the FMC GUI and the FTD CLI for each, including how to read Packet Tracer output and filter connection events effectively.
Packet Tracer simulates a packet through the FTD policy stack without sending real traffic. It shows which phase allows or drops the packet and which rule matched.
Run from the FTD CLI (or the diagnostic CLI via `system support diagnostic-cli`):

```
packet-tracer input <ingress-interface> <protocol> <src-ip> <src-port> <dst-ip> <dst-port> detail
```

Common examples (for ICMP the two numbers after the source address are the ICMP type and code, not ports):

```
packet-tracer input outside tcp 203.0.113.10 12345 10.0.1.50 443 detail
packet-tracer input inside icmp 192.168.1.10 8 0 8.8.8.8 detail
packet-tracer input inside udp 192.168.1.10 54321 8.8.8.8 53 detail
```
⚠️ Interface Name
Use the logical interface name as configured in FMC (e.g. `outside`, `inside`), not the physical port name (e.g. `GigabitEthernet0/0`). The name is case-sensitive.
The GUI presents the same phase-by-phase output as the CLI, formatted as a collapsible trace view.
Each phase is evaluated in sequence. The final result is Allow or Drop.
Phase numbers in the output are assigned sequentially based on what is configured — they vary by policy and FTD version. Identify phases by name rather than number.
| Phase Name | Description |
|---|---|
| Route Lookup | Checks whether a route exists for the destination. Drop here = no route. |
| Access List | Evaluates interface ACLs (if applied directly). |
| NAT — Un-NAT | Evaluates destination NAT rules (inbound). |
| NAT — Source | Evaluates source NAT rules (outbound). |
| Prefilter | Fast-path rules and tunnel rules — evaluated early in the pipeline. |
| Access Control | Evaluates ACP rules — this is where most permit/deny decisions occur. Shows the matched rule name. |
| Intrusion Prevention | IPS inspection result (if the matched ACP rule has an IPS policy applied). |
Key fields in the output:
| Field | What to Look For |
|---|---|
| Result: ALLOW | Packet would be permitted through the policy stack |
| Result: DROP | Packet would be dropped — check the phase where this occurred |
| Matched rule: <name> | The specific ACP or NAT rule that matched |
| Action: Deny in ACP phase | The ACP rule explicitly blocks this traffic |
| Implicit Deny | No ACP rule matched — traffic hits the default deny |
⚠️ Packet Tracer Limitations
Packet Tracer evaluates policy as currently deployed on the FTD. It does not reflect uncommitted FMC changes. It also bypasses some stateful checks — a trace result of Allow does not guarantee the session will succeed if there are routing or NAT asymmetry issues.
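The phase table and the "identify phases by name" advice above lend themselves to a small parser. The script below is an added example, not code from the original page or from Cisco: it splits packet-tracer text into blocks, finds the first phase whose `Result` is `DROP` by its `Type` name, and pulls out the final `Action`, `Drop-reason` and any `rule-id` from that phase. The sample trace is constructed to match the shape of real output, and all function names are our own.

```python
"""Added example (not from the original page or from Cisco): parse the text
output of FTD packet-tracer and report the verdict by phase *name*, since
phase numbers shift with policy and FTD version.  Function and variable
names here are our own."""
import re
from typing import Optional

# Constructed sample in the shape of packet-tracer output (not a real capture).
SAMPLE_TRACE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.0.1.50 using egress ifc inside

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: DROP
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268435456 event-log flow-start
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

RULE_ID_RE = re.compile(r"\brule-id\s+(\d+)")


def parse_blocks(trace: str) -> list[dict]:
    """Split the trace on blank lines; each block becomes a dict of 'Key: value'
    lines plus the raw text, so config lines without a colon are not lost."""
    blocks = []
    for raw in re.split(r"\n\s*\n", trace.strip()):
        fields = {"_raw": raw}
        for line in raw.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields.setdefault(key.strip(), value.strip())
        blocks.append(fields)
    return blocks


def summarize(trace: str) -> dict:
    """Return the final action, the first phase (by Type name) that returned
    DROP, the drop reason, and the ACL rule-id seen in that phase, if any."""
    blocks = parse_blocks(trace)
    phases = [b for b in blocks if "Phase" in b]
    final = next((b for b in blocks if "Action" in b), {})
    drop = next((p for p in phases if p.get("Result", "").upper() == "DROP"), None)
    rule_match = RULE_ID_RE.search(drop["_raw"]) if drop else None
    return {
        "action": final.get("Action", "unknown").lower(),
        "phases": [p.get("Type") for p in phases],
        "drop_phase": drop.get("Type") if drop else None,
        "drop_reason": final.get("Drop-reason"),
        "rule_id": rule_match.group(1) if rule_match else None,
    }


def phase(trace: str, type_name: str) -> Optional[dict]:
    """Look up a phase by its Type name (e.g. 'ACCESS-LIST'), never by number."""
    for p in parse_blocks(trace):
        if p.get("Type", "").upper() == type_name.upper():
            return p
    return None


if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    print(f"action={s['action']} drop_phase={s['drop_phase']} rule-id={s['rule_id']}")
    print("reason:", s["drop_reason"])
```

Feed it the saved output of a `packet-tracer ... detail` run; because it keys on `Type` rather than `Phase` numbers, the same script works across policies and FTD versions where the numbering differs.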
Connection events are logged by Snort and stored in FMC. They represent completed or in-progress sessions that matched a logging-enabled ACP rule. Active connections that have not yet closed appear as connection events with no end time.
⚠️ Logging Must Be Enabled
Connection events only appear if logging is enabled on the matching ACP rule (log at beginning of connection, end of connection, or both). Rules with logging disabled produce no connection events regardless of action.
| Column | Description |
|---|---|
| First Packet / Last Packet | Session start and end times |
| Initiator IP / Responder IP | Source and destination of the connection |
| Initiator Port / Responder Port | Source and destination ports |
| Action | Allow, Block, Trust, Reset, etc. |
| Bytes Sent / Received | Traffic volume — useful for identifying data exfiltration or large transfers |
| Access Control Rule | The specific rule that matched |
| Ingress / Egress Interface | Which interfaces the traffic traversed |
| Application | Layer 7 application identified by Snort |
| User | Username if identity policy is configured |
| Goal | Filter |
|---|---|
| All traffic from a specific host | Initiator IP = <ip> |
| All traffic to a destination | Responder IP = <ip> |
| Blocked connections only | Action = Block |
| Traffic on a specific port | Responder Port = 443 |
| Traffic through a specific rule | Access Control Rule = <rule name> |
| Large transfers | Sort by Bytes descending |
To search across multiple fields simultaneously, use the search bar above the table and combine filters with AND.
To view the full detail of a connection event, click the arrow icon on the left of any row.
The FTD CLI shows the live connection table — current sessions only, not historical events.
```
show conn
show conn count
show conn address <ip>
show conn detail
```
Use `show conn address <ip>` to quickly check whether a specific host has active sessions and what ports are in use. This is useful when FMC connection event logging has a delay or when troubleshooting a live session.
To correlate with FMC: the five-tuple (src IP, src port, dst IP, dst port, protocol) from `show conn` can be used to find the matching event in Analysis > Connections > Events.
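The five-tuple correlation just described, together with the AND-combined filters from the filter table above, is shown in the added example below. It is not code from the original page or from Cisco: it parses constructed `show conn` lines into five-tuples, looks each one up in a constructed list of FMC connection-event records (using the column names from the table above), and applies equality filters combined with AND. Because `show conn` does not label which side initiated, the lookup compares the two endpoints as an unordered pair. All function names and sample data are our own.

```python
"""Added example (not from the original page or from Cisco): parse show conn
lines into five-tuples, look up the matching FMC connection event for each,
and apply AND-combined filters like the ones in the filter table.  The
function names, the sample lines and the event records are all constructed."""
import re
from typing import Optional

# Matches the start of a show conn line: protocol, interface, addr:port, interface, addr:port.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+(?P<if_a>\S+)\s+(?P<ip_a>[\d.]+):(?P<port_a>\d+)"
    r"\s+(?P<if_b>\S+)\s+(?P<ip_b>[\d.]+):(?P<port_b>\d+),\s+idle\s+(?P<idle>[\d:]+),"
    r"\s+bytes\s+(?P<bytes>\d+)"
)

# Constructed sample of show conn output (not a real capture).
SHOW_CONN = """\
TCP outside 203.0.113.10:12345 inside 10.0.1.50:443, idle 0:00:05, bytes 48210, flags UIO N1
UDP inside 192.168.1.10:54321 outside 8.8.8.8:53, idle 0:00:01, bytes 212, flags -
TCP inside 192.168.1.22:50110 outside 198.51.100.9:443, idle 0:01:10, bytes 9034, flags UIO
"""

# Constructed FMC connection events, keyed by the column names in the table above.
# The third show conn line has no event here: that is what you see when the
# matched ACP rule has logging disabled or FMC has not received the event yet.
FMC_EVENTS = [
    {"Initiator IP": "203.0.113.10", "Initiator Port": 12345, "Responder IP": "10.0.1.50",
     "Responder Port": 443, "Protocol": "tcp", "Action": "Allow",
     "Access Control Rule": "Allow-Web-Inbound", "Bytes": 48210},
    {"Initiator IP": "192.168.1.10", "Initiator Port": 54321, "Responder IP": "8.8.8.8",
     "Responder Port": 53, "Protocol": "udp", "Action": "Allow",
     "Access Control Rule": "Allow-DNS", "Bytes": 212},
    {"Initiator IP": "192.168.1.22", "Initiator Port": 50111, "Responder IP": "198.51.100.7",
     "Responder Port": 22, "Protocol": "tcp", "Action": "Block",
     "Access Control Rule": "Block-Outbound-SSH", "Bytes": 0},
]


def parse_show_conn(text: str) -> list[dict]:
    """Parse each show conn line; lines that do not match (headers, counts) are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            c = m.groupdict()
            for k in ("port_a", "port_b", "bytes"):
                c[k] = int(c[k])
            conns.append(c)
    return conns


def endpoint_key(proto, ip_a, port_a, ip_b, port_b):
    """show conn does not label which side initiated, so compare the two
    endpoints as an unordered pair together with the protocol."""
    return (proto.lower(), frozenset({(ip_a, int(port_a)), (ip_b, int(port_b))}))


def match_event(conn: dict, events: list[dict]) -> Optional[dict]:
    key = endpoint_key(conn["proto"], conn["ip_a"], conn["port_a"], conn["ip_b"], conn["port_b"])
    for ev in events:
        if endpoint_key(ev["Protocol"], ev["Initiator IP"], ev["Initiator Port"],
                        ev["Responder IP"], ev["Responder Port"]) == key:
            return ev
    return None


def correlate(show_conn_text: str, events: list[dict]) -> list[tuple]:
    """Pair every live connection with its FMC event, or None when there is none."""
    return [(c, match_event(c, events)) for c in parse_show_conn(show_conn_text)]


def filter_events(events: list[dict], criteria: dict) -> list[dict]:
    """AND-combine equality filters, e.g. {"Action": "Block", "Responder Port": 22}."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in criteria.items())]


def largest_transfers(events: list[dict], n: int = 5) -> list[dict]:
    """The 'Large transfers' goal from the filter table: sort by Bytes descending."""
    return sorted(events, key=lambda ev: ev["Bytes"], reverse=True)[:n]


if __name__ == "__main__":
    for conn, ev in correlate(SHOW_CONN, FMC_EVENTS):
        rule = ev["Access Control Rule"] if ev else "<no FMC event>"
        print(f"{conn['proto']} {conn['ip_a']}:{conn['port_a']} -> "
              f"{conn['ip_b']}:{conn['port_b']}  {rule}")
```

In practice the event list would come from an export of Analysis > Connections > Events; a live connection with no matching event is the case the "Logging Must Be Enabled" note above describes, or simply a logging delay.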