
JLospinoso
Copper Contributor
Jan 03, 2024

Cisco ASA Events - TCP Build Messages (302013) Not Parsing Correctly

It seems that for the ASA, Sentinel is not correctly parsing the source and destination IP/port in TCP or UDP build messages where the communication direction is outbound. It doesn't help that Cisco does not directly label the source and destination in these messages. It's intuitive to read "for IP1/Port1 to IP2/Port2" as implying 1 is the source and 2 is the destination, but that's not the case.

%ASA-6-302013: Built outbound TCP connection 1139285864 for Outside:104.43.247.104/443 (104.43.247.104/443) to Inside:10.18.120.83/17960 (192.40.44.100/17960).

The rules appear to be as follows:

All FW interfaces have a numeric “Security Context”.
Outbound means the direction was from a higher to lower context.
Inbound means the direction was from a lower to higher context.
The higher context always seems to show as the second interface.

Blending all this together means:

     Outbound => src=2 (higher), dst=1 (lower)    higher to lower
     Inbound  => src=1 (lower),  dst=2 (higher)   lower to higher

So what happens where IPs 1 & 2 are on the same interface?

Based on observation where interface1 == interface2:

     Outbound => src=2, dst=1
     Inbound  => src=1, dst=2

In short, for outbound messages, the source is the second IP and the destination is the first IP.

It's not as clear when the second interface is "identity".

We can imagine that having the source and destination IPs backwards could impact security analytics. For example, if a rule was checking destination IPs against a naughty list, then instead of checking the actual external destinations it's going to check the internal (private) IPs and of course never trigger a hit.

Curious to know if anyone else has noticed this?

J-

3 Replies
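The following is an added example, not code from the post, from Sentinel, or from Cisco: a small Python parser that applies the source/destination rule the post describes to ASA build-connection messages (302013 for TCP, 302015 for UDP), flags events where an interface is "identity" as ambiguous, and runs a destination blocklist check over constructed log lines both with the post's rule and with the naive "first IP is the source" reading, to show the missed hits the post warns about. The regex, the `BuildEvent` fields, the `naive` switch, the RFC 5737 sample addresses and the connection IDs other than the one quoted in the post are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed pattern for ASA "Built connection" messages: 302013 (TCP) and 302015 (UDP).
# The message names two endpoints but never says which is source and which is destination,
# so the groups are called first/second and the direction decides the roles below.
BUILD_RE = re.compile(
    r"%ASA-\d-(?P<msgid>30201[35]): Built (?P<direction>inbound|outbound) "
    r"(?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<if1>[^:\s]+):(?P<ip1>[^/\s]+)/(?P<port1>\d+) \((?P<nat_ip1>[^/\s]+)/(?P<nat_port1>\d+)\) to "
    r"(?P<if2>[^:\s]+):(?P<ip2>[^/\s]+)/(?P<port2>\d+) \((?P<nat_ip2>[^/\s]+)/(?P<nat_port2>\d+)\)"
)


@dataclass
class BuildEvent:
    direction: str
    proto: str
    conn_id: int
    src_interface: str
    src_ip: str
    src_port: int
    dst_interface: str
    dst_ip: str
    dst_port: int
    # True when either interface is "identity"; the post says the rule is unclear there,
    # so downstream logic should treat src/dst for such events with caution.
    ambiguous: bool


def parse_build_message(line: str, naive: bool = False) -> Optional[BuildEvent]:
    """Parse one ASA build message into a BuildEvent, or return None for other messages.

    naive=True reproduces the intuitive (and, per the post, wrong) reading in which the
    first endpoint is always the source; the default applies the post's observed rule.
    """
    m = BUILD_RE.search(line)
    if not m:
        return None
    first = (m["if1"], m["ip1"], int(m["port1"]))
    second = (m["if2"], m["ip2"], int(m["port2"]))
    if not naive and m["direction"] == "outbound":
        # Outbound: src is the second (higher security level) endpoint, dst the first.
        src, dst = second, first
    else:
        # Inbound (or naive reading): src is the first endpoint, dst the second.
        src, dst = first, second
    return BuildEvent(
        direction=m["direction"],
        proto=m["proto"],
        conn_id=int(m["conn_id"]),
        src_interface=src[0], src_ip=src[1], src_port=src[2],
        dst_interface=dst[0], dst_ip=dst[1], dst_port=dst[2],
        ambiguous="identity" in (m["if1"].lower(), m["if2"].lower()),
    )


def destination_hits(lines: Iterable[str], blocklist: set, naive: bool = False) -> List[int]:
    """Return connection IDs whose destination IP is on the blocklist (the rule the post describes)."""
    hits = []
    for line in lines:
        ev = parse_build_message(line, naive=naive)
        if ev is not None and ev.dst_ip in blocklist:
            hits.append(ev.conn_id)
    return hits


# Constructed sample log lines. The first is the message quoted in the post; the others use
# RFC 5737 documentation addresses and invented connection IDs.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1139285864 for Outside:104.43.247.104/443 "
    "(104.43.247.104/443) to Inside:10.18.120.83/17960 (192.40.44.100/17960).",
    "%ASA-6-302013: Built inbound TCP connection 2001 for Outside:198.51.100.7/51234 "
    "(198.51.100.7/51234) to DMZ:192.0.2.10/443 (203.0.113.10/443)",
    "%ASA-6-302015: Built outbound UDP connection 2002 for Outside:203.0.113.9/53 "
    "(203.0.113.9/53) to Inside:192.0.2.25/40000 (198.51.100.25/40000)",
    "%ASA-6-302013: Built outbound TCP connection 2003 for Outside:203.0.113.9/443 "
    "(203.0.113.9/443) to identity:192.0.2.1/45000 (192.0.2.1/45000)",
    # A constructed non-build line, to show that other message IDs are ignored.
    "%ASA-6-302014: Teardown TCP connection 2001 for Outside:198.51.100.7/51234 to DMZ:192.0.2.10/443",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        ev = parse_build_message(line)
        if ev:
            note = "  (identity interface: ambiguous)" if ev.ambiguous else ""
            print(f"{ev.conn_id} {ev.direction:8} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}{note}")
    print("hits with the post's rule:", destination_hits(SAMPLE_LOGS, {"203.0.113.9"}))
    print("hits with naive parsing:  ", destination_hits(SAMPLE_LOGS, {"203.0.113.9"}, naive=True))
```

With the post's rule, the blocklist check matches the two outbound connections to the external address; with the naive reading it matches nothing, because every outbound event's "destination" becomes the internal host. Events touching the "identity" interface are still parsed with the same rule but carry `ambiguous=True`, since the post does not establish what the ordering is in that case.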