https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761360#M1012124 <P>sorry, but what is ACP?</P> Tue, 11 Dec 2018 15:14:40 GMT marcio.tormente 2018-12-11T15:14:40Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761239#M1012119 <P>Hello guys!</P><P>I have no experience with FTD firepower and I'm lost with the monitoring.</P><P>In the ASA using ASDM I can make monitoring in real time to se where the traffic is blocking or not, but I have no idea how can I do it using Firepower.</P><P>Anyone can help me with this case?</P><P>&nbsp;</P><P>Thanks</P><P>&nbsp;</P><P>Marcio</P> Fri, 21 Feb 2020 16:33:40 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761239#M1012119 marcio.tormente 2020-02-21T16:33:40Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761256#M1012120 <P>Hi Marcio</P> <P>&nbsp;</P> <P>With in the FMC (Firepower Management Center), you can use Analysis &gt; Connection events to filter and drill down on standard connection events that pass through the managed devices.</P> <P>You can use Analysis &gt; Intrusion Events to assess what is being blocked/monitored by the Snort engine.</P> <P>Also, if you have the network discovery policy configured to build up host intelligence of your internal protected nodes (Desktops, laptops, servers etc), Analysis &gt; Context Explorer will give you accurate IOCs (Indications of Compromise) and what devices/alerts should be triaged first.</P> <P>&nbsp;</P> <P>As a general rule of thumb, the Intrusion alerts are rated 1-4 then 0 (1 being critical, 0 being informational). Look at the critical ones first.</P> <P>The Access Control Policy ties in all the 'sub policies' together (File/Malware, Prefilter (Layer 1-4), Intrusion (&gt; Layer 7), SSL, DNS etc.)</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>Phil</P> Tue, 11 Dec 2018 13:11:28 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761256#M1012120 phil.hydea 2018-12-11T13:11:28Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761274#M1012121 <P>Hello Phil!</P><P>&nbsp;</P><P>thanks for your support.</P><P>&nbsp;</P><P>I tried as you said, but after go to "Analysis &gt; Connection events", I have many option in the "jump to" as I can show in the attached, if I change to "host" for example, I have no result.</P><P>Or If I make a filter by network and put the IP of the host, again I have no result. Do you know why?</P><P>&nbsp;</P><P>thanks&nbsp;</P> Tue, 11 Dec 2018 13:42:28 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761274#M1012121 marcio.tormente 2018-12-11T13:42:28Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761353#M1012122 <P>Hi,</P> <P>&nbsp;</P> <P>Do you have an ACP configured with logging enabled?</P> <P>&nbsp;</P> <P>Cheers</P> <P>Phil</P> Tue, 11 Dec 2018 15:06:15 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761353#M1012122 phil.hydea 2018-12-11T15:06:15Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761354#M1012123 Also, as well as ACP configured with logging, have you tried increasing the time window (top right of the table)? Tue, 11 Dec 2018 15:06:50 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761354#M1012123 phil.hydea 2018-12-11T15:06:50Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761360#M1012124 <P>sorry, but what is ACP?</P> Tue, 11 Dec 2018 15:14:40 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761360#M1012124 marcio.tormente 2018-12-11T15:14:40Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761362#M1012125 <P>ACP is access control policy. It's where all the ACL (Access control list) style rules and additional upto Layer 7 inspection is configured.</P> <P>&nbsp;</P> <P>Check this out:</P> <P><A href="https://networkdirection.net/articles/asa/firepowermanagementcentre/fmcaccesscontrolpolicies/" target="_blank">https://networkdirection.net/articles/asa/firepowermanagementcentre/fmcaccesscontrolpolicies/</A></P> <P>&nbsp;</P> <P>Have you added your FTD devices to the FMC already? do you have licensing sorted? (if not, no problem, use evaluation mode for a 90 day window)</P> Tue, 11 Dec 2018 15:19:03 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761362#M1012125 phil.hydea 2018-12-11T15:19:03Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761366#M1012126 <P>Yes I have the ACP configured and the device is on the FMC phisical appliance with the the normal license (not evaluation).</P> Tue, 11 Dec 2018 15:21:42 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761366#M1012126 marcio.tormente 2018-12-11T15:21:42Z https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761381#M1012127 So do have you ACP rules configured with logging:<BR /><BR />Edit the rule, click Logging tab, either Log at Beginning and/or End of<BR />Connection<BR /> Tue, 11 Dec 2018 15:49:52 GMT https://community.cisco.com/t5/network-security/monitoring-with-ftd-firepower-2100/m-p/3761381#M1012127 phil.hydea 2018-12-11T15:49:52Z