https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130138#M1072608 <P>It is normally the Analysis &gt; Connection Events and the system support diagnostic-cli that you would refer to, to view this.&nbsp; You can also setup a capture and export the pcap file and view it in Wireshark.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10</A></P> Tue, 04 Aug 2020 13:50:17 GMT Marius Gunnerud 2020-08-04T13:50:17Z https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130107#M1072604 <P>How can I see DNS Security Intelligence event for the blocked resolution of a fqdn at CLI of FTD?</P><P>&nbsp;</P><P>Test setup:</P><P>I have a static DNS blacklist used for blocking domain <EM>well-known-domain</EM>.com, let's say cisco.com.&nbsp; Inside hosts trying to browse to cisco.com are being block, as expected.</P><P>&nbsp;</P><P>However, when I use <STRONG>Packet Tracer</STRONG> and for destination fqdn I put cisco.com, Packet Tracer's verdict is to allow the traffic, because Packet-Tracer resolves the fqdn to an IP address.&nbsp; Since the ip address of cisco.com is not blocked in my configuration, Packet-Tracer allows the traffic.&nbsp;</P><P>To catch Packet tracer resolving, I thought I could use:&nbsp;<FONT face="courier new,courier"><STRONG>support firewall-engine-debug&nbsp;</STRONG></FONT>to see Packet tracer resolves, but it doesn't show name lookup for cisco.com.&nbsp;</P><P>&nbsp;</P><P>Then, I wanted to use <STRONG><FONT face="courier new, courier">capture&nbsp;</FONT></STRONG>at FTD CLI, but that command uses ip address for source/destination, so I can't put cisco.com.</P><P>&nbsp;</P><P>Can someone please tell me where at CLI I can see DNS Security intelligence events.</P><P>&nbsp;</P><P>Thanks.</P> Tue, 04 Aug 2020 13:09:22 GMT https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130107#M1072604 cpaquet 2020-08-04T13:09:22Z https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130138#M1072608 <P>It is normally the Analysis &gt; Connection Events and the system support diagnostic-cli that you would refer to, to view this.&nbsp; You can also setup a capture and export the pcap file and view it in Wireshark.</P> <P><A href="https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10" target="_blank">https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/214852-block-dns-with-security-intelligence-usi.html#anc10</A></P> Tue, 04 Aug 2020 13:50:17 GMT https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130138#M1072608 Marius Gunnerud 2020-08-04T13:50:17Z https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130297#M1072621 Hi, try to use support trace command with firewall debug enable turned on.<BR />This should show the results as this command will show you snort inspection<BR />as well.<BR /><BR />**** please remember to rate useful posts<BR /> Tue, 04 Aug 2020 17:10:40 GMT https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130297#M1072621 Mohammed al Baqari 2020-08-04T17:10:40Z https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130361#M1072630 <P>Thanks Mohammed, the system support trace did the trick and showed the SI DNS block and which policy blocked it.</P><P>Much appreciated.&nbsp; Thank you.</P><P>&nbsp;</P><P>198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Packet: UDP<BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Session: new snort session<BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 AppID: service DNS (617), application unknown (0)<BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 <FONT color="#0000FF">SI: DNS security intelligence rule, 'NGFW-DNS-Blacklist', drop</FONT><BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort: processed decoder alerts or actions queue, drop<BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 Snort id 0, NAP id 3, IPS id 0, Verdict BLOCK<BR />198.19.10.100-49320 - 192.42.93.30-53 17 AS 1-1 CID 0 ===&gt; Blocked by SI<BR />Verdict reason is sent to DAQ</P> Tue, 04 Aug 2020 19:16:39 GMT https://community.cisco.com/t5/network-security/dns-security-intelligence-block-how-to-see-at-cli-on-ftd/m-p/4130361#M1072630 cpaquet 2020-08-04T19:16:39Z