topic Re: ASA Firepower getting ignored in Network Security

ASA Firepower getting ignored

Infuscomus — Mon, 12 Oct 2020 08:52:07 GMT

After receiving some user reports, apparently all Firepower rules are getting ignored in my ASA-5508X.

I was unable to find what is wrong.

Nothing related to Firepower was recently modified.

The SFR policy is the same and enabled. It matches all LAN segments towards any IP.

But Access Control Policy seems to be completely ignored/bypassed.

Using the packet tracer shows that any IP that suppose to be blocked in the ACP goes through without any problem.

How can I properly identify the problem ?

Re: ASA Firepower getting ignored

Marius Gunnerud — Mon, 12 Oct 2020 09:19:59 GMT

Well, packet tracer will only provide the result of the ASA verdict of the traffic and does not include what Firepower will do to the traffic. If you jump to the Firepower CLI and issue the command system support diagnostic-cli, enter the client IP and leave everything else blank, and then run a test. What rule are you hitting. If you se no traffic at all, then traffic is not being redirected to Firepower.

Re: ASA Firepower getting ignored

Infuscomus — Mon, 12 Oct 2020 09:25:36 GMT

Update:

Apparently this is a problem with some objects suddenly missing from the main network objects group.

This is fixable, so it was not a serious issue.

Re: ASA Firepower getting ignored

Aref Alsouqi — Mon, 12 Oct 2020 09:33:20 GMT

I think Marius meant to say system support firewall-engine-debug command to capture the traffic subnet to the ACP. Check if snort is engine is running, if not, try to restart it with the command pmtool restartbytype snort.

Re: ASA Firepower getting ignored

Marius Gunnerud — Mon, 12 Oct 2020 09:40:44 GMT

D'OH! Correct Aref, I meant firewall-engine-debug.

Re: ASA Firepower getting ignored

Marius Gunnerud — Mon, 12 Oct 2020 09:41:40 GMT

Objects that suddenly go missing should not happen. If this continues, I suggest opening a TAC case as this sounds a lot like a bug.

Re: ASA Firepower getting ignored

Infuscomus — Mon, 12 Oct 2020 11:10:01 GMT

Thanks for the feedback.

The last serious problem I encountered was licenses suddenly not correctly detected witch of course caused lack of certain licensed functionality.

I will follow closely to see if similar anomalies occur.

Re: ASA Firepower getting ignored

Aref Alsouqi — Mon, 12 Oct 2020 13:35:20 GMT

What version of ASA/SFR are you running?

Re: ASA Firepower getting ignored

Infuscomus — Tue, 13 Oct 2020 10:24:46 GMT

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.13(1)