topic Re: Requirement to shutdown FTD inside interface via SLA in Network Security

Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Sat, 20 May 2023 18:00:00 GMT

Hello,

We have a requirement to shutdown the inside interface of our FTD once the internet link on the upstream ISP router goes down. The logical connectivity is as follows.

Core Switch---->(inside)FTD(outside)----->(inside)ISP Router(outside)----->Internet

Initially I planning to use an sla monitor (ping to 8.8.8.8)and use it in an EEM script to shutdown the interface. But I found that FTD/ASA does not support event track command. Please advise if there is any other way to achieve my requirement.

Thanks

Re: Requirement to shutdown FTD inside interface via SLA

Rob Ingram — Sat, 20 May 2023 18:07:07 GMT

@SHABEEB KUNHIPOCKER you can use the ASA EEM syntax with FlexConfig on the FTD.

What is your scenario to shutdown the FTD interface?...there might be a more elegant solution.

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sat, 20 May 2023 18:07:48 GMT

From first view you can use flexconfig to config eem in ftd.

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sat, 20 May 2023 18:10:32 GMT

https://community.cisco.com/t5/network-management/cisco-ftd-6-7-0-1-eem-quot-event-track-quot/td-p/4401894

Check this link

Re: Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Sun, 21 May 2023 04:36:44 GMT

Hi Rob,

The issue that the FTD is running ospf with core switch. The FTD has DMZ interface where they have an ESA. The customer has two data centers and when we do failover to the DC2, we need these DC1 DMZ routes to be removed from the routing table. My plan was to track an internet IP and shutdown the inside interface of FTD so that the ospf will be down from FTD to core and the DMZ route will be removed from the downstream devices.

Re: Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Sun, 21 May 2023 04:38:49 GMT

Hi,

I have seen this link. But as stated there is no option to configure event track. In my case I need to monitor an internet IP and when it is unreachable I need to run EEM. So I don’t think I can use the solution in the link.

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Sun, 21 May 2023 09:37:00 GMT

@SHABEEB KUNHIPOCKER event track is not supported on ASA and FTD. I just had a thought why dont you use the syslog ID "718063 Error Message %ASA-5-718063: Interface interface_name is down" and "718064 Error Message %ASA-5-718064: Admin. interface interface_name is down". as syslog are supported on EEM applet

on based of these log ID you can create the EEM applet and run it.

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sun, 21 May 2023 09:51:03 GMT

Yes you correct

Even track not support'

You can use syslog' but syslog for what

Here the Q

The answer you can use static route with track and use syslog for add remove this route to rib and config eem.

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Sun, 21 May 2023 09:59:41 GMT

syslog can be use against the "name if" here is the log id and description " "718063 Error Message %ASA-5-718063: Interface interface_name is down"

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sun, 21 May 2023 10:03:00 GMT

He use IP SLA because the FTD side not down when ISP interface down'

So we will use static route only for eem and detect it add remove.

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Sun, 21 May 2023 10:17:56 GMT

In that case there are the syslog id need to be configured.

609001
302020
302021
609002
622001

I get these syslog id from Cisco Document

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog.pdf

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sun, 21 May 2023 10:33:49 GMT

I am far from my PC I already run lab using this syslog, hope share this lab tonight

Re: Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Sun, 21 May 2023 12:20:45 GMT

Hello,

Our issue is that we cannot use static route as we are already running ospf in the FTD, and we need to remove some subnets from getting advertised to ospf when the upstream internet link goes down.

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sun, 21 May 2023 13:46:02 GMT

you detect the 8.8.8.8 use static route to 8.8.4.4, we talk here about any static route not specific one
route OUT 8.8.4.4 255.255.255.255 <ISP> track x
then use EEM and shut down or remove net under OSPF

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Sun, 21 May 2023 16:38:24 GMT

@SHABEEB KUNHIPOCKER you can configure the Interface syslog id as mentioned in my earlier post and run the EEM applet aganist it. If this is production network which I assume it is. There is a less chance of false positive as you or some one else from network team will shutting the any interface of the firewall. so syslog id 718063 and 718064 is your best bet. unless otherwise, you get the syslog id of the ospf adjacency syslog id and run against the EEM applet.

I am afraid you only have these options with EEM applet.

Re: Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Sun, 21 May 2023 18:57:20 GMT

Hello,

I tried it in my lab with syslog id 622001 in the em script. But unfortunately it did not work. Do I need to enable console logging in the FTD for this to work?.

Re: Requirement to shutdown FTD inside interface via SLA

MHM Cisco World — Sun, 21 May 2023 19:02:26 GMT

Did you config log level for this message?

If you want push the log message to other log level if you want

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Sun, 21 May 2023 19:52:20 GMT

First of all please rate the post as we are taking our personal time and helping you here. secnond share your em script.

Third. I have give a sample test it.

event manager applet Auto_Action description "ShutDown Interfaces" event syslog id 622001 action 1 cli command "enable" action 2 cli command "config t" action 3 cli command "interface Ethernet1/1" action 4 cli command "shutdown" output none

Re: Requirement to shutdown FTD inside interface via SLA

SHABEEB KUNHIPOCKER — Mon, 22 May 2023 07:27:51 GMT

Hello Sheraz/MHM,

I managed to shut the interface down with the syslog ID 622001. The issue was with logging and I created an event list in the platform settings and deployed it in FTD. But now the issue is that the interface will go down once the tracker is down. But when the internet link comes back up it is not enabled automatically. I believe I need to write another script to bring it up, but I am wondering what would be the parameter I should use in that script as the syslog ID 622001 is for both removal and addition of the tracked route.

The script I am running is shown below

event manager applet Internet-Down
description Wan Disconnected
event syslog id 622001
action 1 cli command "en"
action 2 cli command "config t"
action 3 cli command "interface GigabitEthernet0/1"
action 4 cli command "shutdown"
action 5 cli command "wr mem"
output none

Thanks

Re: Requirement to shutdown FTD inside interface via SLA

Sheraz.Salim — Mon, 22 May 2023 08:30:25 GMT

your understand is correct. you can use this sys ID 622001 again and put the interface/s as no shut. as according to the documentation log ID 622001 is for removal and same ID for adding it back.