topic Re: Default Action Block - Log in Network Security

Default Action Block - Log

Otvforte — Mon, 07 Jul 2025 13:44:15 GMT

Hi !

I'm start learning FTD (FP1010) and trying to figure out why I can't see external blocked SYN packets on FDM web interface (Events Tab). They are visible only on syslog messages, like this example: 07-07-2025 10:29:14 Local4.Error 192.168.0.1 Jul 07 2025 13:29:14: %FTD-3-710003: TCP access denied by ACL from x.x.x.x/41322 to outside:y.y.y.y/22

Also, if its due to the different engines (LINA and Snort), what kind of messages are supposed to show onFTD web interface ? Only those related with Next Gen components ?

The Default Action on Policies are configured to Block and Log.

Re: Default Action Block - Log

MHM Cisco World — Mon, 07 Jul 2025 14:08:37 GMT

Can you more elaborate

thanks

MHM

Re: Default Action Block - Log

Otvforte — Mon, 07 Jul 2025 15:06:41 GMT

Sure sir. I know the firewall is blocking WAN to LAN connections by default (Default Action on Policies is set to Block). I'm able to see these blocked connections on syslog messages (remote server or even with CLI 'show logging') but the same blocked connections do not show on FDM - Monitoring / Events logs. Why blocks on Defaul Action do not show on the events when using at the FDM ? On the other hand, for rules that I create manually (like block a ping for example), I can see the block information on the FDM Monitoring / Events option and on syslog as well.

Maybe this is the expected behavior, I'm just trying to understand.

Re: Default Action Block - Log

MHM Cisco World — Mon, 07 Jul 2025 15:22:09 GMT

in the left down corner there is default action and it Block
and by defualt there is no log
you can click in icon to enable log for this action

MHM

Re: Default Action Block - Log

Otvforte — Mon, 07 Jul 2025 15:59:46 GMT

Good to know that there is no log for Default Action (block), thank you.

Re: Default Action Block - Log

MHM Cisco World — Mon, 07 Jul 2025 16:03:48 GMT

You are so welcome

MHM