FTD | unable to log deny policy on syslog server

ccg-security
Level 1

Hello Team,

Our Cisco FTD is working properly, but when we tried to check on the syslog server we're unable to see the logs of the deny policy. Anyone who experienced this incident?

Best regards,

1 Reply

joekislo
Level 1

FTD appears to disable by default certain log messages that the ASA had on by default, including denies.

On FTD 6.6.0: Devices -> Platform Settings -> Pencil Icon -> Syslog -> Syslog Settings

Here you will see a list of Syslog IDs which Cisco decided not to log by default.

The one you are looking for is 106023. Click the Pencil, check the Enabled checkbox. Save and deploy.

Unfortunately it'll be of somewhat limited use, because the log message won't actually include which access rule/group blocked the connection like the ASA did. It'll always just say "CSM_FW_ACL_" blocked it, since the FTD stores everything in a flat lina access-list.

You should go through the rest of the blocked Syslog IDs to see if there's anything else you want. The meaning of the Syslog IDs is here:

https://www.cisco.com/c/en/us/td/docs/security/asa/syslog/b_syslog/syslogs-sev-level.html

There are several other ones which are quite useful if you're accustomed to debugging traffic via syslog.
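Once 106023 is enabled, the syslog server receives lines in the ASA/FTD "Deny ... by access-group" format described above; the following is an added example (not from this thread or from Cisco) of a small parser that pulls the protocol, endpoints and ACL name out of those lines and counts denies per target, so you can see that every line names "CSM_FW_ACL_" while still getting useful per-destination statistics. The sample log lines are constructed; the regex handles the tcp/udp port form and the icmp type/code form but not the optional identity-firewall fields.

```python
import re
from collections import Counter

# Message ID 106023 is the ASA/FTD "Deny <proto> src ... dst ... by access-group" syslog.
# Ports are present for tcp/udp; icmp carries "(type N, code N)" after the destination.
_DENY_RE = re.compile(
    r"%(?P<platform>ASA|FTD)-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[^:]+):(?P<src_ip>[0-9a-fA-F.:]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[^:]+):(?P<dst_ip>[0-9a-fA-F.:]+)(?:/(?P<dst_port>\d+))?"
    r"(?: \(type (?P<icmp_type>\d+), code (?P<icmp_code>\d+)\))?"
    r' by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample input: four FTD denies and one unrelated connection-built message.
SAMPLE_LOGS = """\
<164>Jan 10 2024 12:00:01 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.5/51234 dst inside:10.0.0.10/22 by access-group "CSM_FW_ACL_" [0x0, 0x0]
<164>Jan 10 2024 12:00:02 ftd01 %FTD-4-106023: Deny tcp src outside:203.0.113.5/51235 dst inside:10.0.0.10/22 by access-group "CSM_FW_ACL_" [0x0, 0x0]
<164>Jan 10 2024 12:00:03 ftd01 %FTD-4-106023: Deny udp src outside:198.51.100.7/5353 dst inside:10.0.0.20/161 by access-group "CSM_FW_ACL_" [0x0, 0x0]
<164>Jan 10 2024 12:00:04 ftd01 %FTD-4-106023: Deny icmp src outside:198.51.100.7 dst inside:10.0.0.20 (type 8, code 0) by access-group "CSM_FW_ACL_" [0x0, 0x0]
<166>Jan 10 2024 12:00:05 ftd01 %FTD-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/4000 (203.0.113.9/4000) to inside:10.0.0.10/443 (10.0.0.10/443)
"""


def parse_106023(line):
    """Return a dict of the 106023 fields, or None if the line is not a 106023 deny."""
    m = _DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("src_port", "dst_port", "icmp_type", "icmp_code"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize_denies(log_text):
    """Count denies per (proto, dst_ip, dst_port) and per ACL name.

    On FTD the ACL counter collapses to a single "CSM_FW_ACL_" entry, which is
    exactly the limitation noted above; the per-target counter is still useful.
    """
    by_target, by_acl = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_106023(line)
        if rec is None:
            continue
        by_target[(rec["proto"], rec["dst_ip"], rec["dst_port"])] += 1
        by_acl[rec["acl"]] += 1
    return by_target, by_acl


if __name__ == "__main__":
    targets, acls = summarize_denies(SAMPLE_LOGS)
    for (proto, ip, port), n in targets.most_common():
        print(f"{n:3d} denies  {proto:<5} -> {ip}:{port}")
    print("per ACL:", dict(acls))
```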