Configure syslog only for selected networks using FMC

igor.hamzic81 · ‎11-19-2019

Hi all. I would like to know if there is a way to enable of sending logs only for selected network ranges that are traversing our FTD firewall? Maybe using an ACL somewhere that will define for what networks we want the logs sent?

The reason for this is that there are several other devices in the path of some of the network traffic that are sending full logs to our syslog server for all networks and we wish to avoid duplication of the logs where we can.

Thanks in advance for your help.

nspasov · ‎11-20-2019

Hello Igor-

I think what you suggested is the solution to your question. Simply create a rule in your ACP that is specific to those subnets/IPs, place that rule high enough in your ACP so it gets hit before a more generic rule and configure the logging settings accordingly. Then, you the logging settings in your more generic rule can be completely different and not include your syslog server.

I hope this helps!

Thank you for rating helpful posts!

igor.hamzic81 · ‎12-04-2019

Hi. I've had an urgent project so this was on hold for now.

I have configured logging options both under Devices -> Platform settings -> Syslog and under Policies -> Access control -> Logging options(created an Alert to syslog - facility LOCAL4, severity INFO) for specific entries in the ACP following a Cisco guide.

Logging from the device is working OK as they are seen on our syslog server but logging for connections for specific ACP entries is not working as I can't see them on our syslog server.

It seems odd that one should work but the other won't. Is there something else to be done for sending connection logging for ACP entries to syslog that I'm missing?