
Monitoring with FTD firepower 2100

marcio.tormente (Level 4)

Hello guys!

I have no experience with FTD Firepower and I'm lost with the monitoring.

In the ASA, using ASDM, I can monitor in real time to see where the traffic is being blocked or not, but I have no idea how to do it using Firepower.

Can anyone help me with this case?

Thanks

Marcio

Accepted Solution

phil.hydea (Level 1)

Hi Marcio

Within the FMC (Firepower Management Center), you can use Analysis > Connection Events to filter and drill down on standard connection events that pass through the managed devices.

You can use Analysis > Intrusion Events to assess what is being blocked/monitored by the Snort engine.

Also, if you have the network discovery policy configured to build up host intelligence of your internal protected nodes (desktops, laptops, servers etc.), Analysis > Context Explorer will give you accurate IOCs (Indications of Compromise) and what devices/alerts should be triaged first.

As a general rule of thumb, the intrusion alerts are rated 1-4 then 0 (1 being critical, 0 being informational). Look at the critical ones first.

The Access Control Policy ties all the 'sub-policies' together (File/Malware, Prefilter (Layer 1-4), Intrusion (> Layer 7), SSL, DNS etc.).

Hope this helps.

Phil

8 Replies


Hello Phil!

Thanks for your support.

I tried as you said, but after going to "Analysis > Connection Events", I have many options in the "jump to" as shown in the attached; if I change to "host", for example, I have no result.

Or if I make a filter by network and put the IP of the host, again I have no result. Do you know why?

Thanks

Hi,

 

Do you have an ACP configured with logging enabled?

 

Cheers

Phil

Also, as well as ACP configured with logging, have you tried increasing the time window (top right of the table)?

Sorry, but what is ACP?

ACP is Access Control Policy. It's where all the ACL (access control list) style rules and the additional inspection up to Layer 7 are configured.

 

Check this out:

https://networkdirection.net/articles/asa/firepowermanagementcentre/fmcaccesscontrolpolicies/

 

Have you added your FTD devices to the FMC already? Do you have licensing sorted? (If not, no problem: use evaluation mode for a 90-day window.)

Yes, I have the ACP configured and the device is on the FMC physical appliance with the normal license (not evaluation).

So do you have ACP rules configured with logging?

Edit the rule, click the Logging tab, then select Log at Beginning and/or End of Connection.
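The check Phil describes is per rule in the GUI, which gets tedious on a policy with hundreds of rules. The script below, an added example that is not from this thread or from Cisco, audits an access control policy for rules (and the default action) that can never produce a connection event, because they log nothing or log only to syslog/SNMP instead of to the FMC. It assumes the FMC REST API endpoints (`/api/fmc_platform/v1/auth/generatetoken`, `/api/fmc_config/v1/domain/{uuid}/policy/accesspolicies`) and the `logBegin`, `logEnd`, `sendEventsToFMC` and `enabled` fields of the `accessrules` and `defaultAction` objects as documented for FMC 6.x; the sample rules at the bottom are constructed, not exported from a real FMC.

```python
"""Audit an FMC access control policy for rules that will not produce
connection events.

Added example, not code from the thread or from Cisco. It assumes the FMC
REST API paths and the accessrules/defaultAction fields logBegin, logEnd,
sendEventsToFMC and enabled as documented for FMC 6.x; the sample data at
the bottom is constructed for illustration, not exported from a real FMC.
"""
import json
import ssl
import urllib.request
from base64 import b64encode


def audit_rules(rules):
    """Return (rule name, reason) for enabled rules that cannot appear under
    Analysis > Connection Events: a rule yields a connection event only if
    it logs at the beginning and/or end of connection and sends those events
    to the FMC (rather than only to syslog/SNMP)."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        if not rule.get("enabled", True):
            continue  # a disabled rule never matches, so it never logs
        if not (rule.get("logBegin") or rule.get("logEnd")):
            findings.append((name, "logging disabled (no logBegin/logEnd)"))
        elif not rule.get("sendEventsToFMC"):
            findings.append((name, "events not sent to FMC (syslog/SNMP only)"))
    return findings


def audit_default_action(default_action):
    """Same check for the policy's default action, which handles every flow
    no rule matches; returns a reason string, or None if it logs to the FMC."""
    if not (default_action.get("logBegin") or default_action.get("logEnd")):
        return "default action does not log; unmatched flows leave no trace"
    if not default_action.get("sendEventsToFMC"):
        return "default action logs, but not to the FMC event viewer"
    return None


def _get_json(url, headers, ctx):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def fetch_policy(host, user, password, policy_name, verify_tls=True):
    """Pull the rules and default action of one ACP from a live FMC.
    Assumes the documented token and accesspolicies endpoints (assumption:
    not verified against every FMC release); not exercised by the sample."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab FMCs with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    auth = b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{host}/api/fmc_platform/v1/auth/generatetoken",
        method="POST", headers={"Authorization": f"Basic {auth}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        hdrs = {"X-auth-access-token": resp.headers["X-auth-access-token"]}
        domain = resp.headers["DOMAIN_UUID"]
    base = f"https://{host}/api/fmc_config/v1/domain/{domain}/policy/accesspolicies"
    listing = _get_json(base, hdrs, ctx).get("items", [])
    summary = next(p for p in listing if p["name"] == policy_name)
    policy = _get_json(f"{base}/{summary['id']}", hdrs, ctx)
    rules = _get_json(f"{base}/{summary['id']}/accessrules?expanded=true&limit=1000",
                      hdrs, ctx).get("items", [])
    return rules, policy.get("defaultAction", {})


# Constructed sample in the shape of an expanded accessrules listing.
SAMPLE_RULES = [
    {"name": "Allow-LAN-to-Internet", "enabled": True, "action": "ALLOW",
     "logBegin": False, "logEnd": False, "sendEventsToFMC": False},
    {"name": "Block-Bad-Hosts", "enabled": True, "action": "BLOCK",
     "logBegin": True, "logEnd": False, "sendEventsToFMC": False,
     "enableSyslog": True},
    {"name": "Inspect-DMZ", "enabled": True, "action": "ALLOW",
     "logBegin": False, "logEnd": True, "sendEventsToFMC": True},
    {"name": "Old-Rule", "enabled": False, "action": "ALLOW",
     "logBegin": False, "logEnd": False, "sendEventsToFMC": False},
]
SAMPLE_DEFAULT_ACTION = {"action": "BLOCK", "logBegin": False,
                         "logEnd": False, "sendEventsToFMC": False}

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {reason}")
    reason = audit_default_action(SAMPLE_DEFAULT_ACTION)
    if reason:
        print(reason)
```

Against the constructed sample the audit flags `Allow-LAN-to-Internet` (no logging at all) and `Block-Bad-Hosts` (syslog only), skips the disabled `Old-Rule`, and reports that the default action logs nothing. Traffic that only ever hits those rules, or only the default action, is exactly the traffic that filtering Connection Events by host or network will never show, whatever time window is selected.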