FirePower logs missing certain hits

systemtek
Level 1

Hi All

Using Cisco FirePower, I created a rule to allow web traffic on 80 and 443. I can see traffic hitting this rule in the logs, which is fine.


But we are using "Inherit from base policy (Balanced Security....)", so let's say we visit a URL on port 678. It is allowed but does not match a rule, so it does not show in the logs. As far as I can see we have logging enabled on this policy, but why won't it log? The same goes if we hit something that is blocked by this policy, let's say insecure port 21: nothing in the logs.

I've checked as many logs as I can but found nothing for such hits.


Any ideas?


Thanks

1 Reply

Rahul Govindan
VIP Alumni

I have seen that it sometimes takes a while for the logs to populate on the FMC when logging is set to "End of connection". The FTD has to wait until the browser session or connection is completely closed before it can log that event. The second problem is that the traffic could be hitting a rule before the rule that is actually logged. Try running a firewall-engine-debug to see if the right ACP rule is matched.


https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212330-firepower-management-center-display-acc.html#anc6
