Welcome to Cisco Firewalls Community


Beginner

FirePower Threat Defense Real time log viewer

Hi,

In the Cisco ASDM tool we have a section for real-time monitoring of the traffic that flows through our device (Monitoring > Logging > Real-Time Log Viewer). In this tab we can monitor all network activity and flow creation and teardown, but when we installed the FirePower Threat Defense software and added it to Cisco FMC, we actually lost this real-time monitoring. How can we monitor real-time logs in FMC? Is there any option in FMC for a real-time log viewer just like ASA ASDM?

thanks

2 Accepted Solutions
Cisco Employee

I have heard that real-time log view/monitor is coming to FireSIGHT but was never given an actual version. As of right now, this feature is not available. 

Sorry to bring the bad news :)

Thank you for rating helpful posts!

Hall of Fame Master

Sorry but there's not currently any such capability in FMC (or on the sensor itself). It's not in any short term plan either (although customer demand can sometimes result in development resources being allocated sooner).

The closest you can come right now is to create a syslog server and tail the syslog output.

There are the cli system support commands you can run that allow you to do packet trace and capture.

You can also access them via the GUI under System > Health > Monitor > (select device) > Advanced Troubleshooting. FTD devices will have those tools exposed there. (Note you can only do this for FTD devices and only from FMC.)

13 Replies

Beginner

You can also use the Connection -> Events tab in FMC. I agree it's not as good as the real-time log, but it can be very helpful.


Beginner

Thanks for your helpful answer, so we are waiting for the future.

thanks all

Contributor

Any update on this?  

What about AnyConnect VPN Support coming to FTD?

Hall of Fame Master

Nothing on the log viewer.

Remote access SSL VPN (for AnyConnect clients) will be introduced in FirePOWER 6.2.1 for FTD on the FirePOWER 2100 at that product's FCS date (First Customer Ship - scheduled for 22 May last I heard). The remaining FTD platforms will get it in a subsequent release shortly thereafter.

Marvin, I would like to

Thanks

Hall of Fame Master

My understanding is that when you have a syslog (or SNMP trap) action as part of a policy that has been deployed to a sensor (FTD or FirePOWER) that the syslog events and SNMP traps originate from the sensor itself.

See Oliver's response here confirming that behavior:

https://supportforums.cisco.com/discussion/13251571/firepower-rule-connection-logging-syslog-question

The FMC will not necessarily show everything that's going on at the sensor - only events that are configured to create event logs will be sent up to FMC.

FX-OS chassis level logs are certainly useful, but only if you have somebody actually watching them or at least checking them periodically. Few things are less useful than a log entry that nobody sees.

Regarding backups, see the configuration guide here:

http://www.cisco.com/c/en/us/td/docs/security/firepower/621/configuration/guide/fpmc-config-guide-v621/backup_and_restore.html

It notes:

You cannot create or restore backup files for NGIPSv, Firepower Threat Defense physical or virtual managed devices or ASA FirePOWER modules. To back up event data, perform a backup of the managing Firepower Management Center.

...which confirms what you are seeing.

Re: Sorry but there's not

Hello Marvin,

Need your help/input please.

On FTDs, we are logging traffic and sending it to the external syslog server. We want to see some historical data (logs) to troubleshoot any issues.

We noticed FMC is only logging the traffic for the last 24 hours. I have increased the database size and hopefully this will increase the data capacity.

Another issue is with sending traffic to the external syslog server. I want to enable syslog ID 106100 with logging level "informational"; the idea behind this is to get a log whenever there is any denied traffic at the access control policy. However, I am getting an error while pushing the policy once I have 106100 enabled. Please advise how we could do this in FTD? I have tried using FlexConfig but found the same issue.

In summary: we want to have logs at the syslog server, need to know if traffic is being denied by ACEs, and need to know the rule that is dropping the traffic.

Thanks
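A way to approximate the missing real-time viewer along the lines Marvin suggests (tail the syslog output the sensor sends out) and to pick out the 106100 denies asked about above, as an added example that is not from this thread or from Cisco: a small Python UDP syslog listener with a parser for %FTD-6-106100 messages. The sample lines, the ACL name CSM_FW_ACL_, and the listener port are constructed assumptions.

```python
import re
import socket

# Constructed sample of FTD-style syslog lines (not real traffic), in the
# %FTD-<severity>-<msgid> format the device emits to an external syslog server.
SAMPLE_LINES = [
    "<190>%FTD-6-106100: access-list CSM_FW_ACL_ denied tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
    "<190>%FTD-6-106100: access-list CSM_FW_ACL_ permitted udp inside/10.1.1.7(5353) -> outside/198.51.100.2(53) hit-cnt 3 300-second interval [0x1a2b3c4d, 0x0]",
    "<190>%FTD-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.7/51235 (10.1.1.7/51235)",
    "<190>%FTD-6-106100: access-list CSM_FW_ACL_ denied icmp dmz/172.16.0.9(0) -> inside/10.1.1.1(8) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]",
]

# 106100 layout: access-list <acl> <action> <proto> <in_if>/<src>(<sport>) -> <out_if>/<dst>(<dport>) hit-cnt <n> ...
MSG_106100 = re.compile(
    r"%(?:ASA|FTD)-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\S+) (?P<src_if>[^/]+)/(?P<src>[^(]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>[^(]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)

def parse_106100(line):
    """Return the fields of a 106100 message as a dict, or None for any other message."""
    m = MSG_106100.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hits"] = int(ev["hits"])
    return ev

def denied_flows(lines):
    """Yield only the 106100 events whose action is 'denied' (the ACP drops)."""
    for line in lines:
        ev = parse_106100(line)
        if ev and ev["action"] == "denied":
            yield ev

def summarize(ev):
    return (f"DENY {ev['proto']} {ev['src_if']}/{ev['src']}:{ev['sport']} -> "
            f"{ev['dst_if']}/{ev['dst']}:{ev['dport']} acl={ev['acl']} hits={ev['hits']}")

def listen(port=514, bind="0.0.0.0"):
    """Tail UDP syslog in real time, printing only the denied 106100 events (assumed port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind, port))
        while True:
            data, peer = s.recvfrom(65535)
            for ev in denied_flows([data.decode(errors="replace")]):
                print(peer[0], summarize(ev))

if __name__ == "__main__":
    for ev in denied_flows(SAMPLE_LINES):  # offline run over the constructed sample
        print(summarize(ev))
```

Run `listen()` instead of the sample loop to watch a live feed; the sensor must be sending syslog to the host where it runs.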

Contributor

Re: Sorry but there's not

I find it strange that Cisco is not working on some sort of viewer like we had on the ASA for the FTD, and for the FMC.

Someone from Cisco needs to respond to this thread.
Beginner

Re: Sorry but there's not

I'm with you. This is unacceptable.

I'll bring this up to my local reps and see what the response is.

Beginner

Re: Sorry but there's not

Any updates on this?

Beginner

Re: Sorry but there's not

You can use the capture command on the CLI of the device, same as the ASA.

Example:

capture in interface inside match ip 192.168.1.0 255.255.255.0 any

Then use the show capture command to see it.