How do you check hitcounts in FMC?

sailendrahjt
Level 4

Everyone, I am trying to get hitcounts for my access control policy rules applied to an FTD device in Firepower Management Console 6.2. Does anyone know how to check hitcounts?

3 Replies

Jesper Erbs2
Level 1

Hello,

1. Connect to the FTD sensor using SSH.

2. Type connect ftd to connect to the FTD sensor, so you get the > prompt.

3. Type the command: show access-control-config

Under each rule there is a rule hits number, which shows you the hitcount.

    Rule Hits             : 76243

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/fdm/fptd-fdm-config-guide-620/fptd-fdm-access.html

If you would like to verify specific traffic you could also use the system support firewall-engine-debug command, which shows you the specific traffic received on the FTD (or Firepower services) based on a filter you define. Here is an example:

    > system support firewall-engine-debug
    Please specify an IP protocol: tcp
    Please specify a client IP address: 172.25.1.14
    Please specify a client port:
    Please specify a server IP address:
    Please specify a server port:
    Monitoring firewall engine debug messages
    172.25.1.14-62321 > X.X.X.X-443 6 AS 0 I 0 New session
    172.25.1.14-62321 > X.X.X.X-443 6 AS 0 I 0 Starting with minimum 0, id 0 and IPProto first with zones -1 -> -1, geo 0 -> 0, vlan 0, svc 0, payload 0, client 0, misc 0, user 60, url

Another option if you want to have hitcounts available in FMC is to go to Analysis > Custom > Custom Workflows and create a new workflow. You can give the workflow a name like 'ACL Hits' or whatever you like and select the 'Connection Events' table. Next hit 'Add Page' and select the fields; generally I use Access Control Rule for the first column with priority of 3, Count next with a priority of 1, and Access Control Policy for the third column with a priority of 2 for columns/grouping. After this, you can go to Analysis > Connections > Events and click the 'Switch Workflow' link to select your new ACL Hits page. One neat feature is you can change the timeframe at the top right to only see counts within the specified range. Also be sure to log connection events (in the Access Control and/or Prefilter policies) to populate the information.
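As an added example (not from either reply above), here is a small parser for the "Rule Hits" lines that the show access-control-config command prints, so the counts can be reviewed offline and zero-hit rules flagged for cleanup. The sample output is constructed, and the "[ Rule: <name> ]" banner format is an assumption about the CLI layout; only the "Rule Hits : N" line is taken from the reply.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of "show access-control-config" output.
# The "[ Rule: <name> ]" banner is an assumed layout; "Rule Hits : N" is the
# line shown in the reply above. This is not a capture from a real FTD.
SAMPLE_OUTPUT = """\
===================[ Rule Set: (User) ]===================
-----------------[ Rule: Allow-Web-Out ]-----------------
  Action               : Allow
  Rule Hits            : 76243
-----------------[ Rule: Block-Telnet ]-----------------
  Action               : Block
  Rule Hits            : 0
-----------------[ Rule: Allow-DNS ]-----------------
  Action               : Allow
  Rule Hits            : 5120
===================[ Default Action ]===================
  Default Action       : Block
"""

# Banner that opens a rule block; "Rule Set:" banners deliberately do not match.
RULE_RE = re.compile(r"\[\s*Rule:\s*(?P<name>.+?)\s*\]")
# Counter line printed under each rule.
HITS_RE = re.compile(r"^\s*Rule Hits\s*:\s*(?P<hits>\d+)\s*$")


def parse_rule_hits(text: str) -> Dict[str, int]:
    """Map each rule name to its hit count, in the order rules appear."""
    hits: Dict[str, int] = {}
    current = None
    for line in text.splitlines():
        banner = RULE_RE.search(line)
        if banner:
            current = banner.group("name")
            continue
        counter = HITS_RE.match(line)
        if counter and current is not None:
            hits[current] = int(counter.group("hits"))
            current = None  # one counter per rule; ignore stray lines
    return hits


def unused_rules(hits: Dict[str, int]) -> List[str]:
    """Rules with zero hits: candidates to review before the next policy change."""
    return sorted(name for name, count in hits.items() if count == 0)


if __name__ == "__main__":
    counts = parse_rule_hits(SAMPLE_OUTPUT)
    for name, count in counts.items():
        print(f"{name:20s} {count:>8d}")
    print("zero-hit rules:", unused_rules(counts))
```

A zero count only means no matches since the counter last started, so compare several captures over time before removing a rule.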
