
No Intrusion Events populating in the FMC

iolide
Level 1

Hello,

 

I've recently come across an issue where there are no Intrusion Events being populated in the FMC. The last Intrusion event log was about 10 days ago, but now there is "No Data" under Overview -> Intrusion, and when I go to Analysis -> Intrusion -> Events, there are no events being shown.

 

Nothing has changed configuration wise, but the FMC was upgraded to 6.4.0 while the sensors are running on 6.1.0/6.2.0.

Any ideas or suggestions?

 

Thanks for the help.

 


nspasov
Cisco Employee

A couple of things to check:

Is the device enabled with an IPS license?

Do you have an IPS policy applied to an Access Control Policy?

Is logging enabled for the IPS events?

Generate some IPS events manually and check again. It is perhaps possible that there have not been any intrusions in the time window that you are checking for :)

Thank you for rating helpful posts!

Thanks for the reply nspasov.

 

To answer the questions: we do have an IPS license as well as a few intrusion policies applied to the Access Control Policies configured. Everything on the configuration side appears to be set and working; it's just that the intrusion events stopped suddenly on the 18th. I am not sure if it is because we have Variable Sets defined with networks, or if this is due to the FMC running on 6.4.0 while the sensors are running on 6.1.0/6.2.0.

 

Also, what is the best way to generate some manual IPS events to check on this?

 

I am fairly new to the Sourcefires, so I REALLY appreciate the feedback/assistance.

 

Thank you!

It is possible that you are hitting a defect associated with version 6.4. However, I just tested this in my lab and I am definitely seeing intrusion events in my event viewer. What patch level are you running? I tested this while running with patch-1. Patch-2 just got released and it resolves a good number of defects.

With regard to generating IPS events, I use the wonderful and free version of Qualys Community Edition:

https://www.qualys.com/community-edition/

You can scan a few IPs for free and if you find it useful, you can always get the paid version. 

I hope this helps!

Thank you for rating helpful posts!

In my environment the firings last about 2 hours and then stop.

drivera_
Level 1

Hi, iolide

 

Did you find a solution for this? I'm having the same issue. When trying to see if there are some intrusion events, we don't see anything. I attached the screenshot I took.

 

We have already configured an IPS policy and applied it to an Access Control Rule too. I've been watching videos and reading a lot of documentation, but I haven't found the solution yet.

Same issue for me here since 6.4.0 upgrade, but only on one of the HA FMC? Swapping to secondary has intrusion events. 

I too have the same issue after a reboot on only one of the HA pair. Did you find any resolution?

This can be caused by the following bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb59619

If you are hitting that, a reboot will clear it.

Did you find any solution for this? I am still having the issue.

Hi

Did you find a solution? I am having the same issue.

 

Thanks in advance

 

Crizz
Level 1

Hi, iolide.

Did you find a solution for this? I'm having the same issue.

Thank you.
