access-list hit count in FTD

jkim3
Level 1

We have FMC (Ver 6.2.3.3) and FTD ASA5516-X now.

 

I have set an access control policy with application + URL, but I can't see any hit count on the FTD.

> show running-config | grep 268439554
access-list CSM_FW_ACL_ remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554
access-list CSM_FW_ACL_ advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554
> show access-list | grep 268439554
access-list CSM_FW_ACL_ line 159 remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 160 remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
>

How can I verify what I have wrong?


6 Replies

Marvin Rhoads
Hall of Fame

Are you showing any Block connection events (in FMC Event viewer) that are a result of the configured rule?

The hit count definitely works in FTD cli - I just confirmed on a system running 6.2.3.11.

Try using this command:

> show access-list | exclude hitcnt=0
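
In the `show access-list` output pasted in this thread, a rule that references a network object appears twice (same `line N`, same hitcnt, same hash: the object and its expanded subnet), and the ACP rule name is only visible on the remark lines. The following Python script is an added example, not code from this thread or from Cisco: it parses that output, groups entries by rule-id, counts each expanded object line once, and lists only the rules with hits, which is the same filtering that `| exclude hitcnt=0` does, but with the rule name attached. The sample input is constructed from the lines posted above; the function names and the per-rule total (a sum of the per-line counters, which the FTD itself does not report) are this script's own conventions.

```python
"""Summarise FTD `show access-list` hit counts per ACP rule-id.

Added example, not from the thread or from Cisco.  Feed it the text of
`show access-list` (saved from the FTD CLI); it reports, for each rule-id,
the ACP policy/section, the L7/L4 rule name taken from the remark lines,
and the hit counters.  Expanded-object entries (same line number and hash)
are counted once so a rule is not double-counted.
"""
import re
from collections import OrderedDict

# Constructed sample, copied from the output posted in this thread.
SAMPLE = """\
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 159 remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 160 remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
"""

# Remark lines carry the policy name and the rule name for a rule-id.
REMARK_RE = re.compile(r"line (\d+) remark rule-id (\d+): (.*)$")
# ACE lines carry the match clause, the rule-id, the hit counter and a hash.
ACE_RE = re.compile(
    r"line (\d+) (advanced \S+ .*?) rule-id (\d+) \(hitcnt=(\d+)\) (0x[0-9a-f]+)"
)


def _new_rule():
    return {"policy": None, "name": None, "aces": OrderedDict()}


def parse_access_list(text):
    """Return {rule_id: {policy, name, aces: {line_no: {ace, hits, hash}}}}."""
    rules = OrderedDict()
    for raw in text.splitlines():
        m = REMARK_RE.search(raw)
        if m:
            _line_no, rule_id, remark = m.groups()
            rule = rules.setdefault(rule_id, _new_rule())
            if remark.startswith("ACCESS POLICY: "):
                rule["policy"] = remark[len("ACCESS POLICY: "):]
            elif remark.startswith(("L7 RULE: ", "L4 RULE: ")):
                rule["name"] = remark.split(": ", 1)[1]
            continue
        m = ACE_RE.search(raw)
        if m:
            line_no, ace, rule_id, hits, ace_hash = m.groups()
            rule = rules.setdefault(rule_id, _new_rule())
            # An object and its expanded members share the line number and
            # hash; keep the first occurrence so the counter is not doubled.
            rule["aces"].setdefault(
                line_no, {"ace": ace, "hits": int(hits), "hash": ace_hash}
            )
    return rules


def total_hits(rules, rule_id):
    """Sum of the de-duplicated per-line counters for one rule-id."""
    return sum(a["hits"] for a in rules[rule_id]["aces"].values())


def rules_with_hits(rules):
    """Rule-ids whose counters are non-zero (what `exclude hitcnt=0` keeps)."""
    return [rid for rid in rules if total_hits(rules, rid) > 0]


def report(rules):
    """Human-readable summary, one line per rule-id."""
    lines = []
    for rid, rule in rules.items():
        lines.append(
            f"rule-id {rid}  {rule['policy']}  {rule['name']}  "
            f"hits={total_hits(rules, rid)}  aces={len(rule['aces'])}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_access_list(SAMPLE)
    print(report(parsed))
    print("with hits:", rules_with_hits(parsed))
```

Pipe the full `show access-list` output into `parse_access_list` instead of `SAMPLE` to audit a whole policy; note that the rule-id changes when the policy is redeployed (the thread shows 268439554 becoming 268440579 for the same rule name), so key your own records on the rule name from the remark line rather than on the rule-id.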

Hi Marvin,

Thanks for your reply, but I am so confused why I can't see the log.

> show access-list | grep 268440579
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e

After I clear the counter, I see 824 hits, but I can't see any log.

Hi Marvin,

As we saw, the hit count has increased since before, but I can't see any block log on FMC.

> show access-list | grep 268440579
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=48315) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=48315) 0x68dbf84e

Have you selected "Log at beginning of Connection" in the ACP rule and also indicated that the log destination should be the Event Viewer?

Hi Marvin,

You're right. "Log at beginning of connection" is checked.

I can't check "Log at end of connection". The box is deactivated. Why?

I can't see any events, as below. It is extended to 6 hours.

Because the action is Block, I can't choose "Log at end of connection". The system blocks traffic at the start of the connection.

And I can see the log now.
