05-30-2019 01:03 PM - edited 02-21-2020 09:10 AM
We have FMC (Ver 6.2.3.3) and FTD on an ASA5516-X now.
I have set an access control policy with application + URL, but I can't see any hit count on FTD.
> show running-config | grep 268439554
access-list CSM_FW_ACL_ remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554
access-list CSM_FW_ACL_ advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554
> show access-list | grep 268439554
access-list CSM_FW_ACL_ line 159 remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 160 remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
>
How can I verify what I have wrong?
05-30-2019 07:18 PM
Are you showing any Block connection events (in FMC Event viewer) that are a result of the configured rule?
The hit count definitely works in FTD cli - I just confirmed on a system running 6.2.3.11.
Try using this command:
> show access-list | exclude hitcnt=0
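Added example, not part of the original post: a small Python parser for the `show access-list` output shown in this thread. It groups the ACEs by the FMC rule-id from the remark lines, counts each ACL line once (FTD prints an object-based ACE in object form and again expanded per member with the same line number and the same hitcnt, so summing every line would double count), and lists the rules that have never matched, which is what `show access-list | exclude hitcnt=0` lets you do by eye. The sample text is the two snippets posted above, combined so that one rule has hits and the other does not; the `Rule` class and function names are my own. Note that the ACE action is `permit` even though the rule is named PCI-to-Block: application and URL conditions are evaluated by Snort, so the LINA ACE permits the flow to Snort for inspection, and the hitcnt counts flows handed off to Snort, not blocks.

```python
import re
import sys
from collections import OrderedDict
from dataclasses import dataclass, field

# Constructed sample: the two "show access-list" snippets from the thread,
# joined so that rule 268440579 has hits and rule 268439554 has none.
SAMPLE = """\
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 159 remark rule-id 268439554: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 160 remark rule-id 268439554: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 161 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0x68dbf84e
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
access-list CSM_FW_ACL_ line 162 advanced permit ip ifc NONPCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268439554 (hitcnt=0) 0xa07662a7
"""

# Remark lines carry the FMC policy name and the L7 rule name for a rule-id.
REMARK_RE = re.compile(
    r"^access-list \S+ line (\d+) remark rule-id (\d+): (ACCESS POLICY|L7 RULE): (.+)$"
)
# ACE lines carry the LINA action, the rule-id, the hit count and the ACE hash.
# Only "show access-list" output has "line N" and "(hitcnt=N)"; running-config
# lines have neither and are skipped.
ACE_RE = re.compile(
    r"^access-list \S+ line (\d+) advanced (\w+) .*? rule-id (\d+) \(hitcnt=(\d+)\) (0x[0-9a-fA-F]+)$"
)


@dataclass
class Rule:
    rule_id: str
    policy: str = ""
    name: str = ""
    action: str = ""
    # ACL line number -> hitcnt of the first entry seen for that line. The object
    # form and its expanded members share a line number, so count the line once.
    hits_by_line: "OrderedDict[int, int]" = field(default_factory=OrderedDict)

    @property
    def total_hits(self) -> int:
        return sum(self.hits_by_line.values())


def parse_access_list(text: str) -> "OrderedDict[str, Rule]":
    """Group 'show access-list' output by FMC rule-id."""
    rules: "OrderedDict[str, Rule]" = OrderedDict()
    for raw in text.splitlines():
        line = raw.strip()
        m = REMARK_RE.match(line)
        if m:
            _lineno, rid, kind, value = m.groups()
            rule = rules.setdefault(rid, Rule(rid))
            if kind == "ACCESS POLICY":
                rule.policy = value
            else:
                rule.name = value
            continue
        m = ACE_RE.match(line)
        if m:
            lineno, action, rid, hitcnt, _ace_hash = m.groups()
            rule = rules.setdefault(rid, Rule(rid))
            rule.action = action
            rule.hits_by_line.setdefault(int(lineno), int(hitcnt))
    return rules


def zero_hit_rules(rules: "OrderedDict[str, Rule]") -> list:
    """Rule-ids whose ACEs have never matched (what '| exclude hitcnt=0' hides)."""
    return [r.rule_id for r in rules.values() if r.total_hits == 0]


def report(rules: "OrderedDict[str, Rule]") -> str:
    lines = []
    for r in rules.values():
        lines.append(
            f"rule-id {r.rule_id} [{r.policy}] {r.name!r} lina-action={r.action} "
            f"ace-lines={list(r.hits_by_line)} total-hits={r.total_hits}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Paste "show access-list" output on stdin, or run with no input for the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_access_list(text)
    print(report(parsed))
    print("never matched:", ", ".join(zero_hit_rules(parsed)) or "none")
```

Run it with the device output piped in (`ssh ftd 'show access-list' | python3 acl_hits.py`, assuming you saved the block as acl_hits.py); without input it runs against the embedded sample.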
06-03-2019 09:39 AM
Hi Marvin,
Thanks for your reply, but I am so confused about why I can't see the log.
> show access-list | grep 268440579
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=824) 0x68dbf84e
After I clear the counter, I see 824 hits, but I can't see any log.
06-03-2019 10:15 AM
Hi Marvin,
As we saw, the hit count has increased since before, but I can't see any block log on FMC.
> show access-list | grep 268440579
access-list CSM_FW_ACL_ line 138 remark rule-id 268440579: ACCESS POLICY: BFTD_Base - Mandatory
access-list CSM_FW_ACL_ line 139 remark rule-id 268440579: L7 RULE: PCI-to-Block
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI object BAJA_PCI ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=48315) 0x68dbf84e
access-list CSM_FW_ACL_ line 140 advanced permit ip ifc PCI 10.48.20.0 255.255.255.0 ifc Internet_Alestra any4 rule-id 268440579 (hitcnt=48315) 0x68dbf84e
06-03-2019 08:13 PM
Have you selected "Log at beginning of Connection" in the ACP rule and also indicated that the log destination should be the Event Viewer?
06-04-2019 07:55 AM
Hi Marvin,
You're right. "Log at beginning of connection" is checked.
I can't check "Log at end of connection". The box is deactivated. Why?
I can't see any events, as below. It is extended to 6 hours.
06-06-2019 08:22 PM
Because the action is block, I can't choose log at end of connection. The system blocks traffic at the start of the connection.
And I can see the log now.