04-10-2017 02:30 PM - edited 03-12-2019 06:21 AM
I need to allow a host access to three separate FQDNs.
I've got the rule in my ASA, but this appears to be hanging at the FirePOWER IPS.
I do _NOT_ have a URL license, but I was told that I could still create manual rules around URLs without this licensing.
Is there a special way to do this?
Presently, I have a rule allowing my source hosts to "any" destination networks, port is tcp/443, and URL contains the three URLs I wish to allow.
Is there some equivalent to the ASA's packet-tracer tool to allow me to test traffic flow via the IPS?
04-12-2017 10:08 AM
When an ASA FirePOWER module is the cause for a drop action, it doesn't actually drop the connection itself - instead it sends a request to the parent ASA to terminate the TCP session (or UDP flow). That request can be seen in a syslog message. The message IDs 434002, 434003 and 434004 are shown here:
http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-8112279
Make sure you are logging and look for those messages to confirm the SFR module is what's telling the ASA to drop the flow.
You can also see it in the connection records of your FirePOWER Management Center if you're using that. If you're using ASDM only it's a bit more challenging as you can't do historical analysis of connections (only near real time), but you may be able to catch the connection on the FirePOWER module there as well.
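A small triage script for the check the answer describes, added here as an example; it is not from the original thread and not Cisco code. The 4340xx messages are severity 6, so on the ASA they only get kept if logging is on and the buffer level includes informational (`logging enable`, `logging buffered informational`), after which `show logging | include 434` pulls them out. The script does the same sorting offline over a saved log: it keys on the message ID in the `%ASA-<sev>-<id>:` header, tags 434002/434003/434004 as module-requested terminations and 106023 as the ASA's own ACL deny, and pulls the endpoints out of the `from A to B` / `src A dst B` wording both families use. The log lines, host addresses, interface names and message wording below are constructed to approximate the documented formats; the classifier depends only on the IDs and the `<interface>:<ip>/<port>` endpoint shape, so real lines with slightly different wording still classify.

```python
"""Sort ASA syslog into 'the SFR module asked for this drop' vs 'the ASA ACL dropped it'.
Added example, not code from the thread or from Cisco; sample log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# IDs the answer points at: the module cannot drop a flow itself, it asks the
# parent ASA, and the ASA logs that request under these message IDs.
SFR_REQUEST_IDS = {"434002", "434003", "434004"}
# The ASA's own per-packet ACL deny, so the two causes can be told apart.
ASA_ACL_DENY_IDS = {"106023"}

# "%ASA-<severity>-<six-digit id>: <text>", whatever syslog prefix precedes it.
_HEADER = re.compile(r"%ASA-(?P<sev>\d)-(?P<mid>\d{6}):\s*(?P<text>.*)")
# Endpoints are written <interface>:<ip>/<port> in both message families;
# 4340xx say "from A to B", 106023 says "src A dst B".
_ENDPOINT = r"(?P<{tag}if>[\w-]+):(?P<{tag}ip>[0-9a-fA-F.:]+)/(?P<{tag}port>\d+)"
_FLOW = re.compile(
    r"\b(?P<proto>tcp|udp|icmp)\b.*?\b(?:from|src)\s+" + _ENDPOINT.format(tag="s")
    + r"\s+(?:to|dst)\s+" + _ENDPOINT.format(tag="d"),
    re.IGNORECASE,
)


@dataclass
class DropEvent:
    msg_id: str
    cause: str       # "sfr-module" or "asa-acl"
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    text: str


def parse_line(line: str) -> Optional[DropEvent]:
    """Return a DropEvent for a drop-related ASA message, else None."""
    h = _HEADER.search(line)
    if not h:
        return None
    mid = h.group("mid")
    if mid in SFR_REQUEST_IDS:
        cause = "sfr-module"
    elif mid in ASA_ACL_DENY_IDS:
        cause = "asa-acl"
    else:
        return None
    f = _FLOW.search(h.group("text"))
    if not f:
        # Known ID but unexpected wording: surface it rather than silently drop it.
        return DropEvent(mid, cause, "?", "?", 0, "?", 0, h.group("text"))
    return DropEvent(mid, cause, f.group("proto").lower(),
                     f.group("sip"), int(f.group("sport")),
                     f.group("dip"), int(f.group("dport")), h.group("text"))


def find_drops(lines, host: str, dst_port: Optional[int] = None) -> List[DropEvent]:
    """Every drop/reset involving `host` as the source, optionally filtered by destination port."""
    out = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev.src_ip == host and (dst_port is None or ev.dst_port == dst_port):
            out.append(ev)
    return out


def blame(lines, host: str, dst_port: Optional[int] = None) -> Dict[str, int]:
    """Count drops for `host` by cause, i.e. the answer to 'was it the module or the ASA?'."""
    counts: Dict[str, int] = {}
    for ev in find_drops(lines, host, dst_port):
        counts[ev.cause] = counts.get(ev.cause, 0) + 1
    return counts


# Constructed sample log (hostnames, addresses and wording are illustrative only).
SAMPLE_LOG = """\
Apr 12 2017 10:01:03 asa1 %ASA-6-302013: Built outbound TCP connection 12345 for outside:93.184.216.34/443 (93.184.216.34/443) to inside:10.1.1.5/54321 (203.0.113.10/54321)
Apr 12 2017 10:01:04 asa1 %ASA-6-434003: SFR requested ASA to reset TCP connection from inside:10.1.1.5/54321 to outside:93.184.216.34/443
Apr 12 2017 10:01:09 asa1 %ASA-4-106023: Deny tcp src inside:10.1.1.7/40000 dst outside:198.51.100.20/443 by access-group "inside_in" [0x0, 0x0]
Apr 12 2017 10:01:15 asa1 %ASA-6-434004: SFR requested ASA to drop UDP flow from inside:10.1.1.5/51000 to outside:198.51.100.53/53
""".splitlines()

if __name__ == "__main__":
    for ev in find_drops(SAMPLE_LOG, "10.1.1.5"):
        print(f"{ev.msg_id} {ev.cause:10} {ev.proto} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port}")
    print(blame(SAMPLE_LOG, "10.1.1.5", dst_port=443))
```

Run it against the output of `show logging` (or the syslog server's file) with the real source host from the ACL and port 443: a non-empty `sfr-module` count means the module is the one asking for the reset, so the URL rule on the module is what needs fixing; an `asa-acl` count points back at the ASA's access-list instead.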
04-12-2017 10:08 AM
Thank you!