1048 Views | 0 Helpful | 2 Replies

ASA-5525X / FirePOWER IPS FQDN/URL rule

I need to allow a host access to three separate FQDNs.

I've got the rule in my ASA, but this appears to be hanging at the FirePOWER IPS.

I do _NOT_ have a URL license, but I was told that I could still create manual rules around URLs without this licensing.

Is there a special way to do this?

Presently, I have a rule allowing my source hosts to "any" destination networks, port is tcp/443, and URL contains the three URLs I wish to allow.

Is there some equivalent to the ASA's packet-tracer tool to allow me to test traffic flow via the IPS?

Accepted Solution

Marvin Rhoads (Hall of Fame)

When an ASA FirePOWER module is the cause for a drop action, it doesn't actually drop the connection itself - instead it sends a request to the parent ASA to terminate the tcp session (or udp flow). That request can be seen in a syslog message. The message IDs 434002, 434003 and 434004 are shown here:

http://www.cisco.com/c/en/us/td/docs/security/asa/syslog-guide/syslogs/logmsgs1.html#pgfId-8112279

Make sure you are logging and look for those messages to confirm the sfr module is what's telling the ASA to drop the flow.

You can also see it in the connection records of your FirePOWER Management Center if you're using that. If you're using ASDM only it's a bit more challenging as you can't do historical analysis of connections (only near real time), but you may be able to catch the connection on the FirePOWER module there as well.

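The answer's verification step is a log check: confirm that it is the sfr module asking the parent ASA to act on the flow by looking for syslog IDs 434002, 434003 and 434004. The following is an added example, not part of the original post and not Cisco's code, showing how a defender could scan ASA syslog output for those IDs and group the drop/terminate requests by destination, which for the original question would reveal which of the three resolved FQDN addresses the IPS is actually blocking. The sample log lines are constructed for this example, and the message body layout the regex assumes ("... from IFACE:IP/PORT to IFACE:IP/PORT") is an assumption, so adjust the pattern to the exact text your ASA emits.

```python
import re
from collections import Counter

# Syslog message IDs the accepted answer names: the sfr (FirePOWER) module
# asking the parent ASA to act on a flow rather than dropping it itself.
SFR_ACTION_IDS = {
    "434002": "sfr requested packet drop",
    "434003": "sfr requested bypass (no further redirection)",
    "434004": "sfr requested flow termination",
}

# Assumed body layout for these messages; written against the constructed
# sample below. Verify against your own ASA output before relying on it.
MSG_RE = re.compile(
    r"%ASA-\d-(?P<id>43400[234]):.*?"
    r"(?P<proto>TCP|UDP).*?"
    r"from (?P<src_if>\S+?):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_if>\S+?):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)

# Constructed sample syslog lines (not captured from a real device).
SAMPLE_SYSLOG = """\
Jun 10 12:00:01 asa %ASA-6-302013: Built outbound TCP connection 12345 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.25/51000 (198.51.100.5/51000)
Jun 10 12:00:02 asa %ASA-6-434002: SFR requested to drop TCP packet from inside:10.1.1.25/51000 to outside:203.0.113.10/443
Jun 10 12:00:03 asa %ASA-6-434004: SFR requested ASA to terminate TCP flow from inside:10.1.1.25/51001 to outside:203.0.113.11/443
Jun 10 12:00:04 asa %ASA-6-434003: SFR requested ASA to bypass further packet redirection and process TCP flow from inside:10.1.1.30/52000 to outside:203.0.113.12/443 locally
Jun 10 12:00:05 asa %ASA-6-302014: Teardown TCP connection 12345 for outside:203.0.113.10/443 to inside:10.1.1.25/51000 duration 0:00:04 bytes 0 Flow closed by inspection
"""


def parse_sfr_events(lines):
    """Return one dict per syslog line carrying a 434002/434003/434004 ID.

    Lines with other message IDs (e.g. 302013 build / 302014 teardown)
    are ignored; they describe the connection but not the sfr verdict.
    """
    events = []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue
        event = m.groupdict()
        event["reason"] = SFR_ACTION_IDS[event["id"]]
        events.append(event)
    return events


def drops_by_destination(events):
    """Count drop (434002) and terminate (434004) requests per dst ip/port.

    434003 (bypass) is excluded: it means the module stopped inspecting
    the flow, not that it asked the ASA to block it.
    """
    blocked = Counter()
    for e in events:
        if e["id"] in ("434002", "434004"):
            blocked[(e["dst_ip"], e["dst_port"])] += 1
    return blocked


def events_for_host(events, host_ip):
    """Filter sfr events where host_ip is the source, e.g. the OP's client."""
    return [e for e in events if e["src_ip"] == host_ip]


if __name__ == "__main__":
    evts = parse_sfr_events(SAMPLE_SYSLOG.splitlines())
    for e in events_for_host(evts, "10.1.1.25"):
        print(f"{e['id']} {e['proto']} {e['src_ip']}/{e['src_port']} -> "
              f"{e['dst_ip']}/{e['dst_port']}: {e['reason']}")
    for (ip, port), n in drops_by_destination(evts).items():
        print(f"blocked by sfr: {ip}/{port} x{n}")
```

Feed real output from `show logging` or your syslog collector into `parse_sfr_events`; if the three FQDNs' resolved addresses appear in `drops_by_destination`, the block is happening in the FirePOWER policy rather than the ASA ACL, which is exactly the distinction the answer asks you to confirm before touching the URL rule.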

2 Replies

Thank you!
