
ASA Firepower Sensor Deployment and Logging

QUARK TARO
Level 1

I am deploying an ASA5525-X with FirePOWER IPS using a FireSIGHT 750 appliance and I need some basic guidance.

I have defined an ACL on the firewall with logging enabled and am directing all accepted traffic to the IPS sensor.

Now, since the ACLs are enabled with logging on the ASA, I don't want to see the same logs on FireSIGHT; instead I need logs only for the matching IPS signatures. I have taken the following approach, please correct me if I am doing anything wrong:

Define the same ASA ACL in the FireSIGHT access control policy. Deselect logging under Rule -> Logging.

I believe the intrusion logs will still be generated based on the rules in the intrusion policy.

1 Reply

tarjoshi
Level 1

The sfr module on the ASA acts as an individual unit, and the logging and actions taken by it are completely separate.

The logging for the ACLs will show you information for the traffic matching that ACL; on the Sourcefire side you get details about the packets such as URLs, ports, categories and other details, depending on the type of rule configured and the logging options.

If you only want to see the logs for the IPS signatures, under Access Control create an "Allow" rule for the desired traffic and apply an intrusion policy to the rule with logging enabled. You do not need to create the ACLs on the Sourcefire side to get those details.
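For reference, here is the ASA-side half of the setup described in this thread: an interface ACL that logs its hits to a syslog server, and a global service policy that redirects the traffic the ASA permits to the FirePOWER (sfr) module. This is an added example, not configuration posted by either participant; the ACL name, class-map name, interface names and the 192.0.2.x addresses are placeholders. The FireSIGHT/FMC side (the "Allow" rule with an intrusion policy and rule logging turned off) is configured in the management console, not on the ASA, so it is not shown here.

```cisco
! Interface ACL on the ASA. The "log" keyword makes every hit produce an
! ASA syslog (message 106100), which is what the ACL logging in the
! thread refers to. Addresses and ACL name are placeholders.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443 log
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Send ASA syslog (including the ACL hits above) to a syslog collector.
! These messages never reach the FireSIGHT console; the sfr module has
! its own event logging, controlled by the access control policy there.
logging enable
logging trap informational
logging host inside 192.0.2.50
!
! Redirect all traffic the ASA permits to the sfr module for inspection.
! fail-open keeps traffic flowing if the module is down; use fail-close
! if inspection must not be bypassed.
class-map SFR_REDIRECT
 match any
policy-map global_policy
 class SFR_REDIRECT
  sfr fail-open
service-policy global_policy global
```

Only traffic the interface ACL permits is handed to the sfr module, so the module's intrusion events and the ASA's ACL syslog are two independent records of the same flow: the ACL entry in the ASA syslog, the signature hit in FireSIGHT. Turning off connection logging on the FireSIGHT access control rule, as the reply suggests, removes the duplicate connection records without affecting intrusion events from the attached intrusion policy.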
