Cisco ASA IPS Connection Events always shows reason column blank

Kirk (Level 1)

When I look at connection events the Reason field is always blank. Is there any way to correlate this with a line in the Access Control policy? If not, what is the field for and how may I use it?

 

Thanks,

Kirk 

Accepted Solution

Sorry - Denison hijacked your thread and asked about IME (IPS Manager Express). I didn't notice the changed username when I replied to his question.

 

Regarding events in FMC, you are correct about the column labeled "Reason". It is a bit misleading since it will only ever show "IP Block, IP Monitor, or User Bypass", i.e. the Security Intelligence reasons.

 

However when you are blocked (or allowed) the relevant Access Control Policy and Rule still shows up in the table view of connection events. It is in a column that is by default off to the right and you normally need to scroll horizontally to see it (awful user interface design I know).

 

You can customize the view or make a report to move those columns over. See the Table View section in my example report snippet below - I created a rule in my Lab ACP policy to block Facebook and then tried to access it and was duly blocked. The report shows which policy and rule I encountered.

 

[Image: FMC Connection report.PNG]

 

 

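The practical consequence of the accepted answer is that a blank Reason on a blocked connection does not mean "no rule": the Access Control Policy and Access Control Rule columns carry the verdict for ACP blocks, while Reason is only populated by Security Intelligence. The script below, added here as an example and not taken from the thread or from Cisco, triages a constructed connection-event export along those lines. The column names (First Packet, Action, Reason, Access Control Policy, Access Control Rule, Security Intelligence Category) are assumptions modelled on the FMC table view; check them against your own CSV export header before using it.

```python
"""Attribute blocked FMC connection events either to Security Intelligence
(Reason column) or to an Access Control rule (policy/rule columns).

Added example, not from the thread. Column names are assumptions modelled on
the FMC 6.2 table view; verify them against a real export."""
import csv
import io
from collections import Counter

# Constructed sample resembling an FMC connection-event CSV export.
# The first and fifth rows are ACP blocks: Reason is blank, the rule is not.
# The third and fourth rows are Security Intelligence blocks: Reason is set,
# the rule column is empty.
SAMPLE_CSV = """\
First Packet,Action,Reason,Initiator IP,Responder IP,Access Control Policy,Access Control Rule,Security Intelligence Category
2017-05-10 09:01:12,Block,,10.1.1.20,157.240.1.35,Lab ACP,Block Facebook,
2017-05-10 09:01:15,Allow,,10.1.1.21,93.184.216.34,Lab ACP,Allow Web,
2017-05-10 09:02:40,Block,IP Block,10.1.1.22,203.0.113.9,Lab ACP,,Malware
2017-05-10 09:03:05,Block,DNS Block,10.1.1.23,198.51.100.7,Lab ACP,,CnC
2017-05-10 09:04:30,Block,,10.1.1.24,157.240.1.35,Lab ACP,Block Facebook,
"""

# Reason values named in the thread as Security Intelligence reasons.
SI_REASONS = {"IP Block", "IP Monitor", "User Bypass", "DNS Block"}


def parse_events(text):
    """Parse a CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def attribute(event):
    """Return (source, detail) explaining what produced the verdict.

    Reason is populated only by Security Intelligence; for an ACP verdict it
    is blank and the rule must be read from the Access Control Rule column.
    """
    reason = event["Reason"].strip()
    if reason in SI_REASONS:
        category = event["Security Intelligence Category"].strip()
        return ("security-intelligence", f"{reason} ({category})")
    rule = event["Access Control Rule"].strip()
    if rule:
        policy = event["Access Control Policy"].strip()
        return ("access-control", f"{policy} / {rule}")
    return ("unknown", "")


def summarize(events, action="Block"):
    """Count events with the given Action by (source, detail)."""
    counts = Counter()
    for ev in events:
        if ev["Action"].strip() == action:
            counts[attribute(ev)] += 1
    return counts


def unattributed(events, action="Block"):
    """Events with the given Action that neither SI nor an ACP rule explains.

    Anything here needs a second look (e.g. a missing or renamed column)."""
    return [ev for ev in events
            if ev["Action"].strip() == action and attribute(ev)[0] == "unknown"]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    for (source, detail), n in sorted(summarize(evs).items()):
        print(f"{n:3d}  {source:22s} {detail}")
    print(f"unattributed blocks: {len(unattributed(evs))}")
```

Run against a real export, `unattributed` is the useful check: if it is non-empty, either the column names differ from the assumptions above or the block came from somewhere the export does not record, and scrolling to the policy and rule columns in the table view will not help.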

6 Replies

Marvin Rhoads (Hall of Fame)

Typically we only see a reason for a block. Allow events don't show one.

 

You can always use packet tracer (in 6.2+) to see exactly what ACP rule is hit.

Even blocks are showing as blank.

Hi kirk,

 

Can you please let me know where I can find the reason column for comparison purposes? I am using IME 7.2.7.

Sorry - I incorrectly assumed you were using the current product, not the old IPS. That one is almost end of life.

 

I don't recall off the top of my head how or if you can see block reason on that in near real time. I know it should be a reportable item.

I might be a little out of date but I'm using the FMC with 6.2.0.1 software version. So it should be fairly well supported for a long time.

 

I have just noticed that so far two Reasons have populated the Reason field in the last 48 hours: IP block and DNS block. Both are blocked by Security Intelligence Categories, not by Access Control Policies.

 

So I think my understanding of the reason column was flawed. It seems like it is only used when the reason for blocking is outside of the Access Control Policies.

 

Thoughts?  


 

 
