Configure Firesight Management Center to create workflow for single ACL rule hits

zobaarul
Level 1

Hi,

I have found the below article which describes how to create a workflow in FMC to display hit count for access rules.

https://www.cisco.com/c/en/us/support/docs/security/firepower-management-center/211515-Configure-Firesight-Management-Center-to.html

This works great. But we have several thousand rules under one access policy, and the workflow can retain hit count data for only about 10 minutes. As this workflow displays hit counts for all the access rules, is it possible to create a workflow in this manner for only one access rule under an access policy?

Any idea would be appreciated.


Thanks in advance,

Zobaarul


Marvin Rhoads
Hall of Fame

What is your use case for wanting this? Is it to store the data or present in a report or show on a dashboard or something else?

Hi,

Thanks for your feedback.

We have some access rules with larger blocks or the any keyword in the source, destination and port fields. We want to find out the specific IPs/ports in those any or larger blocks which are actually being used or getting any hits, then replace the larger blocks or any keywords with these specific IPs/ports.

Using the method mentioned in the link I shared in my post, we could see the hits, but only for a small amount of time, like the previous 5 to 10 minutes.

I think this workflow generates a report based on the connection event logs in the event viewer. So even if I could make such a workflow with only one access rule, it might not get me additional data. Increasing the event viewer retention capacity might provide me with more data.

If you have any idea about this and could share it here, it would be much appreciated.

I see. If your ACP rule logs connections it would be better to just do Analysis > Connections and filter on the interesting traffic. You could create a report from such a query and get information for as far back as your FMC has connection events.

Thanks for your suggestion. Filtering connection events by access rule name works better for me than the workflow.

If you are running version 6.4 or higher you could use the Analyze Hit Counts function located on the Access Control Policy page. It will show you the name of the rule, how many hits the rules have and the time of the last hit.

--
Please remember to select a correct answer and rate helpful posts

Thanks for the reply. We use that option. But only seeing the number of hits does not meet my requirement here. I need the source IP, destination IP and port for a particular hit.

Though the connection event retains this info for a short time, combining the search from connection events and Analyze Hit Counts somewhat served my purpose.
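The thread's goal is to learn which specific sources, destinations and ports actually hit a rule written with "any", using the connection events the FMC keeps. The script below is an added example, not code from any poster or from Cisco: it parses exported connection-event lines and aggregates the distinct src/dst/port tuples per access rule name. The sample lines are constructed, and the key/value layout and field names (SrcIP, DstIP, DstPort, Protocol, AccessControlRuleName) are modelled on FTD syslog connection events as an assumption; adjust the parser to whatever export format you actually use.

```python
import re
from collections import defaultdict

# Constructed sample events; field names and layout are assumptions
# modelled on FTD key/value connection-event syslog, not taken from the thread.
SAMPLE_EVENTS = """\
%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 192.0.2.10, SrcPort: 51234, DstPort: 443, Protocol: tcp, AccessControlRuleName: Allow-Any-Web
%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.1.5, DstIP: 192.0.2.10, SrcPort: 51240, DstPort: 443, Protocol: tcp, AccessControlRuleName: Allow-Any-Web
%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.2.7, DstIP: 192.0.2.11, SrcPort: 40001, DstPort: 8443, Protocol: tcp, AccessControlRuleName: Allow-Any-Web
%FTD-6-430003: AccessControlRuleAction: Allow, SrcIP: 10.1.3.9, DstIP: 198.51.100.4, SrcPort: 33000, DstPort: 22, Protocol: tcp, AccessControlRuleName: Mgmt-SSH
"""

# "Key: value" pairs separated by commas (IPv4 only; IPv6 values would need a different split).
FIELD_RE = re.compile(r"(\w+): ([^,]+)")

def parse_event(line):
    """Return the key/value fields of one event line, or None if it has none."""
    # Drop the "%FTD-6-430003:" message header so it is not read as a field.
    body = line.split(": ", 1)[1] if line.startswith("%") else line
    fields = dict(FIELD_RE.findall(body))
    return fields or None

def tuples_per_rule(text, rule=None):
    """Map rule name -> {(src, dst, proto, dport): hit count}.
    When `rule` is given, only events for that rule are collected."""
    out = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        ev = parse_event(line)
        if not ev or "AccessControlRuleName" not in ev:
            continue
        name = ev["AccessControlRuleName"].strip()
        if rule and name != rule:
            continue
        key = (ev.get("SrcIP"), ev.get("DstIP"), ev.get("Protocol"), ev.get("DstPort"))
        out[name][key] += 1
    return {r: dict(v) for r, v in out.items()}

def narrowed_fields(text, rule):
    """Distinct sources, destinations and proto/port values seen for one rule:
    the candidates for replacing 'any' in that rule's fields."""
    hits = tuples_per_rule(text, rule).get(rule, {})
    srcs = sorted({k[0] for k in hits})
    dsts = sorted({k[1] for k in hits})
    ports = sorted({f"{k[2]}/{k[3]}" for k in hits})
    return srcs, dsts, ports

if __name__ == "__main__":
    for rule_name, hits in tuples_per_rule(SAMPLE_EVENTS).items():
        print(rule_name, narrowed_fields(SAMPLE_EVENTS, rule_name), sum(hits.values()))
```

Run it against a longer export (Analysis > Connections, exported to CSV or syslog) and the per-rule sets give you the objects to swap in for "any"; the counts show which tuples are rare enough to be worth a second look before you tighten the rule.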
