
Determining what transactions a policy blocked ...

Pat Fahey
Level 1

Running an ASA5506 with FirePOWER 6.2. All is working well (within limits).

The question now is:  I see transactions being blocked on the Home->ASA FirePOWER Reporting->Policies screen, but what transactions were blocked by that Policy (rule)?

A couple of the policies show blocked connections. I would like to know more information about what was blocked, and specifically why it was blocked. That would allow better tuning of the rules and allow better blacklisting (no sense wasting cycles analyzing flows that should be blacklisted).

Problem is:  When I click on the policy name (expecting to see the blocked transactions) on the Home->ASA FirePOWER Reporting->Policies screen, all I see are statistics that really provide no value for the analysis of the block(s).

Has anyone run into this problem, and found a solution?

I guess I could run a search on the syslog server to find the information, but it seems like something we should be able to get right from FirePOWER.

Thanks in advance for your help.

2 Replies

Marvin Rhoads
Hall of Fame

Since you're using ASDM your analytical tools are limited. If you can manage to catch a connection in real time you can see the blocked connection under the Monitoring section.

If you were using FirePOWER Management Center, you could query the database and pull up the historical data for analysis of blocked connections.

Thanks, Marvin.

I am (slowly) working my way through setting up a virtual FMC.
