Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3475
Views
1
Helpful
5
Replies

DNS Host resolution on FMC Firepower reports

Go to solution
barkerr01
Level 1
Level 1

‎02-01-2022 01:59 AM

When we had the old Firepower console for ASA module, the reporting would show DNS host resolution for internal and external hosts. This was useful to see at a glance what hosts were being shown in the reports without having to cross reference internal IP addresses or perform Whois lookups on external addresses. On the new FMC reports, we only see the IP address. I can't remember where the option was to turn the DNS resolution on for reporting on the old system (I seem to recall it was pretty well hidden) and I can't find it anywhere obvious on the FMC. Does anyone know where this can be turned on?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to barkerr01

‎02-01-2022 09:00 AM - edited ‎02-01-2022 09:19 AM

@barkerr01 a couple of places need to be set.

1. DNS for the FMC itself. Set it under System > Configuration > Management Interfaces > Shared Settings

2. DNS cache (see below) "You can configure the system to resolve IP addresses automatically on the event view pages. You can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled."

3. Event preferences (see below) "The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views." The Event View settings page is found under your User Preferences settings.

 

Configuring DNS Cache Properties

DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.

Procedure

Step 1

Choose System > Configuration.
Step 2

Choose DNS Cache.
Step 3

From the DNS Resolution Caching drop-down list, choose one of the following:

  • Enabled—Enable caching.
  • Disabled—Disable caching.
Step 4

In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached

in memory before it is removed for inactivity.

The default setting is 300 minutes (five hours).
Step 5

Click Save.

Event View Preferences

Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views in the Firepower System. This section is available for all user roles, although it has little to no significance for users who cannot view events.

The following fields appear in the Event Preferences section:

  • The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect all events in an event view.

    For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.

  • The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views.

    Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must use management interfaces configuration to establish a DNS server in the system settings.

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎02-01-2022 06:48 AM

is the FMC configured DNS, is the DNS local able to resolve the resolution ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
barkerr01
Level 1
Level 1
In response to balaji.bandi

‎02-01-2022 07:00 AM

Hi there. As far as I can tell, DNS is configured for the cluster - in Object Management, DNS Server Group, we have our internal DNS servers. We are also using internal hostnames for our SMTP and Remote Storage so that part must be working. It seems to be the reverse lookup on the reporting that is missing. I am sure it was in a strange place on the old Firepower console but I cannot remember where I found the setting to enable it.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to barkerr01

‎02-01-2022 09:00 AM - edited ‎02-01-2022 09:19 AM

@barkerr01 a couple of places need to be set.

1. DNS for the FMC itself. Set it under System > Configuration > Management Interfaces > Shared Settings

2. DNS cache (see below) "You can configure the system to resolve IP addresses automatically on the event view pages. You can also configure basic properties for DNS caching performed by the appliance. Configuring DNS caching allows you to identify IP addresses you previously resolved without performing additional lookups. This can reduce the amount of traffic on your network and speed the display of event pages when IP address resolution is enabled."

3. Event preferences (see below) "The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views." The Event View settings page is found under your User Preferences settings.

 

Configuring DNS Cache Properties

DNS resolution caching is a system-wide setting that allows the caching of previously resolved DNS lookups.

Procedure

Step 1

Choose System > Configuration.
Step 2

Choose DNS Cache.
Step 3

From the DNS Resolution Caching drop-down list, choose one of the following:

  • Enabled—Enable caching.
  • Disabled—Disable caching.
Step 4

In the DNS Cache Timeout (in minutes) field, enter the number of minutes a DNS entry remains cached

in memory before it is removed for inactivity.

The default setting is 300 minutes (five hours).
Step 5

Click Save.

Event View Preferences

Use the Event Preferences section of the Event View Settings page to configure basic characteristics of event views in the Firepower System. This section is available for all user roles, although it has little to no significance for users who cannot view events.

The following fields appear in the Event Preferences section:

  • The Confirm “All” Actions field controls whether the appliance forces you to confirm actions that affect all events in an event view.

    For example, if this setting is enabled and you click Delete All on an event view, you must confirm that you want to delete all the events that meet the current constraints (including events not displayed on the current page) before the appliance will delete them from the database.

  • The Resolve IP Addresses field allows the appliance, whenever possible, to display host names instead of IP addresses in event views.

    Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled this option. Note also that for this setting to take effect, you must use management interfaces configuration to establish a DNS server in the system settings.

Go to solution
barkerr01
Level 1
Level 1
In response to Marvin Rhoads

‎02-01-2022 09:08 AM

That's it! I would never have looked there in a millions years, thank you very much Marvin, much appreciated. I've enabled the Resolve IP Addresses (where possible) and now I see the host names in Event view, which I assume will also show in the scheduled reports I run. Amazing, thanks again!

0 Helpful

Go to solution
Net-Runner
Level 1
Level 1
In response to Marvin Rhoads

‎09-18-2023 03:43 PM

Marvin,

Thank you for the awesome KB article. It was accurate, concise and easy to follow. 10 out of 10!

 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card