DNS Security Intelligence not ok on FTD 6.2.3 sensor

Joeri4242
Level 1

Hi all,
We currently have no firewalls (yet) between workstations and internal DNS servers, and we sometimes see some sinkholed traffic hitting our Internet firewall (ASA + Firepower 6.2.3).

To avoid having to search through the DNS logs each time, I decided to use a spare ASA 5516 as a sensor (FTD 6.2.3). I created a passive interface, and on the switch I span all traffic of the DNS servers to it.

In the FMC connection events I can see the DNS traffic picked up by this sensor; however, it doesn't seem to be looking inside the DNS requests. When I try to resolve a malware domain, our Firepower Internet firewall is correctly sinkholing the DNS request. The FTD sensor, however, doesn't generate any security intelligence events, even though it sees the same traffic (I can find the traffic in the FTD connection events).

I copied the DNS policy for the FTD sensor from our Internet Firepower FW (just changed sinkhole to monitor).

I've attached some policy screenshots below.

Does anybody have an idea why my FTD sensor isn't generating DNS security intelligence events?

Best regards,

Joeri

SENSOR01.jpg, SENSOR02.jpg, SENSOR03.jpg, SENSOR04.jpg