07-24-2020 12:59 AM - edited 07-24-2020 07:26 AM
Hi all,
I want to test whether my IPS Appliance Firepower 7120 can reach my Syslog server in a different subnet by using Ping.
So, I ssh into the Appliance but I cannot find a way to execute the Ping command.
Below is the information on the Appliance:
Cisco Fire Linux OS v6.4.0 (build 2)
Cisco FirePOWER 7120 v6.4.0.9 (build 62)
Can anybody help?
Thanks and regards,
tangsuan
07-24-2020 11:26 PM
You need to switch to expert mode and then sudo to be root user.
    Cisco Fire Linux OS v6.4.0 (build 2)
    Cisco FirePOWER 7125 v6.4.0.9 (build 62)
    > expert
    admin@Sourcefire3D:~$ ping 8.8.8.8
    ping: icmp open socket: Operation not permitted
    admin@Sourcefire3D:~$ sudo su -
    Password:
    Last login: Sat Jul 25 06:23:25 UTC 2020 on ttyp0
    root@Sourcefire3D:~# ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_req=1 ttl=116 time=8.24 ms
    64 bytes from 8.8.8.8: icmp_req=2 ttl=116 time=8.36 ms
    64 bytes from 8.8.8.8: icmp_req=3 ttl=116 time=8.33 ms
    64 bytes from 8.8.8.8: icmp_req=4 ttl=116 time=8.36 ms
    64 bytes from 8.8.8.8: icmp_req=5 ttl=116 time=8.31 ms
    64 bytes from 8.8.8.8: icmp_req=6 ttl=116 time=8.34 ms
    64 bytes from 8.8.8.8: icmp_req=7 ttl=116 time=8.30 ms
    64 bytes from 8.8.8.8: icmp_req=8 ttl=116 time=8.36 ms
    64 bytes from 8.8.8.8: icmp_req=9 ttl=116 time=8.34 ms
    64 bytes from 8.8.8.8: icmp_req=10 ttl=116 time=8.30 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    10 packets transmitted, 10 received, 0% packet loss, time 9007ms
    rtt min/avg/max/mdev = 8.248/8.327/8.369/0.127 ms
    root@Sourcefire3D:~#
07-25-2020 02:31 AM
Hi Marvin,
Thanks for your suggestion, it works.
I can ping our Syslog server and it shows that the route to the Syslog server is OK.
I have a follow-up question, if you can help, as below:
On the Appliance itself, is there any way, without the FMC, that I can set the Syslog server either by SSH or GUI (https login)?
thanks and regards,
Tangsuan Tan
07-25-2020 04:44 AM
No. The 3-series appliances are designed to work with a managing Firepower Management Center (FMC).
FMC is where you set the syslog server, create rules, manage the system etc.
07-26-2020 06:38 PM
Hi Marvin,
Thanks for your reply on the Appliance Syslog setup.
You mentioned 3-series Appliances are designed to work with a managing Firepower Management Center (FMC).
However, my Appliance is FirePOWER "7120", isn't it a "7" series that can do the Syslog setup on the Appliance itself? Please clarify. Thanks!
regards,
tangsuan
07-26-2020 07:19 PM
Series 3 (or "3 series") is the third series of Sourcefire physical appliances (rebranded as Cisco following the 2013 acquisition). All 7000 Series and 8000 Series devices are Series 3 appliances.
Reference table 3 here:
07-31-2020 01:28 AM
Hi Marvin,
Many thanks for all your help.
Now I have one more question: if I SSH to the FMC, how can I check that the Syslog configuration is already configured, and how can I know the status of whether it is sending the log to the Syslog server?
This is because I have successfully set the Syslog and it is 'In Used', but when we check the traffic through the firewall, there is no traffic from this FMC to the Syslog server. That's why I want to ensure the configuration is there and the status of sending log is working.
Appreciate your reply and hope to hear from you soon.
Many thanks!
regards,
tangsuan
07-31-2020 10:33 AM - edited 05-17-2022 06:11 AM
From a cli session you could switch user to root (sudo su -) and run tcpdump filtering on udp/514 (syslog) packets.
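An added example, not part of the original reply, of the udp/514 capture suggested above and one way to read its result. The interface name, the addresses and the helper function names are assumptions, and the capture lines are constructed sample data.

```shell
#!/bin/sh
# Added example. IFACE and SYSLOG_SERVER are placeholders, not values from the thread.
#
# Live capture from a root shell, stopping after 20 matching packets:
#   tcpdump -nn -i "$IFACE" -c 20 udp port 514 and host "$SYSLOG_SERVER"

# count_syslog_to SERVER_IP
# Reads `tcpdump -nn` text output on stdin and prints how many IPv4 packets
# are addressed to SERVER_IP on port 514. The destination must match exactly,
# so 192.0.2.5 does not match 192.0.2.50.
count_syslog_to() {
    awk -v dst="$1.514:" \
        '$2 == "IP" && $4 == ">" && $5 == dst { n++ } END { print n + 0 }'
}

# check_syslog_egress SERVER_IP
# Returns 0 when the capture shows syslog leaving this host for SERVER_IP,
# 1 when it shows none.
check_syslog_egress() {
    n=$(count_syslog_to "$1")
    if [ "$n" -gt 0 ]; then
        echo "$n packet(s) sent to $1:514: sender works, check the route and firewall path"
        return 0
    fi
    echo "no packets to $1:514: sender is not emitting, recheck the syslog configuration"
    return 1
}

# Constructed sample of `tcpdump -nn` output (documentation address ranges).
sample_capture() {
    cat <<'EOF'
10:15:01.000101 IP 198.51.100.10.41514 > 192.0.2.50.514: SYSLOG local0.info, length: 118
10:15:01.200412 IP 198.51.100.10.41514 > 192.0.2.50.514: SYSLOG local0.alert, length: 231
10:15:02.003310 IP 198.51.100.10.38022 > 192.0.2.99.514: SYSLOG local0.info, length: 97
10:15:02.500000 IP 192.0.2.50.514 > 198.51.100.10.41514: UDP, length 12
EOF
}

sample_capture | check_syslog_egress 192.0.2.50
```

If the capture on the sending host shows packets but the firewall logs none, the loss is between the two; if the capture is empty, the sender itself is not generating syslog.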
07-31-2020 06:25 PM
Hi Marvin,
Thanks for your reply.
I tried to SSH to the FMC using the username and password used for HTTPS access, but it was not successful. May I know how to reset the SSH access to the FMC, or create a new account for SSH after HTTPS access?
thanks and regards,
tangsuan
07-31-2020 09:04 PM
The GUI user account and cli user account are separate objects even if they have the same username (e.g., "admin").
If you lose the admin cli credential then you need to use the password recovery method described here:
08-01-2020 01:25 AM
Hi Marvin,
Thanks a lot for all your replies.
Appreciate your help.
regards,
tangsuan
05-17-2022 02:32 AM
05-17-2022 06:16 AM
@marat.ishmakov your screenshots show successful pings from the GUI and cli. Where exactly are you asking about being unable to ping from?
05-17-2022 07:03 AM
There's no successful ping from the GUI, there is ????? instead of !!!!!. And from User Exec mode, the same picture. Only from expert mode are pings successful.
05-17-2022 07:41 AM
When you run ping from the GUI, it is pinging using the data interface indicated as the best interface per the device routing table. Same thing if you just type "ping <address>" from the cli shell or clish (which I believe you are referring to as user exec mode).
You can "ping system <address>" from clish to get results similar to what you get in expert mode. Expert mode is the Linux operating system on which FTD is running and it uses the management interface and routing as was set up when you bootstrapped the device (or later modified it with "configure network ...").