I recommend you open a TAC case.

It is most likely some aspect of your Access Control Policy that is blocking traffic - a default action is often the cuase for such behavior.

Thanks for your kind support.

Regards:

Qamar

Hi Marvin,

I web traffic analysis topology is given below:

Firewall            <->       Web gateway(WCCP)   <->       FTD (inline Transparent mode)              <->                   Core Switch      <->      users

FMC and FTD virtualized.

Boss above is the topology of inline transparent mode deployment. Last night activity i just deployed the FTD virtual in between the web gateway and core switch. It worked fine and blocking and analysis works at all night but today morning at peak time when user connected to their network. After 3 hours the browsing is chocked. then i took back it to their production network.your suggestions required. Is their any limitations about the events connections with licenses or then above scenario any other possible troubleshooting required?

Kindly suggest please.

Hello Marvin,

Greetings!

Need your support. I have a firepower 4120 security appliance and now i tried to configure it and register it with the FMC. Can i operates FTD 4120 appliance in inline transparent mode. if yes! then what are the configuration i choose for the inline transparent mode in Firepower chassis management and which interfaces are used for web traffic and which are used for the emails traffic and how to configure the interfaces for inline transparent mode.

Dear below are the some points thats i configured in 4120:

• I switched on the appliance and set the managemnet ip address through console cable.
• Second in GUI opens the Firepower Chassis Manager, Checked their compatibility version with the FX-OS and FTD. and then go to interfaces and configure the interfaces of the network module -1 of the 4120 appliance. 1 interface for management and others are used for the Data.
• Third assign the data interfaces to the logical device. Go to logical devices and assign the data interfaces to the device.
• Now move FTD to FMC.

Is these above steps are correct for the configuration of inline transparent mode. I defined the interfaces settings on ROUTE to TRANSPARENT mode. Furthermore i will mapping all the data interfaces in FMC after the registration of the Device.

The attached document shows the configuration steps. Note on the step-7 inline transparent mode configuration needed?

The dropdown box for "Firewall Mode" should ahve the option of setting the mode to "Transparent".

Hello Marvin,

Thanks for your reply..

All defined configrations are correct one?

Is it compulsory  to define one management interface in network module one for the inline transparent mode.?

I just little elaborate my question, I am asking about the interfaces of the Firepower Chassis Manager interfaces tab in network module 1. we need to defined one management port in it?

Yes - since you have an FTD logical device it requires a dedicated management port assigned exclusively to it. If it were an ASA logical device, that would be optional.

The FTD management port is in addition to the built-in chassis management interface.

So in total:

a. One built-in chassis management port (MGMT on the GUI). Used only for FirePOWER Chassis management (GUI or cli).

b. One assigned logical device management port (from a network module). Used primarily for communication (device registration, policy deployment and events) between FTD and FMC. Generally a 1 Gbps SFP is plenty for this - no need to use a 10 Gbps SFP+ unless you have lots of spare 10 Gbps ports downstream  and some inexpensive twinax cables.

c. Two (or more) assigned data ports (e.g. inside and outside, also from a network module or modules). Your inspected traffic flows via these ports.

Note that if there are only two data ports, they should definitely be the same speed. Your screen shot shows one at 1 Gbps and the other at 10 Gbps.

Hi Marvin,

Yes- You are right about the data port speed. Kindly correct me, if i am wrong i some steps.

Out of the Box security appliance 4120 appliance has 3 SFP and appliance have one network module-1. I am little confused where i used these three SFP's as deployment scenario i just need 3 pairs of data ports and my deployment mode is INLINE Transparent mode. 1 pair of data ports used for the WEB traffic analysis and the other two pairs used for the Email traffic analysis.

Let me give you the summary of my deployment for better understanding of me.

1. Appliance 4120 with FX-OS version 2.0(1.35)

2. FTD installed in it version 6.0.1.1213

3. FMC virtual version  6.1

1)- I installed the FTD logical device in FCM and configure 1 management port from the Network module-1. the other 7 ports i used for data and their speed is 10 Gbps. While configuration of the FTD, I used FW mode TRANSPARENT and on the second last point where they asked me about the fully qualified host name, It must be enter in the DNS to resolve the host name from ip address? If i doesn't enter in DNS and i entered in <hostname.domain> is it working or not?

2)- I Register the FTD in FMC and then further configuration done. In the FMC Device management tab under interfaces, I separated the interfaces for web and email traffic. 

Example: Below are the configuration that i done separately for each pair of data ports:

Is my configuration are correct for the Inline-Transparent mode?

Below is the topology for traffic coming in and out. for WEB traffic

Firewall            <->       Web gateway(WCCP)   <->       FTD (inline Transparent mode)              <->                   Core Switch      <->      users

For an Email Flows:

Email flow

Firewall            ->         Secure Email Gateway              ->         FTD (inline Transparent mode)               ->                     Core Switch      ->         MS Exchange

As this is very critical project for me. Your kind suggestions needed.

Thanks

The setup you have described looks correct.

Since you have emphasized its criticiality, I would recommend you contact your reseller SE to engage professional services or open a TAC case to vaildate any concerns about its proper operation.

Connection events file attached

For service-impacting production issues you should be opening a TAC case via phone and identifying it as P2 severity. 

It appears you exhausted some limit of the FTD device.

Do you have a network discovery policy setup and have you defined $HOME_NET and $EXTERNAL_NET variables defined? Doing so will make sure you aren't trying to discover the entire Internet and thus exhausting the FirePOWER host license limit.