Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1734
Views
5
Helpful
6
Replies
Highlighted
p.juarezponte
Beginner
Beginner
‎10-03-2018 03:03 AM
‎10-03-2018 03:03 AM

Firepower is not dropping packets. How to enable rules to generate events

Hello community

I am trying to generate some events in order to monitor my environment, but I am facing some issues.

I want to drop connections which use "public" or "private" community on snmp gets, but I am being not successfull.

I would appreciate some help.

I am trying to establish a connection to a switch/router using "public" community. I get no answer because that community is not configured, but I'd like to drop that try using firepower resources.

 

I attach my config.

It seems that the connection crosses the FW:

Oct 03 2018 08:53:07: %ASA-6-302015: Built inbound UDP connection 181208 for OUTSIDE:10.3.51.97/54829 (10.3.51.97/54829) to INSIDE:10.1.51.1/161 (10.1.51.1/161)

 

And is being inspected:

ASA-CDS-1# sho conn | in 10.1.51.1
UDP OUTSIDE 10.3.51.97:54829 INSIDE 10.1.51.1:161, idle 0:01:19, bytes 44, flags X
UDP OUTSIDE 10.3.51.97:54828 INSIDE 10.1.51.1:161, idle 0:01:37, bytes 44, flags X

 

I am using community "public" to make the request:

snmp flow.JPG

 

I enabled the rule to generate the event:

Firepower snmp rules.JPG

 

 

I commited the config and deployed to the devices.

My problem is that it seems that this is not generating intrussion events.

Enabling another rules (icmp echo reply) I can see those events.

 

Should I apply anything else?

Is this rule made for this goal?

Labels:
Everyone's tags (4)
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
p.juarezponte
Beginner
Beginner
‎10-11-2018 08:26 AM
‎10-11-2018 08:26 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Hello

I could fix this, I will share my config in order to help someone.

It's important to apply the Intrusion Policy on the access rule, because if traffic matches, it does not apply the default IPS policy.

Oh, and I had to reload the device too!!!!

 

snmp ACL inspection.JPG

snmp ACL logging.JPG

And rememember to enable the rule, (maybe) it is not enabled by default.

Firepower snmp ips rules.JPG

 

Here they are:

Firepower intrusion events received.JPG

View solution in original post

Reply
6 REPLIES 6
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎10-03-2018 04:25 AM
‎10-03-2018 04:25 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Is that IPS rule in your deployed Intrusion policy?

 

If so, does the policy (or rule with that policy associated that's otherwise allowing the traffic) have "log at beginning of connection" selected?

0 Helpful
Reply
Highlighted
p.juarezponte
Beginner
Beginner
‎10-03-2018 08:17 AM
‎10-03-2018 08:17 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Hello Marvin

Thank you for your help.

 

I have applied as "default Action" and inside access rule too.
Firepower rules general.JPG

 

 

This is the config:

Firepower rule snmp inspection.JPG

Firepower rule snmp logging.JPG

 

I enabled snmp traps too, and I can see those events.

Firepower intrusion events.JPG

0 Helpful
Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎10-03-2018 08:26 AM
‎10-03-2018 08:26 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Try "Log at Beginning of Connection".

 

A udp flow will never have a FIN packet and thus won't signal the connection is ended.

 

Also, when you change the rule to block you must log at beginning to generate events since there won't be a FIN no matter what protocol is being used.

0 Helpful
Reply
Highlighted
p.juarezponte
Beginner
Beginner
‎10-04-2018 08:39 AM
‎10-04-2018 08:39 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Hello

I tried to detect those events enabling "Log at beggining..." but it does not detect them.

 

Firepower intrusion events snmp.JPG

 

It shows snmp request or traps, but I am not able to drop a request which uses community "public".

0 Helpful
Reply
Highlighted
p.juarezponte
Beginner
Beginner
‎10-11-2018 08:26 AM
‎10-11-2018 08:26 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Hello

I could fix this, I will share my config in order to help someone.

It's important to apply the Intrusion Policy on the access rule, because if traffic matches, it does not apply the default IPS policy.

Oh, and I had to reload the device too!!!!

 

snmp ACL inspection.JPG

snmp ACL logging.JPG

And rememember to enable the rule, (maybe) it is not enabled by default.

Firepower snmp ips rules.JPG

 

Here they are:

Firepower intrusion events received.JPG

View solution in original post

Reply
Highlighted
Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎10-11-2018 09:46 AM
‎10-11-2018 09:46 AM

Re: Firepower is not dropping packets. How to enable rules to generate events

Thanks for sharing your solution! It helps the community as a whole.

0 Helpful
Reply
Latest Contents
#CiscoChat Live: Talos Live Threat Brief - Pandemic-related ...
Created by Kelli Glass on 07-10-2020 04:50 PM
0
0
0
0
Join us live on Tuesday, July 14 (and on demand after) to learn what impacts COVID-19 has had on the information security landscape from one of the people living that fight.
#CiscoChat Live: Talos Live Threat Brief - Pandemic-related ...
Created by Kelli Glass on 07-10-2020 04:46 PM
0
0
0
0
Join us live on Tuesday, July 14 (and on demand after) to learn what impacts COVID-19 has had on the information security landscape from one of the people living that fight. We'll take your questions live during the show and after, so post them belo... view more
TETRA Error Codes - Windows
Created by dkrull on 07-10-2020 07:10 AM
0
0
0
0
TETRA Error Codes - Windows Here are some common TETRA Error codes that you may find displayed in the dashboard as well as within the C:\Program Files\Cisco\AMP\<your_version>\sfc.exe.log or corresponding sfc.exe_<date>_<time>.logs. The... view more
AnyConnect 4.9 requires more stringent cryptography settings...
Created by Peter Davis on 07-08-2020 12:18 PM
0
15
0
15
Please note that the minimum cryptography settings in AnyConnect 4.9 have been increased. Please ensure that your head-end is properly configured for the more stringent cryptography settings (if applicable) or users will be unable to connect after updatin... view more
Companion Guide for TETRA Update Server Deployment
Created by dkrull on 07-08-2020 07:25 AM
0
0
0
0
  Overview In this guide will we be taking a look at how to configure the web.config file using the URL Rewrite tool when deploying the TETRA update server. This guide is meant as a companion to the existing guides and to help fill in some in... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad