cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3483
Views
0
Helpful
12
Replies

FirePOWER Reporting - Shows No Data

Fantas
Level 1
Level 1

Hi,

 

I am creating reports on FMC but cant see any data showing when reports generated.

 

Am I missing anything, All the access rules have logging enabled.

12 Replies 12

Francesco Molino
VIP Alumni
VIP Alumni
Hi

Can you give us more details on which report are you trying to generate?
Are you sure to see these datas on your FMC across the different event logs?
Which version of FMC are you running?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks,

 

I have 6.4.7 version on FMC.

 

I tried to accessed bbc.com but when generate report I cant see any Data in report. I want below to be added in my report.

 

1 - Intrusion Events

2 - Malware Events

3 - Users accessing Internet ( user names and URL details accessed by users)

etc

If you go to analysis, connections event, do you see the log?
You won't see it in malware or threat if nothing bad happened.
By going into connection events, and drill down from there on the specific log, we will see if you have the user name information.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi,

 

Yes I can see many users activity under Connection events, I also can see unknown user but dont know why.

 

But when I generate Report , I cant see users data reflected in report like what applications or URLs accessed by those users.

What is your identity source?

If it is only passive identity and not integrated with ISE or User Agent then Firepower will have very limited insight into User-IP address mapping.

Hi,

 

we have ISE PIC in the middle for IP to User mapping.

 

Plus I see lot of unknown users in connections table.

 

I can see everything in report but No information of users accessing external public URLs like bbc.com, facebook.com etc

 

Have you setup a network discovery policy? Defined your $HOME_NET and $EXTERNAL_NET variables?

To see URL destinations in the events you should have at least one ACP to monitor URLs.

Thanks Marvin,

 

Yes I have URL filtering policies on FMC with block and deny actions. Block is for dodgy sites like gambling etc and allow is for company URL and Plus social media access to linkedin etc.

 

I can access all of these sites and can see in event connections but Its not reflecting in reports,

Reports just shows no data for URL category

Have you raised a TAC case? Unfortunately, i don't have a 6.4 version to test.
Was it working before or is it the first time you're trying?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks ,

 

Actually I can see all other data except users visiting URLs.

 

We wana see users access what external sites , for example If I access linkedin.com , this should be reflected in Report.

 

Plus Intrusion events in report

FMC reporting is not as granular as some other products (e.g. WSA or Umbrella) for reporting user activity. You can get some data however by customizing a report as described here:

https://community.cisco.com/t5/network-security/firepower-top-visited-website-report/m-p/3308446#M338

Thanks Marvin,

 

This link was helpful to get some data.

But still it doesnt shows client user or ip address accessing URLs.

 

As you mentioned that Its not possible to get client username or IP address accessing specific URLs.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: