I have FMC (Currently running software version: 18.104.22.168) with two firewalls added on it.
I have deployed policy on each device (also running v6.2.3) and I opted out for Balanced Connectivity and Security which results in:
This policy has 9463 enabled rules Manage Rules
97 rules generate events View
9366 rules drop and generate events
ASA wise I just attached the config.
Now I have installed a VM running Kali Linux (10.26.10.144) solution then ran some "attacks".
My issue is that no event was recorded and I received no email alert. Also the syslog server had received no related events/notifications.
Can someone help me tshoot this please?
How is your Access Control policy configured on the Firepower itself? Does this traffic hit a rule that has the intrusion Policy enabled? Post a screenshot of your policy if you can.
Thanks for the reply. I have attached couple config screenshots.
If possible I have couple questions:
- what the use of Mandatory vs Default Policies in screenshot no2.
- also on the last screenshot it says that alert is being used by 10 policies. How can I find out where those policies are configured to use it? (this is a scenario I inherited so I am trying to catch up)
Back to the threads original issue: I had accidentally stepped over Network Discovery. By default I had selected only applications and no alarm was triggered. After I clicked on host and I have added the /24 that Kali server was part of only then alerts started to pour in.
Is it mandatory network discovery is configured prior to enabling Acces Control policies?
I only see screenshot#5 attached.
To answer your questions:
1) Mostly relevant when you have parent and Child policies. Mandatory rules are looked through first, then any child policies, and finally default policies. I think of Mandatory rules as something all traffic has to check first before child polices, while default are generic policies you want to apply for any traffic that does not match Mandatory or Child Policies.
2) I don't know of any easy way to do this other than looking through the policy section and checking under the "Logging" tab.
Ideally, the Network Discovery rule includes host discovery for all the LAN segments on your network. There may be cases where you can exclude load-balancer's and other high volume devices from this.
According to the Firepower guide, one of the reasons for having Host discovery is:
Alerting you by email, SNMP trap, or syslog when the system generates either an intrusion event with a specific impact flag, or a specific type of discovery event
To answer the initial question of why intrusion policy is not generating any alerts, the easy test/verification is as below:
++ Edit the intrusion policy that is associated with the access control rule.
++ Select the DNS blacklist signature from intrusion policy and set the action to "drop and generate events".
++ Perform the policy deploy and initiate a DNS request for the domain listed in blacklisted signature.
This should generate an event under Intrusion events.
DNS blacklist worked fine. Here some details of how to do it:
Go to the IPS profile and search for signature ID 28039 ; select it and the pick Drop and Generate Events.
Make sure the ACL on the ASDM matches source your test machine, destination 22.214.171.124
Lastly perform a DNS query to 126.96.36.199 for this know “bad entry”: jamloop.zrbcn.pw
Now I have another query Google Search doensn't help due to the fact Firepower has its own NMAP.
Security asked me why NMAP scans to our networks DOES NOT TRIGGER any IPS Events.