Apologies if I placed this in the wrong forum - this is more of a FirePOWER general inquiry. I have implemented TAMC on an ASA 5506 and I'm managing FirePOWER services on the ASA itself via ASDM. I have the balanced IPS policy in place, as well as a couple of manual URL filtering rules and AMP running. While I can see that the system is doing its job for the most part, I find the reporting to be woefully inadequate. A couple of examples:
If I look at the Reporting dashboard - Network Overview, under applications I see the protocols using the most bandwidth. For instance, I see BitTorrent listed and I want more info, so I click on that link and am taken to those details where I can see the list of users and their transaction and data usage (I do have LDAP AD integration and the agent installed on a machine on my network). But the vast majority of transactions fall under the user NotAvailable(0). Some of this I understand, as not everyone on my LAN is a domain member and thus not authenticating with AD credentials. Where I have a problem is that I can't see even rudimentary information concerning this traffic - such as the IP address of the offending hosts. Even when I do see a user associated with certain interesting traffic, I cannot identify the machine on the network that the user might be operating from. This leads me to the next example:
Apparently AMP is blocking some malicious traffic from a PC on my network, as it has identified a threat and states that it is outbound traffic ("MALWARE-CNC Win.Trojan.Gh0stRAT variant outbound connection"), but that seems to be as far as the reporting goes. I cannot determine, for instance, the source or destination hostname or IP address. This is obviously not very helpful information. I can see that there are threats on or to my network, but I'm flying blind when it comes to mitigating them.
So this brings me to my questions. What am I missing? I realize that the logging necessary and thus the memory required to store detailed reports is asking a lot from a 5506, and I assume that is the problem, but what are my options? I am aware of the separate VM-based Defense Center and/or FireSIGHT box and/or FirePOWER Management Center, but I must say the subject is incredibly murky. Even Cisco TAC seems confused with all the different terms, products, and options. I assume I would need to buy a license for it, which is no problem, but my Cisco partner/reseller tells me that Cisco is actually going to in-box management even on the larger ASAs (I asked about the 5515/5516 specifically).
Will DC/FireSIGHT give me the intelligence/visibility I'm seeking, assuming it will not be discontinued shortly? Or is there an in-box tool that I have overlooked?
I really love the concept of FirePOWER on an ASA, and, coupled with AMP for Endpoints, which I'm trying to learn more about, it seems to make for a very powerful solution. However, so far the reporting has been so lacking that I don't know if I should continue investing resources and time in the product.
Thanks for your time and any insight you may be able to provide.
Hello all, I have two VM Firepower appliances in HA and they are working fine as HA; the traffic is going through fine, but there is a red mark shown on the HA. Can someone tell me what that means, please? This only appears on the HA, not on the individual devices...
I have 2 Firepower modules (ASA 5525) with Malware and IPS licences. Recently I changed the Malware policy action to "Block Malware" and "Reset Connection". How do I log the event if my policy blocked any files? Please find the attached screen shot f...
Hi, we have had ISE v2.4 installed in production for only 2 months now. We are integrating AnyConnect for posturing on all end-user machines. I want to get a report or statistics of all the machines on which the AnyConnect client is installed.