05-06-2015 04:34 AM - edited 03-12-2019 05:40 AM
Dear ASA 5525-x geeks out there,
I have a very simple setup for my ASA5525-X, where the ASA5525-X sits between my laptop and the internet to test out some features, and one additional laptop running FireSight management is connected to the Management port.
I've configured everything as per the documentation and I can see that my SFR module has been added to my FireSight Management Center successfully (with an NTP error which can be ignored for now).
I can also see that when I create an access rule in my FireSight management, it has an effect on my ASA, which means that the firewall and ASA have connectivity by some means (so it's working :) ).
However, I am not able to see any information on the dashboard. It simply says NO DATA everywhere (even the connection summary (basic dashboard) is saying no data).
Additional information: when I created a rule, I enabled logging and sending data to the FireSight management center, but still no luck :(
Any idea where to start my troubleshooting?
07-13-2015 06:33 PM
Hi Radhakrishnan,
Have you managed to find a fix for the issue? Could you kindly share?
I am having the same problem and I am not sure where to start looking.
Kanes.R
07-16-2015 02:58 AM
We have the same issue with 2 completely different installations. We managed to pinpoint the issue to the security intelligence rules. If you disable all but the global blacklist from the blacklist and reapply the policies, data comes up again, but we lose any info during the "blackout".
Can you test and see if you get the same results also?
10-26-2015 12:50 AM
I have the issue with ASA5545-X with SFR ver 5.3. Is the issue resolved?
08-17-2015 12:10 PM
Not sure if this is what you are looking for, but have you created the ACL and class to redirect the traffic to Firesight?
For example:
conf t
access-list ACL_fs extended permit ip any any
class-map SFR
 match access-list ACL_fs
policy-map global_policy
 class SFR
  sfr fail-open
(this permits traffic if SFR fails, use fail-close to block. You can also type monitor-only if you just want to send data to Sourcefire and not have it apply policy. I have it set like this until I get it all configured since it is on a production system)
I am no expert at this, but I think this is everything.
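As an added example (not part of the post above and not Cisco tooling), the Python below checks saved `show running-config` text for the redirection pieces that post lists: the ACL, the class-map that matches it, and the `sfr` action with its failure mode. It assumes sub-mode commands are indented as the ASA prints them, and it also checks for a `service-policy` line binding the policy-map, which the post does not show; `audit_sfr_redirect` and the sample config are hypothetical names and data.

```python
# Added example. SAMPLE_CONFIG is constructed, not taken from a real device.
SAMPLE_CONFIG = """\
access-list ACL_fs extended permit ip any any
class-map SFR
 match access-list ACL_fs
policy-map global_policy
 class SFR
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return one finding per policy-map class that carries an 'sfr' action."""
    acls, class_acl, applied, actions = set(), {}, set(), []
    cmap = pmap = pclass = None
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw[0].isspace():      # unindented line: back at global config mode
            cmap = pmap = pclass = None
        if tok[0] == "access-list" and len(tok) > 1:
            acls.add(tok[1])
        elif tok[0] == "class-map" and len(tok) > 1:
            cmap = tok[-1]
            class_acl.setdefault(cmap, None)
        elif tok[:2] == ["match", "access-list"] and cmap and len(tok) > 2:
            class_acl[cmap] = tok[2]
        elif tok[0] == "policy-map" and len(tok) > 1:
            pmap = tok[-1]
        elif tok[0] == "class" and pmap and len(tok) > 1:
            pclass = tok[1]
        elif tok[0] == "sfr" and pclass:
            mode = tok[1] if len(tok) > 1 else None   # fail-open or fail-close
            actions.append((pmap, pclass, mode, "monitor-only" in tok))
        elif tok[0] == "service-policy" and len(tok) > 1:
            applied.add(tok[1])
    findings = []
    for pmap, pclass, mode, monitor in actions:
        problems = []
        if pclass not in class_acl:
            problems.append("class-map not defined")
        elif class_acl[pclass] and class_acl[pclass] not in acls:
            problems.append("matched ACL not defined")
        if pmap not in applied:
            problems.append("policy-map not applied by service-policy")
        findings.append({"policy": pmap, "class": pclass, "mode": mode,
                         "monitor_only": monitor, "problems": problems})
    return findings
```

An empty result means no class sends traffic to the module at all; a finding with `mode` of `fail-open` means traffic passes uninspected if the module is down.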
09-01-2015 06:50 AM
Michael,
Can you inform me if your installation is working properly after you remove the "monitor only" command?
My issues started when I went into production.
09-01-2015 06:58 AM
Panos,
I have not put it into production yet. We have another vendor's appliance as our primary filter and APT management system, so I am waiting to use the full implementation of the Firesight system until things slow down here.
Michael
10-26-2015 09:42 AM
Hi,
Do you have a Firesight license?
Check link: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html
Also, can you enable logging on your access-control policy and see if you have traffic hitting the SFR?
Create a network discovery policy and see if you see the OS on the dashboards?
Regards,
Aastha Bhardwaj
Rate if that helps!!!
11-10-2015 03:04 PM
Hey everyone,
I was searching for a quick start guide to FireSIGHT dashboards and found this post that I think I might be able to help with. I had this exact "issue" when I first set up our appliances with the Defense Center and it took me a while to figure out. It ended up being a setting on the Access Control policy and IPS policies - you have to make sure the unit is feeding data into itself via the Logging settings. One way to do this is in your configured/applied Access Control policy - to the right of each of your rules, there should be a scroll icon wherein you can select the Logging tab and choose "Log at the end of connection" and "Send Connection Events to ... Defense Center". This might have to be done elsewhere also, but I believe this started to show data in my graphs almost instantly. Hope this helps.
-Bacon
03-10-2016 10:21 AM
I am using FireSight v6.0.0. To fix this problem, I added a device Platform-Setting policy which includes https and ssh traffic. Once I added the platform-setting policy and deployed it to the managed device, I could see data in Analysis > Connections > Event.
Hope that can help.
08-27-2016 10:09 PM
Hi,
I had the same issue. I created an access rule within: Policy --> Access Control Policy --> editing the default policy named "Access Control Policy" --> add an access rule matching the traffic I want to see in the dashboard; it can be Mandatory or Default, I created a Default. In the Logging tab, I enabled "Log at Beginning and the End of Connection". Click OK, and Save.
But that was not enough; later I had to force a deployment to the device:
http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Policy_Management.html
NOTE: You must have already redirected the traffic to the FirePOWER Services Module on an ASA.
http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html
I hope to be helpful.
Regards,
Manuel Aristy