Dear ASA 5525-x geeks out there,
I've a very simple setup for my ASA5525-x, where my ASA5525-x is in between my laptop and the internet to test out some features, and one additional laptop is running FireSIGHT Management and connected to the Management port.
I've configured everything as per the documentation and I can see that my SFR module has been added to my FireSIGHT Management Center successfully (with an NTP error which can be ignored for now).
I can also see that when I create an access rule in my FireSIGHT Management, it has an effect on my ASA, which means that the firewall and ASA have connectivity by some means (so it's working :) ).
However, I am not able to see any information on the dashboard. It simply says NO DATA everywhere (even the connection summary (basic dashboard) says no data).
Additional information: When I created a rule, I enabled logging and sending data to the FireSIGHT Management Center, but still no luck :(
Any idea where to start my troubleshooting?
Have you managed to find a fix for the issue? Could you kindly share?
I am having the same problem and I am not sure where to start looking.
We have the same issue with 2 completely different installations; we managed to pinpoint the issue to the security intelligence rules. If you disable from the blacklist all but the global blacklist and reapply the policies, data comes up again, but we lose any info during the "blackout".
Can you test and see if you get the same results also?
Not sure if this is what you are looking for, but have you created the ACL and class to redirect the traffic to FireSIGHT?
access-list ACL_fs extended permit ip any any
match access-list ACL_fs
sfr fail-open
(This permits traffic if SFR fails; use fail-close to block. You can also type monitor-only if you just want to send data to Sourcefire and not have it apply policy. I have it set like this until I get it all configured, since it is on a production system.)
I am no expert at this, but I think this is everything.
Can you inform me if your installation is working properly after you remove the "monitor only" command?
My issues started when I went into production.
I have not put it into production yet. We have another vendor's appliance as our primary filter and APT management system, so I am waiting to use the full implementation of the FireSIGHT system until things slow down here.
Do you have a FireSIGHT license?
Check link: http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html
Also, can you enable logging on your access-control policy and see if you have traffic hitting the SFR?
Create a network discovery policy and see if you see the OS on the dashboards.
Rate if that helps!!!
I was searching for a quick start guide to FireSIGHT dashboards and found this post that I think I might be able to help with. I had this exact "issue" when I first set up our appliances with the Defense Center and it took me a while to figure out. It ended up being a setting on the Access Control policy and IPS policies - you have to make sure the unit is feeding data into itself via the Logging settings. One way to do this is in your configured/applied Access Control policy - to the right of each of your rules, there should be a scroll icon wherein you can select the Logging tab and choose "Log at the end of connection" and "Send Connection Events to ... Defense Center". This might have to be done elsewhere also, but I believe this started to show data in my graphs almost instantly. Hope this helps.
I am using FireSIGHT v6.0.0. To fix this problem, I have added a device Platform-Setting policy which includes HTTPS and SSH traffic. Once I added the platform-setting policy and deployed it to the managed device, I could see data in Analysis > Connections > Event.
Hope that can help.
I had the same issue. I created an access rule within: Policy --> Access Control Policy --> editing the default policy named "Access Control Policy" --> add an access rule matching the traffic I want to see in the dashboard; it can be Mandatory or Default, I created a Default. In the Logging tab I enabled "Log at Beginning and the End of Connection". Click OK, and Save.
But that was not enough; later I had to force a deployment to the device:
|Step 1||Choose Devices > Device Management.|
|Step 2||Click the edit icon next to the device where you want to force deployment. In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.|
|Step 3||Click the Device tab.|
|Step 4||Click the edit icon next to the General section heading.|
|Step 5||Click the Force Deploy arrow.|
|Step 6||Optionally, expand the device listing to view the configuration settings to be deployed.|
|Step 7||Click Deploy.|
|Step 8||If the system identifies errors or warnings in the configuration settings to be deployed, you have the following choices:|
NOTE: You must have already redirected the traffic to the FirePOWER Services Module on an ASA.
I hope to be helpful.
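
The redirect that the NOTE above requires, and that an earlier reply sketches with ACL_fs, is a chain on the ASA: ACL, class-map, policy-map class with an sfr action, and a service-policy that applies it. As an added example (not code from the thread or from Cisco), this Python check walks a running-config and reports where that chain is broken; the sample config, the class-map name CM_fs and the function name are constructed for illustration.

```python
import re
# Constructed sample running-config, not taken from the thread. CM_fs is a
# hypothetical class-map name; ACL_fs is the ACL name used in the thread.
SAMPLE_CONFIG = """\
access-list ACL_fs extended permit ip any any
class-map CM_fs
 match access-list ACL_fs
policy-map global_policy
 class inspection_default
  inspect dns
 class CM_fs
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return one finding per 'sfr' action, listing broken links in the redirect chain."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = set(re.findall(r"^service-policy (\S+) ", config, re.M))
    class_acl = {}   # class-map name -> ACL it matches (None for non-ACL matches)
    findings = []
    cmap = pmap = pclass = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):      # a top-level command ends any sub-mode
            cmap = pmap = pclass = None
        if words[0] == "class-map":
            cmap = words[-1]
        elif words[0] == "policy-map":
            pmap = words[-1]
        elif cmap and words[0] == "match":
            class_acl[cmap] = words[-1] if words[1:2] == ["access-list"] else None
        elif pmap and words[0] == "class":
            pclass = words[1]
        elif pmap and pclass and words[0] == "sfr":
            findings.append({"policy_map": pmap, "class_map": pclass,
                             "fail_mode": words[1], "monitor_only": "monitor-only" in words})
    for f in findings:                    # resolve references after the whole config is read
        issues = []
        if f["class_map"] != "class-default" and f["class_map"] not in class_acl:
            issues.append("class-map has no match statement")
        elif class_acl.get(f["class_map"]) not in acls | {None}:
            issues.append("ACL %s is not defined" % class_acl[f["class_map"]])
        if f["policy_map"] not in applied:
            issues.append("policy-map is not applied by a service-policy")
        f["issues"] = issues
    return findings
```

An empty list means no class sends traffic to the module at all; a finding with `monitor_only` set matches the monitor-only mode described in the reply above.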