
Firesight Management is not showing any events on dashboards

vradhakrishnan1
Level 1

Dear ASA 5525-x geeks out there,

 

I've a very simple setup for my ASA5525-x where my ASA5525x is in between my laptop and internet to test out some features, and one additional laptop running firesight management and connected to Management port.

I've configured everything as per the documentation and I can see that my SFR module has been added to my FireSight Management center successfully (with NTP error which can be ignored for now)

I can also see that when I create an access rule in my firesight management, it has an effect on my ASA, which means that firewall and ASA have connectivity by some means (So it's working :) )

But however, I am not able to see any information on dashboard. It simply says NO DATA everywhere (even connection summary (basic dashboard) is saying no data).

 

Additional information: When I created a rule (I enabled logging and send data to firesight management center) but still no luck :(

 

Any idea where to start my troubleshooting?

 

 

10 Replies

Kanes Ramasamy
Level 1

Hi Radhakrishnan,

 

Have you managed to find a fix for the issue? Could you kindly share?

I am having the same problem and I am not sure where to start looking. 

 

Kanes.R

We have the same issue with 2 completely different installations; we managed to pinpoint the issue to the security intelligence rules. If you disable from the blacklist all but global blacklist and reapply the policies, data comes up again but we lose any info during the "blackout".

Can you test and see if you get the same results also?

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

I have the issue with ASA5545-X with SFR ver 5.3. Is the issue resolved?

Not sure if this is what you are looking for, but have you created the ACL and class to redirect the traffic to Firesight?

For example:

conf t
! ACL selecting the traffic to redirect to the SFR module
access-list ACL_fs extended permit ip any any
class-map SFR
 match access-list ACL_fs
policy-map global_policy
 class SFR
  sfr fail-open

(This permits traffic if SFR fails, use fail-close to block. You can also type monitor-only if you just want to send data to Sourcefire and not have it apply policy. I have it set like this until I get it all configured since it is on a production system.)

I am no expert at this, but I think this is everything.

 

 

Michael,

can you inform me if your installation is working properly after you remove the "monitor only" command?

My issues started when I went in production.

Thank you, Panos.

Panos,

I have not put it into production yet. We have another vendor's appliance as our primary filter and APT management system, so I am waiting to use the full implementation of the Firesight system until things slow down here.

Michael

Aastha Bhardwaj
Cisco Employee

Hi,

 

Do you have a Firesight license?

 

Check link : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html

Also, can you enable logging on your access-control policy and see if you have traffic hitting the SFR?

Create a network discovery policy and see if you see the OS on the dashboards?

 

Regards,

Aastha Bhardwaj

Rate if that helps!!!

 

ciscobacon
Level 1

Hey everyone, 

   I was searching for a quick start guide to FireSIGHT dashboards and found this post that I think I might be able to help with.  I had this exact "issue" when I first set up our appliances with the Defense Center and it took me a while to figure out.  It ended up being a setting on the Access Control policy and IPS policies - you have to make sure the unit is feeding data into itself via the Logging settings.  One way to do this is in your configured/applied Access Control policy - to the right of each of your rules, there should be a scroll icon wherein you can select the Logging tab and choose "Log at the end of connection" and "Send Connection Events to ... Defense Center".  This might have to be done elsewhere also, but I believe this started to show data in my graphs almost instantly.  Hope this helps.

-Bacon

liaojunhua
Level 1

I am using FireSight v6.0.0. To fix this problem, I added a device Platform-Setting policy which includes https and ssh traffic. Once I added the platform-setting policy and deployed it to the managed device, I could see data in Analysis > Connections > Event.

Hope that can help.

Manuel Aristy
Level 1

Hi,

I had the same issue. I created an access rule within: Policy --> Access Control Policy --> edit the default policy named "Access Control Policy" --> add an access rule matching the traffic I want to see in the dashboard; it can be Mandatory or Default, I created a Default one. In the Logging tab, enable "Log at Beginning and the End of Connection". Click OK, and Save.

But that was not enough; later I had to force a deployment to the device:

Step 1   Choose Devices > Device Management
Step 2   Click the edit icon next to the device where you want to force deployment.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3   Click the Device tab.
Step 4   Click the edit icon next to the General section heading.
Step 5   Click the Force Deploy arrow.
Step 6   Optionally, expand the device listing to view the configuration settings to be deployed.

The system marks out-of-date policies with an index icon.

Step 7   Click Deploy.
Step 8   If the system identifies errors or warnings in the configuration settings to be deployed, you have the following choices:
  • Click Proceed to continue deploying without resolving error or warning conditions. This button is enabled if the system identifies only warnings for the deployment; it is disabled if the system identifies an error in the deployment.
  • Click Cancel to exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Policy_Management.html

NOTE: You must have already redirected the traffic to the FirePOWER Services Module on an ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html


I hope to be helpful.

Regards,
Manuel Aristy
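
Several replies above depend on the ASA actually redirecting traffic to the SFR module (the ACL / class-map / policy-map post and the NOTE in the last reply). As an added example, not part of any post in this thread, the following Python script audits saved `show running-config` text for that redirect; the function name `audit_sfr_redirect` and the sample configuration are constructed for illustration.

```python
import re

# Constructed running-config excerpt for the demo (not from a real device).
SAMPLE_CONFIG = """\
access-list ACL_fs extended permit ip any any
class-map SFR
 match access-list ACL_fs
policy-map global_policy
 class inspection_default
  inspect dns
 class SFR
  sfr fail-open monitor-only
service-policy global_policy global
"""

def audit_sfr_redirect(config):
    """Return (redirects, findings) describing SFR redirection in an ASA config."""
    acls = set(re.findall(r"^access-list (\S+) ", config, re.M))
    applied = set(re.findall(r"^service-policy (\S+) ", config, re.M))
    class_acl, redirects, findings = {}, [], []
    cmap = pmap = cls = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if not line.startswith(" "):  # a top-level command ends the current block
            cmap = words[-1] if words[0] == "class-map" else None
            pmap = words[-1] if words[0] == "policy-map" else None
            cls = None
        elif cmap and words[:2] == ["match", "access-list"] and len(words) > 2:
            class_acl[cmap] = words[2]
        elif pmap and words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif pmap and cls and words[0] == "sfr":
            redirects.append({"policy": pmap, "class": cls, "options": words[1:]})
    if not redirects:
        findings.append("no 'sfr' action in any policy-map: nothing reaches the module")
    for r in redirects:
        acl = class_acl.get(r["class"])
        if r["policy"] not in applied:
            findings.append(f"policy-map {r['policy']} is not applied by a service-policy")
        if acl is not None and acl not in acls:
            findings.append(f"class-map {r['class']} matches undefined ACL {acl}")
        if "monitor-only" in r["options"]:
            findings.append(f"class {r['class']} is monitor-only: policy is not enforced")
    return redirects, findings

if __name__ == "__main__":
    for item in audit_sfr_redirect(SAMPLE_CONFIG):
        print(item)
```

An empty findings list only confirms that the redirect is configured on the ASA side; the logging settings in the access control policy described in the replies still have to be checked in the management center.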
