Showing results for 
Search instead for 
Did you mean: 


Firesight Management is not showing any events on dashboards

Dear ASA 5525-x geeks out there,


I've a very simple set up for my ASA5525-x where my ASA5525x is in between my laptop and internet to test out some features and one additional laptop running firesight management and connected to Mangagement port

I've configured everything as per the documentation and I can see that my SFR module has been added to my FireSight Management center successfully (with NTP error which can be ignored for now)

I can also see that when I create an access rule in my firesight management, it has an effect on my ASA and which means that firewall and ASA has connectivity by some means (So its working :) )

But however, I am not able to see any information on dashboard. it simply says NO DATA everywhere (even connection summary (basic dashboard) is saying no data).


Additional information : When i created a rule (i enabled logging and send data firesight management center) but still no luck :(


Any idea where to start my troubleshooting?



Kanes Ramasamy

Hi Radhakrishnan,


Have you managed to find a fix for the issue? Could you kindly share?

I am having the same problem and I am not sure where to start looking. 



We have the same issue with 2 completely different installations, we managed to pinpoint the issue to the security intelligence rules. If you disable from the blacklist all but global blacklist and reapply the policies data comes up again but we loose any info during the "blackout".

Can you test and see if you get the same results also?

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

I have the issue with ASA5545-X with SFR ver 5.3. is the issue resolved??

Michael Pinnella

Not sure if this is what you are looking for, but have you set the created the ACL and class to redirect the traffic to Firesight?

For example:

conf t

access-list ACL_fs permit any any

class-map SFR

match access-list ACL_fs

Policy-map global_policy

class SFR

sfr fail-open (this permits traffic if SFR fails, use fail-close to block. You can also type monitor-only if you just want to send data to Sourcefire and not have it apply policy. I have it set like this until I get it all configured since it is on a production system)

I am no expert at this, but I think this is everything.




can you inform me if your installation is working properly after you remove the "monitor only" command?

My issues started when I wend in production.

Thank you,Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies


I have not put it into production yet. We have an another vendor's appliance as our primary filter and APT management system, so I am waiting to use the full implementation of the Firesight system until things slow down here.


Aastha Bhardwaj
Cisco Employee



Do you have a Firesight license ?


Check link :

Also can you enable logging on your access-control policy and see if you have traffic hitting the SFR.

Create a network discover policy and see if you see the OS on the dashboards?



Aastha Bhardwaj

Rate if that helps!!!



Hey everyone, 

   I was searching for a quick start guide to FireSIGHT dashboards and found this post that I think I might be able to help with.  I had this exact "issue" when I first set up our appliances with the Defense Center and it took me a while to figure out.  It ended up being a setting on the Access Control policy and IPS policies - you have to make sure the unit is feeding data into itself via the Logging settings.  One way to do this is in your configured/applied Access Control policy - to the right of each of your rules, there should be a scroll icon wherein you can select the Logging tab and choose "Log at the end of connection" and "Send Connection Events to ... Defense Center".  This might have to be done elsewhere also, but I believe this started to show data in my graphs almost instantly.  Hope this helps.



I am using FireSight v6.0.0. To fix this problem, I have add a device Platform-Setting policy which will include https and ssh traffic. Once added the platform-setting policy and then deployed to the managed-device, now I can see data in the Analysis  > Connections > Event.

Hope that can help.

Manuel Aristy


I had the same issue. I created an access rule within : Policy --> Access Control Policy --> editing the default policy named " Access Control Policy" --> add an access rule maching the traffic I want to see in dashboard; can be Mandatory or default, I created a default. In the Logging tab Enabled "Log at Beginning and the End of Connection". Click OK, and Save.

But that was not enough, later I had to forced a deployment to the device: 

Step 1   Choose Devices > Device Management
Step 2   Click the edit icon () next to the device where you want to force deployment.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3   Click the Device tab.
Step 4   Click the edit icon () next to the General section heading.
Step 5   Click the Force Deploy arrow ().
Step 6   Optionally, expand the device listing to view the configuration settings to be deployed.

The system marks out-of-date policies with an index () icon.

Step 7   Click Deploy.
Step 8   If the system identifies errors or warnings in the configuration settings to be deployed, you have the following choices:
  • Click Proceed to continue deploying without resolving error or warning conditions. This button is enabled if the system identifies only warnings for the deployment; it is disabled if the system identifies an error in the deployment.
  • Click Cancel to exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

NOTE: You must have already redirected the traffic to the FirePOWER Services Module on an ASA.

I hope to be helpful.

Manuel Aristy

Content for Community-Ad