cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

13038
Views
36
Helpful
10
Replies
Highlighted

Firesight Management is not showing any events on dashboards

Dear ASA 5525-x geeks out there,

 

I've a very simple set up for my ASA5525-x where my ASA5525x is in between my laptop and internet to test out some features and one additional laptop running firesight management and connected to Mangagement port

I've configured everything as per the documentation and I can see that my SFR module has been added to my FireSight Management center successfully (with NTP error which can be ignored for now)

I can also see that when I create an access rule in my firesight management, it has an effect on my ASA and which means that firewall and ASA has connectivity by some means (So its working :) )

But however, I am not able to see any information on dashboard. it simply says NO DATA everywhere (even connection summary (basic dashboard) is saying no data).

 

Additional information : When i created a rule (i enabled logging and send data firesight management center) but still no luck :(

 

Any idea where to start my troubleshooting?

 

 

Everyone's tags (3)
10 REPLIES 10
Highlighted
Beginner

Hi Radhakrishnan, Have you

Hi Radhakrishnan,

 

Have you managed to find a fix for the issue? Could you kindly share?

I am having the same problem and I am not sure where to start looking. 

 

Kanes.R

Highlighted
Beginner

We have the same issue with 2

We have the same issue with 2 completely different installations, we managed to pinpoint the issue to the security intelligence rules. If you disable from the blacklist all but global blacklist and reapply the policies data comes up again but we loose any info during the "blackout".

Can you test and see if you get the same results also?

Highlighted
Beginner

I have the issue with ASA5545

I have the issue with ASA5545-X with SFR ver 5.3. is the issue resolved??

Highlighted

Not sure if this is what you

Not sure if this is what you are looking for, but have you set the created the ACL and class to redirect the traffic to Firesight?

For example:

conf t

access-list ACL_fs permit any any

class-map SFR

match access-list ACL_fs

Policy-map global_policy

class SFR

sfr fail-open (this permits traffic if SFR fails, use fail-close to block. You can also type monitor-only if you just want to send data to Sourcefire and not have it apply policy. I have it set like this until I get it all configured since it is on a production system)

I am no expert at this, but I think this is everything.

 

 

Highlighted
Beginner

Michael,can you inform me if

Michael,

can you inform me if your installation is working properly after you remove the "monitor only" command?

My issues started when I wend in production.

Highlighted

Panos,I have not put it into

Panos,

I have not put it into production yet. We have an another vendor's appliance as our primary filter and APT management system, so I am waiting to use the full implementation of the Firesight system until things slow down here.

Michael

Highlighted
Cisco Employee

Hi, Do you have a Firesight

Hi,

 

Do you have a Firesight license ?

 

Check link : http://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118396-technote-firesight-00.html

Also can you enable logging on your access-control policy and see if you have traffic hitting the SFR.

Create a network discover policy and see if you see the OS on the dashboards?

 

Regards,

Aastha Bhardwaj

Rate if that helps!!!

 

Highlighted
Beginner

Hey everyone, 

Hey everyone, 

   I was searching for a quick start guide to FireSIGHT dashboards and found this post that I think I might be able to help with.  I had this exact "issue" when I first set up our appliances with the Defense Center and it took me a while to figure out.  It ended up being a setting on the Access Control policy and IPS policies - you have to make sure the unit is feeding data into itself via the Logging settings.  One way to do this is in your configured/applied Access Control policy - to the right of each of your rules, there should be a scroll icon wherein you can select the Logging tab and choose "Log at the end of connection" and "Send Connection Events to ... Defense Center".  This might have to be done elsewhere also, but I believe this started to show data in my graphs almost instantly.  Hope this helps.

-Bacon

Highlighted
Beginner

I am using FireSight v6.0.0.

I am using FireSight v6.0.0. To fix this problem, I have add a device Platform-Setting policy which will include https and ssh traffic. Once added the platform-setting policy and then deployed to the managed-device, now I can see data in the Analysis  > Connections > Event.

Hope that can help.

Highlighted
Beginner

Hi,

Hi,

I had the same issue. I created an access rule within : Policy --> Access Control Policy --> editing the default policy named " Access Control Policy" --> add an access rule maching the traffic I want to see in dashboard; can be Mandatory or default, I created a default. In the Logging tab Enabled "Log at Beginning and the End of Connection". Click OK, and Save.

But that was not enough, later I had to forced a deployment to the device: 

Step 1   Choose Devices > Device Management
Step 2   Click the edit icon () next to the device where you want to force deployment.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3   Click the Device tab.
Step 4   Click the edit icon () next to the General section heading.
Step 5   Click the Force Deploy arrow ().
Step 6   Optionally, expand the device listing to view the configuration settings to be deployed.

The system marks out-of-date policies with an index () icon.

Step 7   Click Deploy.
Step 8   If the system identifies errors or warnings in the configuration settings to be deployed, you have the following choices:
  • Click Proceed to continue deploying without resolving error or warning conditions. This button is enabled if the system identifies only warnings for the deployment; it is disabled if the system identifies an error in the deployment.
  • Click Cancel to exit without deploying. Resolve the error and warning conditions, and attempt to deploy the configuration again.

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Policy_Management.html

NOTE: You must have already redirected the traffic to the FirePOWER Services Module on an ASA.

http://www.cisco.com/c/en/us/support/docs/security/asa-firepower-services/118644-configure-firepower-00.html


I hope to be helpful.

Regards,
Manuel Aristy