01-24-2016 09:52 AM - edited 03-12-2019 05:52 AM
Hi,
There is an active/standby firewall with Sourcefire. The firewall is working well with failover, but there is no report showing in the FireSIGHT/Defense Center, and no rule is executed.
Although:
1. All licenses (Protect, Control, FIRESIGHT, AMP, URL) are installed on the Sourcefire.
2. Rules are created properly.
3. Logging is enabled.
4. Packets are being sent to Sourcefire.
01-25-2016 07:40 AM
Hi,
When you say report, what exactly do you mean? Try looking under Analysis > connection events to see whether you see the traffic from the active firewall. Also check the access-list that you have pushed to the active FW: does it have logging enabled on the rules?
Regards,
Aastha Bhardwaj
Rate if that helps!!!
01-26-2016 08:59 PM
Thanks Aastha Bhardwaj,
There are two attached files. I think they will help you. Reporting means there is nothing in Analysis > connection events, which is shown in the events_blank.png file.
Here is the active firewall configuration:
access-list ACL_ANY extended permit ip any any
!
class-map SFR
 match access-list ACL_ANY
!
policy-map global_policy
 class SFR
  sfr fail-open
!
01-26-2016 10:05 PM
Hi,
In the top right-hand corner there is a time window. Can you change the time to, say, 1 day or 1 week and see if you see the connection events? Currently it is set to 1 hr.
Regards,
Aastha Bhardwaj
Rate if that helps!!!
01-28-2016 06:45 PM
Thanks Aastha Bhardwaj,
After restarting the ESXi, it's OK now.