09-10-2018 01:36 AM - edited 02-21-2020 08:13 AM
Hey, I was recently put in charge of our Firewall, which I have very little knowledge of. We're using FMC and I need to set up logging (detect portscans/bad applications/system login attempts (ssh/web)) etc. I've been trying to google but I can't find anything useful.
I've enabled logging on platform settings, and on our access-policies, but I can't see anything useful on our syslog server.
There is other stuff I need to configure as well, for example AMP/IDS/IPS. Any useful material for this? Is there a paid course or webinar to learn FMC?
I'm a bit lost and I would love to learn.
09-10-2018 02:21 AM
The configuration guides are all under the product support page for FMC:
Those can be a bit overwhelming. For more of a primer, I'd recommend looking at the free Cisco Live presentations. There are also some great videos (also free for streaming) at labminutes.com.
Generally speaking you will get better context for any events from FMC itself rather than an external syslog server (unless it's part of a SIEM that's also doing correlation). If the ACP rules are set to log you should see connection events (Allow, Block, etc.), intrusion events etc. in FMC.
09-10-2018 04:59 AM
I will definitely look at videos. I've configured our ACL to log syslog and event viewer. In the event viewer I can see the connections with block/allow action. Is it possible to log who connects to the VPN, for example? I have enabled logging on those too, but I only see "connections", not users etc.
09-10-2018 10:45 AM
I'm not positive about the syslog entries for VPN logins, but there is a Dashboard you can use for VPN users. See Dashboard > Access Controlled User Statistics, VPN tab.
You can also create reports of the data that's displayed using the Report Designer button on the top right of that dashboard.