We recently had a major issue where the FMC deleted a rule apparently by itself!
FMC1600 physical device running 6.6.1
Scenario: I deleted some out-of-date office IPs & associated rules. Applied policy to FTDs & a major incident became evident. After some diagnosis it transpired that our primary customer web access rule was missing!
Looking at the policy diff compare, it shows all the actions I took, then at the bottom (last item) it shows the web access rules as deleted from the old policy & added in the new saved policy. But when looking at the live installed policy the rule was missing!?
I recreated the rule manually (no rollback function in FMC), which restored the service. Cisco TAC agree the diff compare is odd, but cannot provide an explanation for why a rule that was NOT modified appeared in the diff compare, nor why it was missing from the policy where it clearly indicates it should exist?
We have tried various tests with TAC, but troubleshoot files don't indicate any issues & TAC have NOT been able to replicate it in a lab, nor restore my backups, as they have discovered that physical FMC backup will NOT restore to Virtual LAB vFMC.
Has anyone else experienced any weird rule issues?
Points to note:
FMC diff compare does NOT record actual rule numbers, it numbers the changes as Rule1-RuleX as they are made, no relation to the rulebase rule number, only the Rulename is consistent with the rulebase.
The audit log does NOT record changes to policy, only the policy save diff compare shows changes made between policy opened & new policy saved.
I have encountered a similar issue with Firepower 6.7.0 managed with FDM. In my case, site-to-site VPN configs were lost and had to be recreated manually. TAC was likewise unable to replicate - even though they observed it happening in real time on the production Firepower 2140 HA pair.
Thanks Marvin, at least I'm not going crazy. I have spent a while looking at previous diff compares & I don't see this replicated previously. As an indication there have been over 5000 successful policy changes in the last 14 months.
As a precaution we are now viewing policy diff compares before applying policy & only applying policy out of core hours, which is a pain.
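Reviewing the diff compare by eye is hard to do reliably when a policy has thousands of rules, and the thread notes that the diff's Rule1..RuleN numbering bears no relation to rulebase numbers, only the rule name is stable. The following is an added example, written for this thread and not Cisco or FMC code, of the kind of pre-deployment check that catches exactly the failure described above: it compares a rule list exported before an edit with one exported after, keyed on rule name, and refuses to "deploy" if any rule vanished that was not on the operator's intended-delete list. The pipe-separated export format, the rule names and the addresses are all constructed for the example; in practice you would feed it whatever rule export your management platform provides.

```python
"""Pre-deployment sanity check for a firewall access-policy edit.

Added illustration for this thread, not Cisco/FMC code. Rules are keyed by
name (the only identifier the diff compare keeps consistent). The export
format is a constructed, simplified text layout: one rule per line,
"name | action | source | destination | ports", '#' lines are comments.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    source: str
    destination: str
    ports: str


def parse_rules(text: str) -> Dict[str, Rule]:
    """Parse a constructed rule export into {name: Rule}; duplicate names are an error."""
    rules: Dict[str, Rule] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            raise ValueError(f"malformed rule line: {line!r}")
        name, action, src, dst, ports = fields
        if name in rules:
            raise ValueError(f"duplicate rule name: {name}")
        rules[name] = Rule(name, action, src, dst, ports)
    return rules


def audit_change(before: Dict[str, Rule], after: Dict[str, Rule],
                 intended_deletes: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every difference between the two exports.

    unexpected_deleted: present before, gone after, NOT on the intended list
    not_deleted:        on the intended list but still present after the edit
    """
    intended = set(intended_deletes)
    report: Dict[str, List[str]] = {
        "intended_deleted": [], "unexpected_deleted": [],
        "added": [], "modified": [], "not_deleted": [],
    }
    for name, rule in before.items():
        if name not in after:
            key = "intended_deleted" if name in intended else "unexpected_deleted"
            report[key].append(name)
        elif rule != after[name]:
            report["modified"].append(name)
    for name in after:
        if name not in before:
            report["added"].append(name)
    report["not_deleted"] = sorted(n for n in intended if n in after)
    return report


def is_safe_to_deploy(report: Dict[str, List[str]]) -> bool:
    """Block deployment if any rule was silently lost or an intended delete did not happen."""
    return not report["unexpected_deleted"] and not report["not_deleted"]


# Constructed sample exports mirroring the incident: one rule removed on
# purpose (OldOffice-Out), one that vanished without being touched
# (Customer-Web-Access), one added (NewOffice-Out).
BEFORE = """
# name | action | source | destination | ports
OldOffice-Out       | allow | 203.0.113.0/24 | any            | any
Customer-Web-Access | allow | any            | 198.51.100.10  | tcp/443
Mgmt-SSH            | allow | 192.0.2.0/24   | 198.51.100.20  | tcp/22
Default-Deny        | block | any            | any            | any
"""

AFTER = """
# name | action | source | destination | ports
NewOffice-Out       | allow | 203.0.113.128/25 | any           | any
Mgmt-SSH            | allow | 192.0.2.0/24     | 198.51.100.20 | tcp/22
Default-Deny        | block | any              | any           | any
"""


def run_example() -> Dict[str, List[str]]:
    """Audit the constructed change; the operator only meant to delete OldOffice-Out."""
    return audit_change(parse_rules(BEFORE), parse_rules(AFTER), ["OldOffice-Out"])


if __name__ == "__main__":
    rep = run_example()
    for key, names in rep.items():
        print(f"{key:18s}: {names}")
    print("safe to deploy:", is_safe_to_deploy(rep))
```

Run against the constructed data it reports Customer-Web-Access under unexpected_deleted and returns "safe to deploy: False", which is the point at which a human would stop and look at the diff compare rather than pushing policy to the FTDs.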