05-12-2020 01:32 AM
Hi, I am getting an alert on Cisco FMC for IPS. The Snap is attached. Is that normal or we have any fix for that?
Solved! Go to Solution.
05-12-2020 07:25 AM
It will stop all interface alerts. Unfortunately you cannot choose among the interfaces to which this Health Monitor applies.
But then FMC isn't really the right tool to monitor your interfaces - an NMS like PRTG, SolarWinds, Prime Infrastructure etc. is better suited for that task.
Later releases of Firepower fix the issue - I'm not sure exactly which one addressed it but it's fixed in the current 6.6 release.
05-12-2020 05:22 AM
It's not an IPS alert, it's a Health monitor alert. We normally see those when you are managing the Firepower service modules in an ASA HA pair. The standby unit will not be seeing any data traffic and thus generate the alert. If that's your case, the alert can be safely ignored.
The only work around for it is to blacklist interface monitoring in the Health Policy.
If you're not seeing it as coming from the standby unit in an HA pair then we have further troubleshooting to do.
05-12-2020 05:31 AM
Many thanks for your quick valuable response. Could you please share how I can blacklist the interface so the alert should not show up. Your reply is awaited, please.
05-12-2020 06:00 AM
You're welcome.
In FMC, go to System > Health > Policy and click on the "Interface Status" setting. There you should see an option to disable the checks.
05-12-2020 06:03 AM
Many thanks again. I will apply and update here the result.
05-12-2020 07:21 AM - edited 05-12-2020 07:22 AM
If we do this. Will it stop any other legitimate alerts associated with this interface?
05-12-2020 07:25 AM
It will stop all interface alerts. Unfortunately you cannot choose among the interfaces to which this Health Monitor applies.
But then FMC isn't really the right tool to monitor your interfaces - an NMS like PRTG, SolarWinds, Prime Infrastructure etc. is better suited for that task.
Later releases of Firepower fix the issue - I'm not sure exactly which one addressed it but it's fixed in the current 6.6 release.
05-12-2020 08:11 AM
Yes I agreed. Many thanks for your prompt response.
05-12-2020 08:40 AM
I have configured the email alerts on FMC and getting notifications which are good but I am getting alerts every 5 minutes for this (interface 'dataplaneinterface0' is not receiving any packets). Is there any option if I can change the interval of this interface for regeneration? I plan not to disable this otherwise all legitimate alerts will be disabled as well.
05-12-2020 09:01 AM
The Health Policy (for all monitored subsytems) runs every 5 minutes by default. You cannot change it per subsystem.
So if you choose not to blacklist the interface events and have your FMC configured to email alerts you will get that email every five minutes. In that case, it may be easier to make an email rule to delete or file the ones with the predictable string in the body.
05-12-2020 09:50 PM
Thanks, FMC alert features are so limited. Not much control over it.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide