05-24-2017 02:19 PM - edited 03-10-2019 06:50 AM
Hello,
We are using FTD 6.2.0.1
We are troubleshooting an issue and are trying to figure out how we can follow a particular connection and see which signatures are firing for that connection, in real time, or as close to real time as possible?
Any help you can give is greatly appreciated.
Thank you!
Solved! Go to Solution.
05-25-2017 05:31 AM
If you customize a query under connection events you can narrow down the volume of events to the host or hosts you are interested in.
You will see everything with a lag of a minute or two between a sensor recording the event, sending it to FMC and FMC parsing and entering it in the connection record database.
Also realize FTD 6.1 and later includes packet capture and tracer features like those on the classic ASA, with the addition of showing you the FirePOWER policies that are hit (if any).
The following document describes working with those tools:
http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200867-Working-with-Firepower-Threat-Defense-F.html
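As an added illustration (not part of the answer above, and not taken from the linked Cisco document), the capture and packet-tracer workflow the answer refers to looks roughly like this from the FTD CLI. The interface name `inside`, the hosts 10.1.1.10 and 192.0.2.10, and the port numbers are constructed placeholders; substitute the addresses of the connection you are chasing.

```text
! Capture only the one conversation you care about, with trace enabled
! so each packet records the ASA and Snort verdicts it hit
capture conn1 interface inside trace match tcp host 10.1.1.10 host 192.0.2.10

! Let the client make its connection, then inspect what was captured
show capture conn1
show capture conn1 packet-number 1 trace

! Simulate the same flow without live traffic; "detailed" prints every
! phase, including the access-control rule and Snort verdict that apply
packet-tracer input inside tcp 10.1.1.10 40000 192.0.2.10 443 detailed

! Remove the capture when finished so it stops consuming memory
no capture conn1
```

The capture output is close to real time on the device itself, which sidesteps the FMC event-database lag described above; the connection-events query in FMC remains the place to see the matching intrusion and connection records with their rule and signature names.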