Solved: If you customize a query

Richard Persaud · ‎05-24-2017

Hello,

We are using FTD 6.2.0.1

We are troubleshooting an issue and are trying to figure out, how we can follow a particular connection and see which signatures are firing for that connection, in real time - or as close to real time as possible?

Any help you can give is greatly appreciated.

Thank you!

Marvin Rhoads · ‎05-25-2017

If you customize a query under connection events you can narrow down the volume of events to the host or hosts you are interested in.

You will see everything with a lag of a minute or two between a sensor recording the event, sending it to FMC and FMC parsing and entering it in the connection record database.

Also realize FTD 6.1 and later includes packet capture and tracer features like is on the classic ASA with the addition of showing you the FirePOWER policies that are hit (if any).

The following document describes working with those tools:

http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200867-Working-with-Firepower-Threat-Defense-F.html

View solution in original post

Marvin Rhoads · ‎05-25-2017

If you customize a query under connection events you can narrow down the volume of events to the host or hosts you are interested in.

You will see everything with a lag of a minute or two between a sensor recording the event, sending it to FMC and FMC parsing and entering it in the connection record database.

Also realize FTD 6.1 and later includes packet capture and tracer features like is on the classic ASA with the addition of showing you the FirePOWER policies that are hit (if any).

The following document describes working with those tools:

http://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200867-Working-with-Firepower-Threat-Defense-F.html

How to view signature triggers real time