Interface & Security Zone

dcanady55
Level 3

Hello,

FTD & FMC 7.3

I am setting up Netflow and decided to use a physical interface for this process. The help section says an interface can belong to only one security zone. However, can multiple interfaces belong to the same zone, Inside in my case? I'm getting an error: too many interfaces in security zone / interface group.

Thanks,

9 Replies

Marvin Rhoads
Hall of Fame

As noted in the linked article, we generally set up Netflow records to be exported from the management interface.

Yes, as in the shared link, I think his issue is he is using Inside, not Mgmt.
Hope this link helps him.
Thanks

To confirm, you are referring to the management IP address that I have configured under the device tab of said FTD? I tried that address and wasn't successful for some reason. Under the interfaces themselves, there's a box for enabled and management, but management is grayed out, so I wanted to make sure you're not talking about enabling that under a physical interface. I will review the article, as maybe I missed something.

dcanady55
Level 3

I set up my diagnostic interface as management and gave it an IP address that falls under the management subnet. Flexconfig took the commands, so I believe I'm all set. How can I confirm flows are being sent, though, as I'm not seeing anything at the collector yet? I tried setting up a packet capture on the FTD CLI on the management interface using the "any" keyword, but nothing is being sent.
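One way to answer "are flows actually arriving" from the collector side, as an added example (not from this thread, Cisco, or any collector product): a small Python listener that binds the export port, parses the NetFlow v9 header that FTD/ASA NSEL exports use, and prints the source IP each datagram really came from, which is the detail this thread turns on. Port 2055 and the sample datagram are assumptions.

```python
"""Minimal NetFlow v9 arrival check for a collector host (added example)."""
import socket
import struct
from typing import Optional

# NetFlow v9 packet header: version, count, sysUptime, unixSecs, sequence, sourceId
V9_HEADER = struct.Struct("!HHIIII")


def parse_v9_header(datagram: bytes) -> Optional[dict]:
    """Return the v9 header fields, or None if the datagram is too short or not v9."""
    if len(datagram) < V9_HEADER.size:
        return None
    version, count, uptime, secs, seq, source_id = V9_HEADER.unpack_from(datagram)
    if version != 9:
        return None
    return {"version": version, "count": count, "sysuptime_ms": uptime,
            "unix_secs": secs, "sequence": seq, "source_id": source_id}


def listen(port: int = 2055, max_packets: int = 5, timeout: float = 30.0) -> list:
    """Bind the export port and report the first few datagrams by sender.

    Run this with the real collector stopped, since only one process can own the port.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind(("0.0.0.0", port))
    seen = []
    try:
        while len(seen) < max_packets:
            data, (src_ip, src_port) = sock.recvfrom(65535)
            hdr = parse_v9_header(data)
            if hdr is None:
                print(f"{src_ip}:{src_port} sent {len(data)} bytes that are not NetFlow v9")
                continue
            # The source IP tells you which FTD interface the export is leaving from.
            print(f"{src_ip}:{src_port} v9 seq={hdr['sequence']} "
                  f"flowsets={hdr['count']} source_id={hdr['source_id']}")
            seen.append((src_ip, hdr))
    except socket.timeout:
        print("no datagrams received before timeout; check routing and any blocking rules")
    finally:
        sock.close()
    return seen


# Constructed sample: a v9 header claiming 2 FlowSets, sequence 17, source ID 0.
SAMPLE_V9 = V9_HEADER.pack(9, 2, 123456, 1700000000, 17, 0) + b"\x00" * 8

if __name__ == "__main__":
    listen()
```

A sequence number that jumps between datagrams from the same source points to loss on the path rather than a device that is not exporting at all.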

dcanady55
Level 3

@Marvin Rhoads , or @MHM Cisco World 

When I run the command "show flow-export counters," this number does increase, yet when I use Wireshark on the collector, nothing from this FTD appears. I have set up ASP drop captures, and nothing was found there as well. Is there a way to validate that flows are being sent outside of this counter? Like I previously mentioned, when I set up a packet capture on the MGT interface, there were no packets. I can ping the collector from the FTD CLI, so I'm not sure what else I can look at.

Thanks

When you ping the collector from the FTD CLI, did you use "ping system"?

Hi Marvin,

Thanks for the suggestion, as I did not know about this command. I ran the ping this way, and it was successful. However, on the collector, I was running Wireshark and noticed that the source was the MGT IP found under the device tab of that FTD. Per that document MHM posted, I took my diagnostic interface, labeled it management, and gave it an IP address inside the same subnet found under my device tab's management space. If I go into the diagnostic CLI on the FTD and try to source my pings to the collector from the management interface that I set up under the diagnostic interface, it fails. I assume that I must create a rule for this traffic but wasn't sure, as there's no mention of it in that document nor in Cisco's official documentation.

I ran a packet capture looking for ASP drops and ran a ping inside the diagnostic CLI sourcing from my new management IP to my collector, and the ASP output is the following. I don't know what that is yet but am assuming something with routing.

1: 18:15:29.120187 10.80.5.10 > 10.93.200.36 icmp: echo request Drop-reason: (no-adjacency) No valid adjacency, Drop-location: frame 0x000000aaacd9bccc flow (NA)/NA
