02-27-2020 01:08 AM
Hi all
I am just wondering what other guys are doing, working with Firepower, when they quickly want to log a blocked request from a client? Similar to the ASDM logging window we have with the ASA firewalls, where we can simply add the IP address we want to log into the search field and then get the blocked event (for example because a port is not correct or for any other reason). Done within 30 seconds.
What is a pragmatic approach to log such a request without the need of setting up syslog, syslog servers etc.? Just to log a simple request?
Thanks all of you
Markus
02-27-2020 03:36 AM
Querying the connection events in FMC (or FDM) is one way.
Another is to watch firewall-engine-debug from the CLI while the client attempts to establish the connection.
A third is to run packet-tracer.
A fourth is to do packet-capture.
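As an added illustration of the three CLI options in the reply above (this is an example added here, not part of Marvin's reply and not copied from Cisco documentation), here is what a session on the FTD CLI looks like for a client 10.1.1.10 that cannot reach 192.0.2.5 on TCP/443 through an interface whose nameif is inside. The addresses, the ephemeral source port 12345, the capture name capin and the interface name are assumptions for the example; lines starting with "!" are annotations, not commands.

```cisco
! 1) Watch the Snort-side access-control verdict live, filtered to one client.
!    The command prompts for the 5-tuple; leaving the client port empty matches
!    any source port. Then reproduce the request from the client and read the
!    rule match and verdict that is printed; Ctrl-C ends the debug.
> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: 10.1.1.10
Please specify a client port:
Please specify a server IP address: 192.0.2.5
Please specify a server port: 443
Monitoring firewall engine debug messages

! 2) Simulate the flow through the data plane (LINA) without involving the
!    client at all. The interface is the nameif of the ingress interface; the
!    output shows each phase (ACL, NAT, inspection, ...) and which one drops it.
> packet-tracer input inside tcp 10.1.1.10 12345 192.0.2.5 443

! 3) Capture the real packets on the ingress interface, with a per-packet trace
!    so the data-plane decision for the captured packets is recorded as well.
!    Reproduce the request, inspect, then remove the capture so it does not
!    keep consuming memory.
> capture capin interface inside trace match tcp host 10.1.1.10 host 192.0.2.5 eq 443
> show capture capin
> show capture capin trace
> no capture capin
```

A caveat worth knowing before reading the output: packet-tracer and capture with trace show the ASA data-plane (LINA) path, whereas firewall-engine-debug shows the Snort engine's access control rule evaluation. If packet-tracer reports the packet as allowed but the client still fails, the verdict is usually coming from the Snort side, which is where firewall-engine-debug (or the FMC connection events) will show the blocking rule.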
02-27-2020 04:55 AM
Hi Marvin
Thanks for this quick answer. The command system support firewall-engine-debug is a great one, really straightforward. Do you happen to have a link which describes your two other options, packet-tracer and packet-capture, a bit more closely?
Thanks
Markus
02-27-2020 08:23 AM
I recommend @Nazmul Rajib's book on Firepower Threat Defense. It has lots of detailed examples on using FTD's packet-tracer and packet-capture commands.
It's available via the usual venues - I use Safari/O'Reilly as part of my ACM membership to access it.
You could also check out Cisco Live presentation BRKSEC-3455 Dissecting FTD Architecture and Troubleshooting which can be downloaded for free.
02-28-2020 12:56 AM
Thank you, Marvin, for your inputs. Very helpful.