12-11-2018 04:37 AM - edited 02-21-2020 08:33 AM
Hello guys!
I have no experience with FTD firepower and I'm lost with the monitoring.
In the ASA using ASDM I can do monitoring in real time to see where the traffic is being blocked or not, but I have no idea how I can do it using Firepower.
Can anyone help me with this case?
Thanks
Marcio
12-11-2018 05:11 AM
Hi Marcio
Within the FMC (Firepower Management Center), you can use Analysis > Connection Events to filter and drill down on standard connection events that pass through the managed devices.
You can use Analysis > Intrusion Events to assess what is being blocked/monitored by the Snort engine.
Also, if you have the network discovery policy configured to build up host intelligence of your internal protected nodes (Desktops, laptops, servers etc), Analysis > Context Explorer will give you accurate IOCs (Indications of Compromise) and what devices/alerts should be triaged first.
As a general rule of thumb, the Intrusion alerts are rated 1-4 then 0 (1 being critical, 0 being informational). Look at the critical ones first.
The Access Control Policy ties all the 'sub policies' together (File/Malware, Prefilter (Layer 1-4), Intrusion (> Layer 7), SSL, DNS etc.).
Hope this helps.
Phil
12-11-2018 05:41 AM - edited 12-11-2018 05:42 AM
Hello Phil!
Thanks for your support.
I tried as you said, but after going to "Analysis > Connection Events", I have many options in the "jump to" menu, as I show in the attached screenshot; if I change to "host" for example, I get no result.
Or if I make a filter by network and put in the IP of the host, again I get no result. Do you know why?
thanks
12-11-2018 07:06 AM
Hi,
Do you have an ACP configured with logging enabled?
Cheers
Phil
12-11-2018 07:14 AM
Sorry, but what is ACP?
12-11-2018 07:19 AM
ACP is the access control policy. It's where all the ACL (Access Control List) style rules and the additional inspection up to Layer 7 are configured.
Check this out:
https://networkdirection.net/articles/asa/firepowermanagementcentre/fmcaccesscontrolpolicies/
Have you added your FTD devices to the FMC already? Do you have licensing sorted? (If not, no problem, use evaluation mode for a 90 day window.)
12-11-2018 07:21 AM
Yes, I have the ACP configured and the device is on the FMC physical appliance with the normal license (not evaluation).
12-11-2018 07:49 AM