No Audit log on the Firepower Management Console for Access Control Policy changes

alaporte3
Level 1

Hi,

I'm just checking here to see if anyone else is aware that in the latest release of Cisco Firepower Management Center there is no audit trail for changes to the access control policy.

Now I consider the ability to log policy changes to be a requirement of a security management device, but I recently discovered that this is not possible.

I have a TAC case open regarding this, but they said all they can do is request this as a feature enhancement.

I'm not sure that I will be able to continue the use of the product if you cannot tell who made what changes and when. I'm hoping that someone else has come across this and has a workaround, but as of yet I have found none.

Andy

1 Reply

Marvin Rhoads
Hall of Fame

You do get an audit log event that an access control policy has been changed (and by whom) as well as an audit event for the deployment. I just verified this on an FMC with the current 6.2.0.1 software.

You do not see the details of what the changed rules are in the audit event. I don't know of an easy way to see those changes retrospectively.

If any of the component policies (Intrusion, File etc.) are changed, you can compare them, including revisions of a given policy.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/60/configuration/guide/fpmc-config-guide-v60/Policy_Management.html#task_ABA1FE48DBBB44BC9FF40243FCC58BF6
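The reply above says the audit event records who changed the access control policy and when, but not which rules changed. One defender-side workaround that follows from that is to snapshot the rule list on a schedule (for example from a policy export) and diff consecutive snapshots, then pair the diff with the audit event's user and timestamp. The script below is an added example written for this thread; it is not code from the original post, from Marvin's reply, or from Cisco. The rule fields (`name`, `action`, `enabled`, `sources`, `destinations`, `ports`) and the two snapshots are constructed for illustration and are assumptions, not the FMC export or REST API schema.

```python
"""Diff two snapshots of an access control policy's rule list and flag
changes that made the policy more permissive.

Added example for the thread above; the snapshot layout is an assumption
(constructed for illustration), not the Cisco FMC export or API format.
"""

# Constructed "before" snapshot: what the policy looked like at the last export.
BEFORE = [
    {"name": "Allow-DNS", "action": "ALLOW", "enabled": True,
     "sources": ["inside-net"], "destinations": ["any"], "ports": ["DNS"]},
    {"name": "Block-Telnet", "action": "BLOCK", "enabled": True,
     "sources": ["any"], "destinations": ["any"], "ports": ["TELNET"]},
    {"name": "Legacy-Allow-All", "action": "ALLOW", "enabled": False,
     "sources": ["any"], "destinations": ["any"], "ports": ["any"]},
]

# Constructed "after" snapshot: one rule flipped to ALLOW, one added, one deleted.
AFTER = [
    {"name": "Allow-DNS", "action": "ALLOW", "enabled": True,
     "sources": ["inside-net"], "destinations": ["any"], "ports": ["DNS"]},
    {"name": "Block-Telnet", "action": "ALLOW", "enabled": True,
     "sources": ["any"], "destinations": ["any"], "ports": ["TELNET"]},
    {"name": "Allow-RDP", "action": "ALLOW", "enabled": True,
     "sources": ["any"], "destinations": ["dmz-jumphost"], "ports": ["RDP"]},
]


def _norm(value):
    """Make list-valued fields order-insensitive so reordering is not a change."""
    return sorted(value) if isinstance(value, list) else value


def index_rules(rules):
    """Key rules by name; rule names are assumed unique within one policy."""
    return {rule["name"]: rule for rule in rules}


def diff_policy(before, after):
    """Return added/removed rule names and per-field (old, new) pairs for changed rules."""
    b, a = index_rules(before), index_rules(after)
    added = sorted(set(a) - set(b))
    removed = sorted(set(b) - set(a))
    changed = {}
    for name in sorted(set(a) & set(b)):
        fields = {
            k for k in set(a[name]) | set(b[name])
            if _norm(a[name].get(k)) != _norm(b[name].get(k))
        }
        if fields:
            changed[name] = {k: (b[name].get(k), a[name].get(k)) for k in sorted(fields)}
    return {"added": added, "removed": removed, "changed": changed}


def flag_permissive_changes(diff, after):
    """Names of rules that now ALLOW traffic they did not before, or are newly enabled."""
    a = index_rules(after)
    flagged = set()
    for name in diff["added"]:
        if a[name].get("action") == "ALLOW" and a[name].get("enabled", True):
            flagged.add(name)
    for name, fields in diff["changed"].items():
        old_action, new_action = fields.get("action", (None, None))
        old_enabled, new_enabled = fields.get("enabled", (None, None))
        if new_action == "ALLOW" and old_action != "ALLOW":
            flagged.add(name)
        if old_enabled is False and new_enabled is True and a[name].get("action") == "ALLOW":
            flagged.add(name)
    return sorted(flagged)


def format_report(diff, actor, timestamp):
    """Render the diff as lines that can be filed next to the FMC audit event."""
    lines = [f"Policy change by {actor} at {timestamp}"]
    lines += [f"  + added:   {n}" for n in diff["added"]]
    lines += [f"  - removed: {n}" for n in diff["removed"]]
    for name, fields in diff["changed"].items():
        for field, (old, new) in fields.items():
            lines.append(f"  ~ {name}.{field}: {old!r} -> {new!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Placeholder actor/time; in practice take them from the FMC audit event.
    d = diff_policy(BEFORE, AFTER)
    print(format_report(d, actor="<user-from-audit-event>", timestamp="<audit-event-time>"))
    print("review:", flag_permissive_changes(d, AFTER))
```

Run it on each pair of consecutive exports; the output, stored alongside the audit event that names the user and time, gives the who/what/when record the thread is asking for.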
