Beginner

No Intrusion Events populating in the FMC

Hello,

I've recently come across an issue where there are no Intrusion Events being populated in the FMC. The last Intrusion event log was about 10 days ago, but now there is "No Data" under Overview -> Intrusion, and when I go to Analysis -> Intrusion -> Events, there are no events being shown.

Nothing has changed configuration-wise, but the FMC was upgraded to 6.4.0 while the sensors are running on 6.1.0/6.2.0.

Any ideas or suggestions?

Thanks for the help.

6 REPLIES
Cisco Employee

Re: No Intrusion Events populating in the FMC

A couple of things to check:

Is the device enabled with an IPS license?

Do you have an IPS policy applied to an Access Control Policy?

Is logging enabled for the IPS events?

Generate some IPS events manually and check again. It is perhaps possible that there have not been any intrusions in the time window that you are checking for :)

Thank you for rating helpful posts!

Beginner

Re: No Intrusion Events populating in the FMC

Thanks for the reply, nspasov.

To answer the questions: we do have an IPS license as well as a few intrusion policies applied to the Access Control Policies configured. Everything on the configuration side appears to be set and working; it's just that the intrusion events stopped suddenly on the 18th. I am not sure if it is because we have Variable Sets defined with networks? Or if this is due to the FMC running on 6.4.0 while the sensors are running on 6.1.0/6.2.0.

Also, what is the best way to generate some manual IPS events to check on this?

I am fairly new to the Sourcefires, so I REALLY appreciate the feedback/assistance.

Thank you!

Cisco Employee

Re: No Intrusion Events populating in the FMC

It is possible that you are hitting a defect associated with version 6.4. However, I just tested this in my lab and I am definitely seeing intrusion events in my event viewer. What patch level are you running? I tested this while running with patch-1. Patch-2 just got released and it resolves a good amount of defects. 

With regard to generating IPS events, I use the wonderful and free version of Qualys Community Edition:

https://www.qualys.com/community-edition/

You can scan a few IPs for free and if you find it useful, you can always get the paid version. 

I hope this helps!

Thank you for rating helpful posts!

Beginner

Re: No Intrusion Events populating in the FMC

In my environment the firings last about 2 hours and then stop.

Beginner

Re: No Intrusion Events populating in the FMC

Hi, iolide

Did you find a solution for this? I'm having the same issue. When trying to see if there are any intrusion events, we don't see anything. I attached the screenshot I took.

We have already configured an IPS policy and applied it to an Access Control Rule too. I've been watching videos and reading a lot of documentation, but I haven't found the solution yet.

Beginner

Re: No Intrusion Events populating in the FMC

Same issue for me here since the 6.4.0 upgrade, but only on one of the HA FMCs? Swapping to the secondary has intrusion events.