06-27-2019 02:42 PM - edited 02-21-2020 09:15 AM
Hello,
I've recently come across an issue where there are no Intrusion Events being populated in the FMC. The last Intrusion event log was about 10 days ago, but now there is "No Data" under Overview -> Intrusion, and when I go to Analysis -> Intrusion -> Events, there are no events being shown.
Nothing has changed configuration-wise, but the FMC was upgraded to 6.4.0 while the sensors are running on 6.1.0/6.2.0.
Any ideas or suggestions?
Thanks for help.
06-30-2019 08:54 PM
A couple of things to check:
Is the device enabled with an IPS license?
Do you have an IPS policy applied to an Access Control Policy?
Is logging enabled for the IPS events?
Generate some IPS events manually and check again. It is perhaps possible that there have not been any intrusions in the time window that you are checking for :)
Thank you for rating helpful posts!
07-01-2019 07:09 AM
Thanks for the reply nspasov.
To answer the questions: we do have an IPS license as well as a few intrusion policies applied to the Access Control Policies configured. Everything on the configuration side appears to be set and working; it's just that the intrusion events stopped suddenly on the 18th. I am not sure if it is because we have Variable Sets defined with networks? Or if this is due to the FMC running on 6.4.0 while the sensors are running on 6.1.0/6.2.0.
Also, what is the best way to generate some manual IPS events to check on this?
I am fairly new to the Sourcefires, so I REALLY appreciate the feedback/assistance.
Thank you!
07-05-2019 10:34 PM
It is possible that you are hitting a defect associated with version 6.4. However, I just tested this in my lab and I am definitely seeing intrusion events in my event viewer. What patch level are you running? I tested this while running with patch-1. Patch-2 just got released and it resolves a good amount of defects.
With regard to generating IPS events, I use the wonderful and free version of Qualys Community Edition:
https://www.qualys.com/community-edition/
You can scan a few IPs for free and if you find it useful, you can always get the paid version.
I hope this helps!
Thank you for rating helpful posts!
11-05-2019 02:37 AM
08-20-2019 09:11 PM
Hi, iolide
Did you find a solution for this? I'm having the same issue. When trying to see if there are any intrusion events, we don't see anything. I attached the screenshot I took.
We have already configured an IPS policy and applied it to an Access Control Rule too. I've been watching videos and reading a lot of documentation, but I haven't found the solution yet.
10-14-2019 06:48 AM
Same issue for me here since 6.4.0 upgrade, but only on one of the HA FMC? Swapping to secondary has intrusion events.
10-19-2022 04:14 AM
I too have the same issue after a reboot on only one of the HA pair. Did you find any resolution?
10-19-2022 08:16 AM
This can be caused by the following bug: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCwb59619
If you are hitting that, a reboot will clear it.
10-19-2022 04:10 AM
Did you find any solution for this? I am still having the issue.
01-04-2023 08:35 AM
Hi
Did you find a solution? I am having the same issue.
Thanks in advance
07-07-2021 12:32 PM
Hi, iolide.
Did you find a solution for this? I'm having the same issue.
Thank you.