Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
942
Views
1
Helpful
5
Replies

Question on syslog message %FTD-6-302013 after transition from ASA

spfister336
Level 2
Level 2

‎06-01-2022 06:55 AM

We are analyzing the logs from all of our devices. Recently, a question came up on the %FTD-6-302013 message. It appears to be only happening on outbound connections from the inside network to the outside. We never see messages like that for connections inbound into the inside network. There really isn't much of anything allowed to make new connections from the outside into our network. Does this message not get generated for blocked connections?

1 person had this problem
0 Helpful
5 Replies 5

balaji.bandi
Hall of Fame
Hall of Fame

‎06-01-2022 07:28 AM

until we see you ACP rule we are not sure how that error related to

 

check the more explanation of Logs

https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide/syslogs3.html#con_4770603

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

spfister336
Level 2
Level 2
In response to balaji.bandi

‎06-01-2022 08:05 AM

Any particular rule that you need to see?

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-01-2022 12:08 PM

Blocked connections are only connection attempts. If the tcp SYN packet is blocked then no %FTD-6-302013 message is generated.

0 Helpful

spfister336
Level 2
Level 2
In response to Marvin Rhoads

‎06-06-2022 11:50 AM

Thanks for the responses. I think the question I am being asked and I'm trying to research is this:

 

It looks like for an outbound connection the syslog message is written to the log as a connection inbound into the inside interface. Is there any way to get it to be logged as an outbound connection through the outside interface? I think the log analyzer may be getting confused by what is an outbound connection from our network, and there is an 'inbound' keyword in the message.

MakoWish
Level 1
Level 1

‎03-22-2023 12:27 PM

We are seeing the same thing. Messages that are clearly outbound are showing as `inbound`, and some inbound messages are showing as `outbound`. Our SIEM is throwing false-positives for this, as the ML jobs are alerting inbound port scans (that are being blocked) as outgoing connections to known-malicious IP addresses. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card