11-13-2024 11:25 AM
FTD 7.4.1
I’m currently troubleshooting an issue with our FTD and I’m unable to generate logs, which is puzzling. I ran a system support trace that produced a few logs with an ID, and I matched that ID to my access list, confirming that logging is enabled for that rule to both syslog and FMC. However, when I execute the system support firewall-engine-debug command on the server, no logs appear. Additionally, nothing shows up under unified events in the FMC.
I have Wireshark running on the server and can see it’s communicating with the destination IPs I’m interested in, yet I’m still not getting any logs. When I run a debug with the server IP address open, I receive results for other random destinations, but not for the specific IPs I’m targeting. I’ve verified that the routing for those IPs follows the expected path. I can also set up a capture on the FTD interface and confirm that packets are flowing in and out, indicating traffic is indeed passing through the firewall.
I can understand not seeing logs in unified events if I’m looking at the wrong rule or if logging to the FMC isn’t enabled for the actual rule being hit. However, I’m confused as to why those destination IPs aren’t appearing in my debug output. Any insights would be appreciated!
Thanks
11-14-2024 05:09 AM
Aref,
I tried both approaches while searching for a specific destination IP and port, but neither worked. As I mentioned in my original post, I used the support trace, which indicated the rule I thought was being applied. However, when I checked my syslogs, I was surprised to find that my raw logs revealed a different rule. This particular rule didn’t have logging enabled for the FMC. Once I enabled logging, I could see the logs in the unified events, which made sense, but they also started appearing with debug information on the CLI. That part is still confusing to me, but it seems to have resolved the issue.
Thanks,
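One way to do the syslog check described in this post, as an added example that is not from the thread: it parses FTD connection-event syslog lines (the "key: value, key: value" layout of message IDs 430002/430003, assumed here) and reports which access control rule actually logged a given source/destination pair, so you can compare it with the rule that system support trace pointed you at. The sample lines, hosts, policy and rule names are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines. Hosts, policy and rule names are invented;
# the field layout follows FTD connection-event messages (assumption).
SAMPLE_SYSLOG = """\
Nov 13 11:20:01 ftd01 %FTD-6-430003: EventPriority: Low, FirstPacketSecond: 2024-11-13T16:20:01Z, ConnectionID: 101, AccessControlRuleAction: Allow, SrcIP: 10.10.1.5, DstIP: 10.20.2.7, SrcPort: 51234, DstPort: 443, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, ACPolicy: Prod-ACP, AccessControlRuleName: Generic-Outbound, Prefilter Policy: Default Prefilter Policy
Nov 13 11:20:04 ftd01 %FTD-6-430003: EventPriority: Low, FirstPacketSecond: 2024-11-13T16:20:04Z, ConnectionID: 102, AccessControlRuleAction: Allow, SrcIP: 10.10.1.5, DstIP: 10.20.2.7, SrcPort: 51240, DstPort: 443, Protocol: tcp, IngressInterface: dmz, EgressInterface: inside, ACPolicy: Prod-ACP, AccessControlRuleName: Generic-Outbound, Prefilter Policy: Default Prefilter Policy
Nov 13 11:20:09 ftd01 %FTD-6-430003: EventPriority: Low, FirstPacketSecond: 2024-11-13T16:20:09Z, ConnectionID: 103, AccessControlRuleAction: Allow, SrcIP: 10.10.1.5, DstIP: 203.0.113.9, SrcPort: 51251, DstPort: 443, Protocol: tcp, IngressInterface: dmz, EgressInterface: outside, ACPolicy: Prod-ACP, AccessControlRuleName: ServerA-Internet, Prefilter Policy: Default Prefilter Policy
Nov 13 11:20:12 ftd01 %FTD-6-302013: Built outbound TCP connection 555 for dmz:10.10.1.5/51260 (10.10.1.5/51260) to inside:10.20.2.7/443 (10.20.2.7/443)
"""

# Only Snort connection events (430002 start / 430003 end) carry the rule name.
CONN_EVENT = re.compile(r"%FTD-\d-43000[23]: (?P<body>.*)$")


def parse_event(line):
    """Return the key/value fields of one connection-event line, or None
    for any other message type (e.g. 302013 from the LINA side)."""
    m = CONN_EVENT.search(line)
    if not m:
        return None
    fields = {}
    # Fields are ", "-separated; the constructed values contain no ", ".
    for pair in m.group("body").split(", "):
        key, sep, value = pair.partition(": ")
        if sep:
            fields[key] = value
    return fields


def rules_for_flow(lines, src_ip, dst_ip):
    """Count which access control rule logged each src->dst connection."""
    hits = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev and ev.get("SrcIP") == src_ip and ev.get("DstIP") == dst_ip:
            hits[ev.get("AccessControlRuleName", "<none>")] += 1
    return hits


def unexpected_rules(lines, src_ip, dst_ip, expected_rule):
    """Rules that actually logged the flow but are not the one you expected.
    A non-empty result means the FMC logging setting to check is on these
    rules, not on the rule you were debugging."""
    return sorted(r for r in rules_for_flow(lines, src_ip, dst_ip)
                  if r != expected_rule)


if __name__ == "__main__":
    lines = SAMPLE_SYSLOG.splitlines()
    print(rules_for_flow(lines, "10.10.1.5", "10.20.2.7"))
    print(unexpected_rules(lines, "10.10.1.5", "10.20.2.7", "ServerA-to-B"))
```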
11-13-2024 11:59 AM
Can you elaborate more?
MHM
11-13-2024 12:14 PM
I can try.
Simply put, server A is talking to server B, and those communications are 100% taking place, yet I cannot run debugs on the FTD CLI and capture any of those packets. I can run a packet capture on the DMZ interface and see server A talking to B just fine, so why don't my logs show up in debug? Other logs do show up when I remove server B's IP and just leave it wide open; then I can see A talking to other destinations I'm not interested in.
11-13-2024 12:22 PM
support firewall-engine-debug <<- this is for Snort, so if you run prefilter the packet will not be detected by Snort.
Use a capture on the interface with trace instead.
MHM
11-13-2024 01:22 PM
I'm not running this traffic through pre-filter nor am I trusting it on my access rule.
11-14-2024 03:40 AM
Is the rule that should match traffic from server A to B the same as the one you referred to when you said it shows the logs of the other destinations, or is it a different rule? If they are different, is there any difference in terms of logging configs on those rules? Also, when you ran the firewall engine debug command, did you specify the protocol or any ports?
11-14-2024 07:19 AM
I sent you a PM, check it.
MHM