01-19-2021 01:20 AM
I would like to know if it is possible to set up my Firepower 1010 using FDM to log events from when my users log on and off the AnyConnect client. I cannot find an option to set this up.
Solved! Go to Solution.
01-27-2021 04:33 AM
The event viewer in FDM won't show messages related to VPN user logon/logoff. However those actions do generate syslog messages.
You can add a syslog server and then configure FTD to send events to it. They can be of a defined level (Emergency, Alert, Critical etc.) or you can create a custom filter with just the syslog messages you want. You'd then have to use the display in the syslog server to see the information.
That's not very useful but it's what's available natively as of FTD 6.7 when managed only with FDM. If you use FMC or CDO more useful displays are available - especially with CDO. It interacts with the FTD device via API to retrieve the relevant information and display it graphically.
01-19-2021 01:32 AM
FDM has limited capabilities. What is the source of authentication? Can you get the data from AD or RADIUS, based on the config?
01-19-2021 01:48 AM
I'm using local...
01-19-2021 04:56 PM
I cannot see anything about AnyConnect login/logoff in the event viewer using FDM...
Could you show me where I can find it? Please.
12-15-2021 10:38 PM - edited 12-16-2021 09:31 AM
Here is a basic step-by-step walkthrough on how to log AnyConnect VPN connections with FDM and FTD to a syslog server.
First, find out the syslog level that you want going to your syslog server. For example, I am using "Critical", so I will use that in this example.
1) Go to "Objects" -> "Event List Filters"
2) Click the "+" next to "Add a new Event List Filter"
3) Give the filter a name, such as "syslog-critical-withvpn"
4) Click the "+" next to "Severity and Log Class", choose "Critical", and click "OK"
5) Click "Please select Log Class" and checkmark the desired classes (I checkmarked all of them)
6) In the "Syslog Range / Message ID", enter "109201-109203"
7) Click "Add Another Syslog Range / Message ID" and enter "716001 - 716002"
10) Under "Syslog Servers", if you haven't added your server yet, click the "+" and add your server
11) Under "Message Filtering for Firepower Threat Defense", click "Custom Logging Filter" and choose "syslog-critical-withvpn"
12) Click "SAVE"
13) Deploy the changes
The secret here is the custom logging filter. The documentation is not clear whether the syslog level combines with the MessageID range, or filters by the MessageID range.
The answer is it COMBINES with the MessageID range, so you can have both!
(FDM only allows you to pick one custom filter for the syslog server, so that's why it is important to be able to do this.)
And now you have an easy way to add further Message IDs for syslogging, by simply editing the custom filter and adding more sets of Message IDs!
Here is a list of available syslog message IDs to pick from:
https://www.cisco.com/c/en/us/td/docs/security/firepower/Syslogs/b_fptd_syslog_guide.html
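Once the filter above is in place, the receiving syslog server sees a mix of everything at Critical and above plus the two VPN message ranges. The following script is an added example (not from this thread, Cisco, or any FDM/FTD code) showing what that combined filter selects and how to pull user, group, IP and session start/stop out of the 716001/716002 lines. It assumes the usual `%FTD-<severity>-<message_id>:` syslog header and the "Group ... User ... IP ... WebVPN session started/terminated" body wording; the sample log lines are constructed for the demonstration, not captured from a device.

```python
import re

# Severity digit used in the FTD/ASA syslog header: %FTD-<severity>-<message_id>
SEVERITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notification", 6: "informational", 7: "debugging"}

# Message-ID ranges from the walkthrough: 109201-109203 and 716001-716002
VPN_ID_RANGES = [(109201, 109203), (716001, 716002)]

HEADER_RE = re.compile(r"%(?:FTD|ASA)-(\d)-(\d{6}):\s*(.*)")
# Body wording assumed for the WebVPN session start/stop messages
SESSION_RE = re.compile(r"Group (\S+) User (\S+) IP (\S+) WebVPN session (started|terminated)")

# Constructed sample lines (not real device output); timestamps/hostnames are placeholders
SAMPLE_LOGS = [
    "Dec 16 2021 09:31:00 ftd1 %FTD-6-716001: Group DefaultWEBVPNGroup User alice IP 203.0.113.5 WebVPN session started.",
    "Dec 16 2021 09:32:10 ftd1 %FTD-6-302013: Built inbound TCP connection (informational, dropped by filter)",
    "Dec 16 2021 09:40:00 ftd1 %FTD-2-106001: Inbound TCP connection denied (critical, kept by level)",
    "Dec 16 2021 09:45:00 ftd1 %FTD-6-716002: Group DefaultWEBVPNGroup User alice IP 203.0.113.5 WebVPN session terminated.",
    "garbage line without a syslog header",
]


def parse_line(line):
    """Split a syslog line into severity, numeric message ID and body; None if no header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    return {"severity": int(m.group(1)), "id": int(m.group(2)), "body": m.group(3)}


def matches_filter(rec, max_severity=2, id_ranges=VPN_ID_RANGES):
    """Mirror the combined custom filter: severity at or above the chosen level
    (numerically <= 2 for Critical) OR message ID inside a configured range."""
    by_level = rec["severity"] <= max_severity
    by_id = any(lo <= rec["id"] <= hi for lo, hi in id_ranges)
    return by_level or by_id


def forwarded_ids(lines):
    """Message IDs that would reach the syslog server under the combined filter."""
    return [rec["id"] for rec in map(parse_line, lines) if rec and matches_filter(rec)]


def vpn_session_events(lines):
    """Extract user/group/IP and start/stop action from the 716001/716002 messages."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not matches_filter(rec):
            continue
        s = SESSION_RE.search(rec["body"])
        if s:
            events.append({"group": s.group(1), "user": s.group(2), "ip": s.group(3),
                           "action": s.group(4), "id": rec["id"],
                           "level": SEVERITY_NAMES[rec["severity"]]})
    return events


if __name__ == "__main__":
    print("forwarded IDs:", forwarded_ids(SAMPLE_LOGS))
    for ev in vpn_session_events(SAMPLE_LOGS):
        print(f"{ev['user']}@{ev['ip']} ({ev['group']}) session {ev['action']} [{ev['id']}]")
```

The informational 302013 line is dropped while the informational 716001/716002 lines survive: that is the "combines" behaviour the post describes, where the severity threshold and the Message ID ranges are OR-ed rather than intersected. Severity in the header is numeric, so Critical means a digit of 2 or lower.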
12-16-2021 03:39 AM
@bcoverstone nice write up - thanks for sharing your work