Not getting IPS events on Firepower Management Center

msantiveri
Level 1

Hello,

I have 3 SFR modules in monitor-only mode within virtualized ASAs registered on a Cisco Firepower Management Center for VMware 6.0.1. I can see normal traffic statistics on the dashboard, but even though I tuned signatures to generate IPS alerts for any ICMP echo reply, I don't see anything.

The licenses are applied, the access policy is applied, and an intrusion policy is also created and linked to the access policy on the default action.

Could anyone help me find where the problem is?

Relevant configuration on virtual firewall:

class-map global-class
 match any

policy-map global_policy
 class global-class
  sfr fail-open monitor-only

MUA-FW1/ACCESS# sh service-policy sfr

Global policy:
  Service-policy: global_policy
    Class-map: global-class
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 626950891, drop 0, reset-drop 0

MUA-FW1/ACCESS# sh module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   0 ASA 5515-X with SW, 6 GE Data, 1 GE Mgmt, AC ASA5515            -Deleted-
 ips Unknown                                      N/A                   -Deleted-
cxsc Unknown                                      N/A                    -Deleted-
 sfr FirePOWER Services Software Module           ASA5515            -Deleted-


Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 ips Unknown                        No Image Present Not Applicable
cxsc Unknown                        No Image Present Not Applicable
 sfr ASA FirePOWER                  Up               6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable        
 ips Unresponsive       Not Applicable        
cxsc Unresponsive       Not Applicable        
 sfr Up                 Up                    

Mod  License Name   License Status  Time Remaining
---- -------------- --------------- ---------------
 ips IPS Module     Disabled        perpetual    

Thanks,

Miquel


jawalam
Cisco Employee

Hi,

We would suggest you follow the steps below to verify whether the IPS policy is working or not.

- Modify the intrusion policy in use and enable the portscan detection / ICMP detection Snort rule, SID 408.

- Assign a Network Analysis policy to the Access Control policy in use on the FirePOWER Management Center, and adjust the preprocessor settings.

- After deploying the policy, generate ICMP traffic and verify under Intrusion Events.

Regards

Jawed
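Before tuning rules, it is worth confirming that the test traffic is actually being redirected to the SFR module: if the `packet output` counter in `show service-policy sfr` does not move while you ping through the firewall, no intrusion policy will ever produce an event. The script below is an added example, not code from the original post or from Cisco. It parses two snapshots of the `show service-policy sfr` output (the first is copied from the post, the second is a constructed snapshot assumed to be taken after a ping test) together with the `show module` table, and reports whether the module is up and whether the ping packets were redirected. The treatment of `packet input 0` as normal in monitor-only mode (the ASA only copies traffic to the module and does not expect it back) is an assumption made here.

```python
import re

# Constructed sample input. SNAPSHOT_BEFORE is the ASA output quoted in the
# question; SNAPSHOT_AFTER is a hypothetical second snapshot taken after a
# ping test through the firewall (the counter value is an assumption).
SNAPSHOT_BEFORE = """\
Global policy:
  Service-policy: global_policy
    Class-map: global-class
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 626950891, drop 0, reset-drop 0
"""

SNAPSHOT_AFTER = """\
Global policy:
  Service-policy: global_policy
    Class-map: global-class
      SFR: card status Up, mode fail-open monitor-only
        packet input 0, packet output 626951203, drop 0, reset-drop 0
"""

# Constructed excerpt of the "show module" status table from the question.
SHOW_MODULE = """\
Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   0 Up Sys             Not Applicable
 ips Unresponsive       Not Applicable
cxsc Unresponsive       Not Applicable
 sfr Up                 Up
"""

SFR_BLOCK = re.compile(
    r"SFR: card status (?P<status>\S+), mode (?P<mode>.+)\n"
    r"\s*packet input (?P<input>\d+), packet output (?P<output>\d+), "
    r"drop (?P<drop>\d+), reset-drop (?P<reset_drop>\d+)"
)

# The sfr row: module name, then Status, then Data Plane Status (one or two words).
SFR_MODULE_ROW = re.compile(r"^\s*sfr\s+(?P<status>\S+)\s+(?P<dp>\S+(?: \S+)?)", re.M)


def parse_service_policy_sfr(text):
    """Extract card status, mode and the four packet counters from 'show service-policy sfr'."""
    m = SFR_BLOCK.search(text)
    if not m:
        raise ValueError("no SFR service-policy block found in output")
    d = m.groupdict()
    return {
        "status": d["status"],
        "mode": d["mode"].strip(),
        "input": int(d["input"]),
        "output": int(d["output"]),
        "drop": int(d["drop"]),
        "reset_drop": int(d["reset_drop"]),
    }


def parse_show_module_sfr(text):
    """Extract Status and Data Plane Status of the sfr row from 'show module'."""
    m = SFR_MODULE_ROW.search(text)
    if not m:
        raise ValueError("no sfr row found in 'show module' output")
    return {"status": m.group("status"), "data_plane": m.group("dp")}


def diagnose(before, after, module_text):
    """Compare two counter snapshots and decide whether test traffic reached the module."""
    b = parse_service_policy_sfr(before)
    a = parse_service_policy_sfr(after)
    mod = parse_show_module_sfr(module_text)
    problems, notes = [], []

    if mod["status"] != "Up" or mod["data_plane"] != "Up":
        problems.append("sfr module status/data plane is not Up; fix the module before tuning policy")
    if a["status"] != "Up":
        problems.append("service-policy reports card status %s" % a["status"])

    redirected = a["output"] - b["output"]
    if redirected <= 0:
        problems.append("packet output did not increase: test traffic was not redirected "
                        "(check that the class-map matches it and the policy is applied)")

    monitor_only = "monitor-only" in a["mode"]
    # Assumption: in monitor-only mode the ASA sends a copy and gets nothing back,
    # so a zero 'packet input' counter is normal and only 'packet output' matters.
    if monitor_only and a["input"] == 0:
        notes.append("packet input 0 is expected in monitor-only mode; judge by packet output only")
    if a["drop"] - b["drop"] > 0:
        notes.append("module dropped %d packets during the test" % (a["drop"] - b["drop"]))

    return {
        "module": mod,
        "mode": a["mode"],
        "monitor_only": monitor_only,
        "redirected": redirected,
        "problems": problems,
        "notes": notes,
        "ok": not problems,
    }


if __name__ == "__main__":
    result = diagnose(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, SHOW_MODULE)
    print("redirected %d packets, mode %s, ok=%s" % (result["redirected"], result["mode"], result["ok"]))
    for line in result["problems"] + result["notes"]:
        print(" -", line)
```

Run it with the two snapshots captured a few seconds apart while pinging from an inside host to an outside host (the echo replies coming back are what SID 408 matches). If the redirected count is positive and the module is Up but Intrusion Events stays empty, the problem is on the policy side (rule state, Network Analysis policy, or deployment), not in the ASA redirect path.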
