Cisco Firepower Management Center 2000 Troubleshooting Guide

<Output Omitted>
===============[ Rule Set: (User) ]================
---------------[ Rule: DenyGambling ]---------------
Action : Block
ISE Metadata :
    Security Group Tags: [7:6]
Destination Ports : HTTP (protocol 6, port 80)
                    HTTPS (protocol 6, port 443)
URLs
    Category : Gambling
    Category : Streaming Media
    Category : Hacking
    Category : Malware Sites
    Category : Peer to Peer
Logging Configuration
    DC : Enabled
    Beginning : Enabled
    End : Disabled
    Files : Disabled
Safe Search : No
Rule Hits : 3
Variable Set : Default-Set
Note: The Security Group Tags field specifies two numbers: [7:6]. In this pair, "7" is the unique ID of the local SGT database, which is known only to the FMC and the sensor, and "6" is the actual SGT number known to all parties.
To view the logs generated while SFR processes incoming traffic and evaluates the access policy, run:
system support firewall-engine-debug
Please specify an IP protocol:
Please specify a client IP address: 10.201.229.88
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages
Example of firewall-engine-debug output for incoming traffic with inline tagging:
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 Starting with minimum 0, id 0 and IPProto first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, sgt tag: 6, svc 676, payload 0, client 686, misc 0, user 9999999, url http://www.poker.com/, xff
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1: DataMessaging_GetURLData: Returning URL_BCTYPE for www.poker.com
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 rule order 1, 'DenyGambling', URL Lookup Success: http://www.poker.com/ waited: 0ms
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 rule order 1, 'DenyGambling', URL http://www.poker.com/ Matched Category: 27:96 waited: 0ms
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 match rule order 1, 'DenyGambling', action Block
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 sending block response of 474 bytes
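As an added example (not part of the Cisco guide), the following Python script folds a firewall-engine-debug transcript into one verdict record per flow, so that the inline SGT, the URL category lookup and the final rule action for a client can be read off in one place instead of scanning the repeated 5-tuple prefix by hand. It assumes the line layout shown above (every message prefixed with "src-sport > dst-dport proto AS n I m", with an optional ":" after the instance number) and runs on a constructed copy of the six lines above; the regular expressions and the FlowVerdict fields are the example's own, not a Cisco API.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample trace, laid out like the firewall-engine-debug excerpt above:
# the tool prefixes every message with the same "src-sport > dst-dport proto AS n I m" tuple.
SAMPLE_TRACE = """\
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 Starting with minimum 0, id 0 and IPProto first with zones -1 -> -1, geo 0(0) -> 0, vlan 0, sgt tag: 6, svc 676, payload 0, client 686, misc 0, user 9999999, url http://www.poker.com/, xff
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1: DataMessaging_GetURLData: Returning URL_BCTYPE for www.poker.com
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 rule order 1, 'DenyGambling', URL Lookup Success: http://www.poker.com/ waited: 0ms
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 rule order 1, 'DenyGambling', URL http://www.poker.com/ Matched Category: 27:96 waited: 0ms
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 match rule order 1, 'DenyGambling', action Block
10.201.229.88-52243 > 104.28.4.103-80 6 AS 0 I 1 sending block response of 474 bytes
"""

# Every line starts with the flow tuple; some message types add a ":" after the instance number.
FLOW_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<as_>\d+) I (?P<inst>\d+):? (?P<msg>.*)$"
)
# Fields picked out of the individual messages (patterns are this example's assumptions).
SGT_RE = re.compile(r"sgt tag: (?P<sgt>\d+)")
USER_RE = re.compile(r"user (?P<user>\d+),")
URL_RE = re.compile(r"url (?P<url>\S+),")
CATEGORY_RE = re.compile(r"Matched Category: (?P<cat>\d+:\d+)")
VERDICT_RE = re.compile(r"match rule order (?P<order>\d+), '(?P<rule>[^']+)', action (?P<action>\w+)")
BLOCK_RE = re.compile(r"sending block response of (?P<nbytes>\d+) bytes")

FlowKey = Tuple[str, int, str, int, int]


@dataclass
class FlowVerdict:
    """What the engine decided for one flow, accumulated across its debug lines."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    sgt: Optional[int] = None        # SGT carried inline with the packet (the "6" of [7:6])
    user: Optional[int] = None       # user id the engine associated with the flow
    url: Optional[str] = None
    category: Optional[str] = None
    rule: Optional[str] = None
    rule_order: Optional[int] = None
    action: Optional[str] = None
    block_bytes: Optional[int] = None


def parse_trace(text: str) -> Dict[FlowKey, FlowVerdict]:
    """Fold a firewall-engine-debug transcript into one verdict record per flow."""
    flows: Dict[FlowKey, FlowVerdict] = {}
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue  # prompt echo, banner, or a wrapped line: not a flow message
        key: FlowKey = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["proto"]))
        fv = flows.setdefault(key, FlowVerdict(*key))
        msg = m["msg"]
        if (s := SGT_RE.search(msg)):
            fv.sgt = int(s["sgt"])
        if (u := USER_RE.search(msg)):
            fv.user = int(u["user"])
        if (w := URL_RE.search(msg)):
            fv.url = w["url"]
        if (c := CATEGORY_RE.search(msg)):
            fv.category = c["cat"]
        if (v := VERDICT_RE.search(msg)):
            fv.rule, fv.rule_order, fv.action = v["rule"], int(v["order"]), v["action"]
        if (b := BLOCK_RE.search(msg)):
            fv.block_bytes = int(b["nbytes"])
    return flows


def blocked_flows(flows: Dict[FlowKey, FlowVerdict]) -> List[Tuple[str, str, str]]:
    """(client, server, rule) for every flow the engine blocked."""
    return [(fv.src, fv.dst, fv.rule or "?") for fv in flows.values() if fv.action == "Block"]


if __name__ == "__main__":
    for fv in parse_trace(SAMPLE_TRACE).values():
        print(f"{fv.src}:{fv.sport} -> {fv.dst}:{fv.dport} sgt={fv.sgt} user={fv.user} "
              f"url={fv.url} category={fv.category} rule={fv.rule} action={fv.action}")
```

Feeding it a longer capture (several clients, several flows) gives one record per 5-tuple, which makes it straightforward to confirm that the SGT seen inline is the one the rule's ISE metadata expects before reading the block verdict.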
From the Expert Mode of a Firepower Device
Caution: The following instruction may impact system performance. Run the command only for troubleshooting purposes, or when a Cisco Support Engineer requests this data.
The Firepower module pushes the User-IP mapping to the local Snort process. To verify what Snort knows about the mapping, use the following command to send a query to Snort:
system support firewall-engine-dump-user-identity-data
Successfully commanded snort.
To view the data, enter expert mode:
expert
admin@firepower:~$
Snort creates the dump file under the /var/sf/detection_engines/GUID/instance-x directory. The name of the dump file is user_identity.dump.
admin@firepower:/var/sf/detection_engines/7eed8b44-707f-11e6-9d7d-e9a0c4d67697/instance-1$ sudo cat user_identity.dump
Password:
---------------- IP:USER ----------------
---------------- Host ::ffff:10.201.229.88 ----------------
::ffff:10.201.229.88: sgt 7, device_type 313, location_ip ::ffff:10.201.229.94
::ffff:10.201.229.88:47 realm 3 type 1 user_pat_start 0
------------------- USER:GROUPS -------------------
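As an added example (not part of the Cisco guide), a small Python reader for the IP:USER section of user_identity.dump, run here on a constructed copy of the excerpt above. It assumes the layout shown: a "Host" banner per address, one line carrying sgt, device_type and location_ip, and one line whose number after the address is not explained on the page, so the script keeps it as an opaque record_id rather than guessing its meaning. Addresses are normalised from the IPv4-mapped ::ffff: form so a plain IPv4 lookup works; the function names are the example's own.

```python
import ipaddress
import re
from typing import Dict, Optional

# Constructed sample, laid out like the user_identity.dump excerpt above.
SAMPLE_DUMP = """\
---------------- IP:USER ----------------
---------------- Host ::ffff:10.201.229.88 ----------------
::ffff:10.201.229.88: sgt 7, device_type 313, location_ip ::ffff:10.201.229.94
::ffff:10.201.229.88:47 realm 3 type 1 user_pat_start 0
------------------- USER:GROUPS -------------------
"""

HOST_RE = re.compile(r"^-+ Host (?P<host>\S+) -+$")
ATTR_RE = re.compile(
    r"^(?P<host>\S+): sgt (?P<sgt>\d+), device_type (?P<dev>\d+), location_ip (?P<loc>\S+)$"
)
# The number after the second address is not named in the dump; it is kept as record_id.
REALM_RE = re.compile(
    r"^(?P<host>\S+):(?P<rid>\d+) realm (?P<realm>\d+) type (?P<type>\d+) user_pat_start (?P<pat>\d+)$"
)


def normalize(addr: str) -> str:
    """Render IPv4-mapped IPv6 (::ffff:a.b.c.d) as plain IPv4; other addresses unchanged."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def parse_dump(text: str) -> Dict[str, dict]:
    """Return {client_ip: attributes} for every host in the IP:USER section."""
    records: Dict[str, dict] = {}
    in_ip_user = False
    for raw in text.splitlines():
        line = raw.strip()
        if "IP:USER" in line:
            in_ip_user = True
            continue
        if "USER:GROUPS" in line:
            break  # group-membership section; not needed for an IP-to-user check
        if not in_ip_user:
            continue
        if (h := HOST_RE.match(line)):
            records.setdefault(normalize(h["host"]), {})
        elif (a := ATTR_RE.match(line)):
            rec = records.setdefault(normalize(a["host"]), {})
            rec.update(sgt=int(a["sgt"]), device_type=int(a["dev"]),
                       location_ip=normalize(a["loc"]))
        elif (r := REALM_RE.match(line)):
            rec = records.setdefault(normalize(r["host"]), {})
            rec.update(record_id=int(r["rid"]), realm=int(r["realm"]),
                       type=int(r["type"]), user_pat_start=int(r["pat"]))
    return records


def lookup(records: Dict[str, dict], addr: str) -> Optional[dict]:
    """Find a host by IPv4 or ::ffff: form, e.g. the client address seen in the engine debug."""
    return records.get(normalize(addr))


if __name__ == "__main__":
    for ip, rec in parse_dump(SAMPLE_DUMP).items():
        print(ip, rec)
```

Looking up the client address from the debug output (10.201.229.88) returns its mapping record, which answers the question the command is meant to settle: whether Snort holds an identity entry for that host at all.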