Wednesday, April 14, 2021

FMC Logging Missing Entries

I have found a problem with FMC logging on 6.6.1, and I'm wondering if anyone else has had the problem and maybe identified the root cause.

I was essentially troubleshooting what was blocking traffic from a particular server out to the internet. Looking at the connection events page, I saw (as I now know) some connection events and not others, but no blocks. Please note, I have an explicit deny [server ip range] any, with logging, directly after the rules associated with this server so that blocked traffic is logged.

I was convinced the FW wasn't blocking it, so I made a temporary rule:

permit hostX to any on the outside zone (tick log at beginning AND log at end of connection in the policy).

Got the user to access the address/port he said he couldn't access, and it worked. What bothers me is that I did not see the traffic even hitting the connection events page. So I did a capture w/Trace in the advanced troubleshooting section, and I was able to identify the traffic there instead. I added the missing rule (with both log at beginning and end of connection), disabled my temporary rule, and his connection works. However, I still do not see the connection event in Analysis > Connections > Event viewer.

This is a real big ball-ache for me as I don't have time to run captures to work out missing rules. Has anyone had this, and found a solution?
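The same checks from the FTD command line, as an added example that is not part of the original post. The host address (10.10.10.25), the interface names (inside/outside), the destination (203.0.113.5:443) and the capture name are assumed for illustration. The commands are the FTD diagnostic-CLI equivalents of the capture-with-trace the post describes, plus packet-tracer to see which access control rule a synthetic packet matches, and a dump of the deployed policy to compare rule logging settings against what the FMC GUI shows. Lines starting with "!" are annotations, not commands.

```text
! Drop from the FTD CLI into the ASA-style diagnostic CLI
> system support diagnostic-cli
firepower> enable
firepower# 

! Capture hostX's outbound HTTPS on its ingress interface with trace enabled
firepower# capture hostx interface inside trace match tcp host 10.10.10.25 any eq 443

! Generate the traffic from hostX, then confirm packets were seen
firepower# show capture hostx

! Show the trace for the first captured packet: the ACCESS-LIST phase names
! the access control rule the flow matched, and the SNORT phase gives the verdict
firepower# show capture hostx packet-number 1 trace

! Alternatively, trace a synthetic SYN without waiting for the user
firepower# packet-tracer input inside tcp 10.10.10.25 40000 203.0.113.5 443

! Dump the deployed access control policy and compare each rule's logging
! settings with what the policy editor in FMC shows for the same rule
firepower# show access-control-config

! Remove the capture when finished
firepower# no capture hostx
```

If the trace shows the flow matching the expected rule with an allow verdict but the deployed rule in show access-control-config does not carry the logging settings ticked in FMC, the policy deployment is the place to look rather than the event viewer; if the deployed rule does show logging, the gap is between the sensor and FMC and a support case with the capture and trace output attached is the next step.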
