If a device is not reporting usage, there are a number of possible causes.
This article will cover the common causes and how to resolve them.
Before going through these steps, we recommend that you verify that you have completed the steps to configure your device to log to the Data Collector, as described in our guides.
While most standalone firewalls use syslog, some can use Hit Counters, and Check Point devices use the Log Export API (LEA).
Our guides cover this in detail.
The guides are available from the User Center.
https://usercenter.firemon.com/Documentation
Collecting usage data is not required for Security Manager.
However, it provides useful information that can then be used to improve the firewall policy.
A device must have a normalized config before usage can be matched. If the device has retrieval or normalization exceptions, they must be resolved before usage will be collected.
NOTE: Usage data is sent from the Data Collector to the Application Server every 10 minutes by default.
In some cases it can take 2 to 3 Log Update Intervals (10 minutes each) for the usage data to be updated within the application.
If you have recently configured a device or updated its log settings, wait 20 to 30 minutes before making further changes.
Usage can be collected by the Data Collector using 3 different methods; some are specific to a device vendor.
The 3 methods for collecting usage data are:
Syslog - this is standard for most devices.
Hit Counter - an option for specific devices, for example Cisco ASA and Juniper SRX.
LEA - Log Export API, for Check Point devices only.
Syslog is the most common method for collecting usage from a device and is the method covered in this article.
The device must be configured to send its logs to the Data Collector (DC).
However, there are 3 different ways that syslog usage messages are matched to a device.
The simplest method is a 1 to 1 match: the syslog usage message arrives from a source address that matches the management IP address of the device, so the usage is attributed to that device.
The next method is alternate to 1. This is needed when the device sends its log messages from a source IP address that is different from the management IP address configured in Security Manager.
NOTE: This setup should be used for Cisco ASA Context devices. While they share a common management IP address that is used for retrievals, their syslog messages are sent from a unique IP address that is local to each Context.
This is the only case in which virtual firewalls are configured without a Central Syslog Server object.
The most complex syslog setup is many to 1. This is required when multiple devices send their logs via a single IP address, which is common for VDOM and VSYS devices, and whenever logs are relayed through another syslog server such as syslogd, rsyslog, syslog-ng, Splunk or Kiwi.
In this scenario, you must create a Central Syslog Server (CSS) object via the Administration page.
The CSS object must then be assigned to each device that sends its logs from that IP address.
The Syslog Match Names on each device are used to match the syslog messages to a specific device.
For Fortinet and Palo Alto devices, the serial number of the hardware device is used.
For Cisco devices, it may be the device hostname or IP address, depending on what is sent in the message.
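To make the three matching methods concrete, here is an added example that resolves a received syslog message to a device the way the rules above describe: by source address for 1 to 1, by the configured alternate address for ASA contexts, and by a Syslog Match Name found in the message body when the source is a Central Syslog Server. This is illustrative code written for this article, not FireMon code, and it does not reproduce the Data Collector's internal matching. The device names, addresses, serials and sample messages are constructed, and the identifier extraction assumes the usual log shapes (Fortinet devid="<serial>", Palo Alto CSV with the serial in the third field, Cisco ASA with the hostname before " : %ASA-" when logging device-id hostname is enabled); check with dcdebug what your devices actually send and adjust the patterns.

```python
"""Resolve a syslog usage message to a device using the three matching
methods: 1 to 1, alternate to 1, and many to 1 via a Central Syslog Server.

Added example, not FireMon code. Device names, addresses, serials and the
sample messages are constructed; the identifier patterns are assumptions
about common log formats, not a description of the Data Collector.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Device:
    name: str
    vendor: str                                 # "fortinet", "paloalto" or "cisco"
    management_ip: str                          # address used for retrievals
    alternate_syslog_ip: Optional[str] = None   # set for "alternate to 1"
    css_ip: Optional[str] = None                # Central Syslog Server address
    syslog_match_names: Tuple[str, ...] = ()    # serials / hostnames seen in logs


# Constructed inventory covering all three methods.
DEVICES = [
    # 1 to 1: a standalone ASA logging from its management address.
    Device("asa-edge", "cisco", "10.250.0.190"),
    # Alternate to 1: two ASA contexts share the admin management address
    # 10.250.0.180 but each logs from its own context interface address.
    Device("asa-ctx-dmz", "cisco", "10.250.0.180", alternate_syslog_ip="10.250.0.181"),
    Device("asa-ctx-web", "cisco", "10.250.0.180", alternate_syslog_ip="10.250.0.182"),
    # Many to 1: a VDOM, a VSYS and a branch ASA all relayed through one
    # syslog server (CSS 10.250.0.50), told apart by their Syslog Match Names.
    Device("fgt-vdom-prod", "fortinet", "10.250.1.1", css_ip="10.250.0.50",
           syslog_match_names=("FG100ETK18000001",)),
    Device("pan-vsys1", "paloalto", "10.250.2.1", css_ip="10.250.0.50",
           syslog_match_names=("001606000001",)),
    Device("asa-branch", "cisco", "10.250.3.1", css_ip="10.250.0.50",
           syslog_match_names=("asa-branch",)),
]

# Assumed log shapes: Fortinet key=value with devid, ASA with device-id hostname.
_FORTINET_DEVID = re.compile(r'\bdevid="?([A-Za-z0-9_-]+)"?')
_ASA_HOSTNAME = re.compile(r"(\S+) : %ASA-\d-\d+:")


def identifier_from(payload: str, vendor: str) -> Optional[str]:
    """Pull the value a Syslog Match Name is compared against, per vendor."""
    if vendor == "fortinet":
        m = _FORTINET_DEVID.search(payload)
        return m.group(1) if m else None
    if vendor == "paloalto":
        fields = payload.split(",")          # assumed: serial is the third CSV field
        return fields[2].strip() if len(fields) > 3 else None
    if vendor == "cisco":
        m = _ASA_HOSTNAME.search(payload)
        return m.group(1) if m else None
    return None


def resolve_device(src_ip: str, payload: str, devices=DEVICES) -> Tuple[Optional[str], str]:
    """Return (device name, method) or (None, reason) for one received message."""
    # Many to 1: a CSS address is never a device itself, so anything received
    # from it must be disambiguated by a Syslog Match Name in the payload.
    members = [d for d in devices if d.css_ip == src_ip]
    if members:
        for d in members:
            ident = identifier_from(payload, d.vendor)
            if ident is not None and ident in d.syslog_match_names:
                return d.name, "many to 1 (match name %s)" % ident
        return None, "from CSS %s but no Syslog Match Name matched" % src_ip
    # Alternate to 1: an explicit alternate address identifies the device even
    # though its management address is shared with sibling contexts.
    for d in devices:
        if d.alternate_syslog_ip == src_ip:
            return d.name, "alternate to 1"
    # 1 to 1: only a device with no alternate and no CSS is matched by its
    # management address (a shared context management IP would be ambiguous).
    for d in devices:
        if d.management_ip == src_ip and d.alternate_syslog_ip is None and d.css_ip is None:
            return d.name, "1 to 1"
    return None, "no device is configured to log from %s" % src_ip


# Constructed (source IP, payload) pairs as the Data Collector would receive them.
SAMPLES = [
    ("10.250.0.190", "<166>%ASA-6-106100: access-list inside_access_in permitted tcp "
                     "inside/10.250.0.200(37980) -> ext-net/192.168.0.10(443) hit-cnt 1 "
                     "first hit [0x15616986, 0x2e6b9b14]"),
    ("10.250.0.181", "<166>%ASA-6-106100: access-list dmz_in permitted tcp "
                     "dmz/10.250.5.20(50012) -> outside/192.168.0.10(443) hit-cnt 1 "
                     "first hit [0x0a1b2c3d, 0x00000000]"),
    ("10.250.0.50", 'date=2021-08-30 time=04:06:49 devname="fgt1" devid="FG100ETK18000001" '
                    'vd="prod" type="traffic" subtype="forward" policyid=12 action="accept"'),
    ("10.250.0.50", "1,2021/08/30 04:06:49,001606000001,TRAFFIC,end,2049,2021/08/30 04:06:49,"
                    "10.250.6.10,192.168.0.10,0.0.0.0,0.0.0.0,allow-web,,,ssl,vsys1"),
    ("10.250.0.50", "<166>Aug 30 2021 04:06:49 asa-branch : %ASA-6-106100: access-list outside_in "
                    "permitted tcp inside/10.250.7.5(1000) -> outside/192.168.0.10(443) hit-cnt 1 "
                    "first hit [0x00000001, 0x00000002]"),
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(src, "->", resolve_device(src, payload))
```

The ordering matters: the CSS check runs first because a relay address must never be matched as a device, and a device with an alternate address is deliberately not matched by its management address, which is why a message arriving from the shared context management IP 10.250.0.180 resolves to nothing rather than to an arbitrary context.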
Verify messages arriving at the DC.
If you are still not getting usage, you can use this command on the Data Collector to confirm that messages are arriving.
tshark -nni any host x.x.x.x and port 514
where x.x.x.x is the IP address of the device you are checking.
This displays only traffic between the device and port 514, the default syslog port. If the device is configured to log to a different port, change the port in the filter to match.
All syslog messages from the device will be displayed, even if they are not used for usage matching.
Here is an example. These are usage messages; the device is 10.250.0.190 and the DC is 10.250.0.100.
148 75.207557028 10.250.0.190 → 10.250.0.100 Syslog 208 LOCAL4.INFO: %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(37980) -> ext-net/192.168.0.10(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n
149 76.216279065 10.250.0.190 → 10.250.0.100 Syslog 208 LOCAL4.INFO: %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(60724) -> ext-net/192.168.0.11(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n
150 77.228726509 10.250.0.190 → 10.250.0.100 Syslog 207 LOCAL4.INFO: %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(37578) -> ext-net/192.168.0.12(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n
151 78.235816144 10.250.0.190 → 10.250.0.100 Syslog 207 LOCAL4.INFO: %ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47274) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n
If no messages are arriving, then either the device is not configured to send its messages to the DC, or the syslog traffic is blocked between the device and the DC.
It is also possible that the messages are arriving from a different source IP address than the one you are filtering on, for example when they are relayed through another syslog server; capturing without the host filter will show this.
You can also view how the logs are processed by the Data Collector service with the dcdebug command:
dcdebug |grep x.x.x.x
where x.x.x.x is the IP address of the device.
dcdebug |grep 10.250.0.190
2021-08-30T04:06:49.551 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009R] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47416) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:50.563 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009S] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47418) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:51.590 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009T] from [10.250.0.190]: [<164>%ASA-4-106023: Deny tcp src inside:10.250.0.200/45130 dst ext-net:192.168.0.11/25 by access-group "inside_access_in" [0xbe9efe96, 0x0]\n]
2021-08-30T04:06:51.590 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009V] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(38134) -> ext-net/192.168.0.10(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n]
2021-08-30T04:06:52.597 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009W] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(60878) -> ext-net/192.168.0.11(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n]
2021-08-30T04:06:53.589 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009X] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(37732) -> ext-net/192.168.0.12(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:54.630 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009Y] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47428) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
The device IP address must appear in this initial part of the message; here it is 10.250.0.190:
Received message [m-3-009R] from [10.250.0.190]
If the IP address is matched elsewhere in the line, then it is a log message from another device that references the IP you are searching for.
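Because a plain grep on the address returns both kinds of line, it is worth parsing the dcdebug output rather than reading it by eye. The following is an added example written for this article, not FireMon code: it reads the Received message lines shown above plus one constructed line from a hypothetical second device, 10.250.0.55, whose log body mentions 10.250.0.190 as a destination, separates messages received from the address from lines that only mention it, counts the ASA message IDs per source, and decodes the leading <PRI> value so that the <166> prefix here and the LOCAL4.INFO label in the tshark output above can be seen to be the same thing.

```python
"""Parse dcdebug 'Received message' lines and separate messages received
FROM an address from lines that merely MENTION it.

Added example, not FireMon code. The line layout is the one shown in the
dcdebug output in this article; SAMPLE_DCDEBUG repeats those lines and adds
one constructed line from 10.250.0.55 whose body contains 10.250.0.190.
"""
import re
import sys
from collections import Counter
from typing import Dict, List, Optional, Tuple

_RECEIVED = re.compile(
    r"^(?P<ts>\S+) \[(?P<thread>[0-9a-f]+)\] DEBUG SyslogUdpServer - \[(?P<sid>\w+)\] "
    r"Received message \[(?P<mid>[^\]]+)\] from \[(?P<src>[0-9.]+)\]: \[(?P<body>.*)\]$"
)
_PRI = re.compile(r"^<(\d{1,3})>")
_ASA_ID = re.compile(r"%ASA-\d-\d+")

# Syslog facility/severity names: PRI = facility*8 + severity, so <166> is
# 20*8 + 6 = LOCAL4.INFO, the label tshark printed for the same messages.
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "AUDIT", "ALERT", "CLOCK"] + \
             ["LOCAL%d" % i for i in range(8)]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one 'Received message' line, or None for other output."""
    m = _RECEIVED.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def decode_pri(body: str) -> Optional[Tuple[str, str]]:
    """Split the leading <PRI> of a syslog body into (facility, severity) names."""
    m = _PRI.match(body)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def classify(lines: List[str], ip: str) -> Dict[str, List[str]]:
    """Message IDs actually received from `ip` versus lines that only mention it."""
    out: Dict[str, List[str]] = {"from_device": [], "mentions_only": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # not a 'Received message' line
        if rec["src"] == ip:
            out["from_device"].append(rec["mid"])
        elif ip in rec["body"]:
            out["mentions_only"].append(rec["mid"])
    return out


def asa_message_ids(lines: List[str], ip: str) -> Counter:
    """Count Cisco ASA message IDs received from `ip` (106100 is the ACL hit log)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] == ip:
            m = _ASA_ID.search(rec["body"])
            if m:
                counts[m.group(0)] += 1
    return counts


# The dcdebug lines from this article, plus one constructed line (m-3-009Z) from
# another device whose body mentions 10.250.0.190 only as a destination address.
SAMPLE_DCDEBUG = r"""
2021-08-30T04:06:49.551 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009R] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47416) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:50.563 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009S] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47418) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:51.590 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009T] from [10.250.0.190]: [<164>%ASA-4-106023: Deny tcp src inside:10.250.0.200/45130 dst ext-net:192.168.0.11/25 by access-group "inside_access_in" [0xbe9efe96, 0x0]\n]
2021-08-30T04:06:51.590 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009V] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(38134) -> ext-net/192.168.0.10(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n]
2021-08-30T04:06:52.597 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009W] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(60878) -> ext-net/192.168.0.11(443) hit-cnt 1 first hit [0x15616986, 0x2e6b9b14]\n]
2021-08-30T04:06:53.589 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009X] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(37732) -> ext-net/192.168.0.12(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:54.630 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009Y] from [10.250.0.190]: [<166>%ASA-6-106100: access-list inside_access_in permitted tcp inside/10.250.0.200(47428) -> ext-net/192.168.0.11(80) hit-cnt 1 first hit [0x15616986, 0x6ac714d8]\n]
2021-08-30T04:06:55.001 [7f2bd77fe700] DEBUG SyslogUdpServer - [40VH9C] Received message [m-3-009Z] from [10.250.0.55]: [<166>%ASA-6-106100: access-list outside_in permitted tcp outside/192.168.0.30(51000) -> inside/10.250.0.190(22) hit-cnt 1 first hit [0x00000000, 0x00000000]\n]
""".strip().splitlines()

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "10.250.0.190"
    # With no piped input the embedded sample is used; otherwise read dcdebug output.
    lines = SAMPLE_DCDEBUG if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print("received from %s:" % target, classify(lines, target))
    print("ASA message IDs:", dict(asa_message_ids(lines, target)))
    first = parse_line(lines[0])
    if first:
        print("facility/severity of first message:", decode_pri(first["body"]))
```

Against live output, run it as "dcdebug | python3 dcdebug_check.py 10.250.0.190" (the script name is just a suggestion). The from_device list is the one that matters for usage matching; a long mentions_only list with an empty from_device list is the symptom of filtering on an address the device does not actually log from.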
Each Data Collector has reports that can provide more information about its operations.
You can review three related to Syslog Usage with these commands:
fmos logview --no-pager /var/log/firemon/dc/reports/syslogMessagesReport.txt
fmos logview --no-pager /var/log/firemon/dc/reports/usageReport.txt
fmos logview --no-pager /var/log/firemon/dc/reports/usageMatchingReport.txt
If you are not sending syslog messages to the Data Collector, or the device is not passing any traffic, the device Health status will show a warning for Usage.
You can disable Log Monitoring for that device to remove the warning.
If you are still having usage collection issues, please open a Support ticket for further assistance.