Cisco Defense Orchestrator

Troubleshooting Using Security and Analytics Logging Events

Here is a basic framework you can use to troubleshoot network problems using the Events Viewer.

This scenario assumes that your network operations team has had a report that a user can't access a resource on the network. Based on the user reporting the issue and their location, the network operations team has a reasonable idea of which firewall controls their access to resources.

Note: This scenario also assumes that a Firepower Threat Defense (FTD) device is the firewall managing the network traffic. Security Analytics and Logging does not collect logging information from other device types.

  1. In the navigation pane, click Monitoring > Event Logging.
  2. Click the Historical tab.
  3. Start filtering events by Time Range. By default, the Historical tab shows the last hour of events. If that is the correct time range, enter the current date and time as the End time. If that is not the correct time range, enter a start and end time encompassing the time of the reported issue.
  4. Enter the IP address of the firewall that you suspect is controlling the user's access in the Sensor ID field. If it could be more than one firewall, filter events using attribute:value pairs in the search bar. Make two entries and combine them with an OR statement. For example: SensorID:192.168.10.2 OR SensorID:192.168.20.2.
  5. Enter the user's IP address in the Source IP field in the Events filter bar.
  6. If the user can't access a resource, try entering that resource's IP address in the Destination IP field.
  7. Expand the events in the results and look at their details. Here are some details to look at:
  • AC_RuleAction - The action taken (Allow, Trust, Block) when the rule was triggered.
  • FirewallPolicy - The policy in which the rule that triggered the event resides.
  • FirewallRule - The name of the rule that triggered the event. If the value is Default Action, then it was the default action of the policy that triggered the event and not one of the rules in the policy.
  • UserName - The user associated with the initiator IP address. The Initiator IP address is the same as the Source IP address.
  8. If the rule action is preventing access, look at the FirewallRule and FirewallPolicy fields to identify the rule in the policy that is blocking access.
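The same triage (time range, the SensorID OR search, Source/Destination IP filters, then reading AC_RuleAction, FirewallPolicy and FirewallRule) applied offline to a few constructed event records, as an added example that is not Cisco's code; the record layout and ISO timestamp format are assumptions, only the field names come from the page.

```python
# Added example (not Cisco's code): the triage steps above applied offline to
# CONSTRUCTED event records. Field names follow the page; layout/timestamps are assumed.
from datetime import datetime

FIELDS = ("Timestamp", "SensorID", "SourceIP", "DestinationIP",
          "AC_RuleAction", "FirewallPolicy", "FirewallRule", "UserName")
EVENTS = [dict(zip(FIELDS, row)) for row in (  # constructed sample data, not real logs
    ("2024-05-01T10:05:00", "192.168.10.2", "10.1.1.25", "10.2.2.80",
     "Block", "Branch-Policy", "Deny-Guest-To-Servers", "jdoe"),
    ("2024-05-01T10:06:00", "192.168.20.2", "10.1.1.25", "10.2.2.80",
     "Block", "HQ-Policy", "Default Action", "jdoe"),
    ("2024-05-01T09:00:00", "192.168.10.2", "10.1.1.25", "10.2.2.80",
     "Allow", "Branch-Policy", "Allow-Web", "jdoe"),        # before the time range
    ("2024-05-01T10:07:00", "192.168.30.2", "10.1.1.99", "10.2.2.80",
     "Trust", "DMZ-Policy", "Trust-Backup", "svc-backup"),  # other sensor and user
)]

def parse_filter(expr):
    """Parse the search-bar form 'Field:value OR Field:value' into (field, value) pairs."""
    parts = [t.strip().partition(":") for t in expr.split(" OR ")]
    if any(not (f and sep and v) for f, sep, v in parts):
        raise ValueError(f"bad attribute:value term in {expr!r}")
    return [(f, v) for f, _, v in parts]

def query(events, start, end, search="", **exact):
    """Steps 3-6: inclusive time range, optional OR search, exact-match field filters."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    terms = parse_filter(search) if search else []
    return [e for e in events
            if t0 <= datetime.fromisoformat(e["Timestamp"]) <= t1
            and all(e.get(k) == v for k, v in exact.items())
            and (not terms or any(e.get(f) == v for f, v in terms))]

def blocking_rules(events):
    """Step 8: policy and rule behind each Block; 'Default Action' means no rule matched."""
    out = []
    for e in events:
        if e["AC_RuleAction"] == "Block":
            rule = e["FirewallRule"]
            out.append((e["SensorID"], e["FirewallPolicy"],
                        "default action" if rule == "Default Action" else rule))
    return out

if __name__ == "__main__":
    hits = query(EVENTS, "2024-05-01T10:00:00", "2024-05-01T11:00:00",
                 search="SensorID:192.168.10.2 OR SensorID:192.168.20.2",
                 SourceIP="10.1.1.25", DestinationIP="10.2.2.80")
    for sensor, policy, rule in blocking_rules(hits):
        print(f"{sensor}: blocked by {policy} / {rule}")
```

With the sample data, the two in-range events for the user are both blocks: one by a named rule, one by a policy's default action, which is the case the FirewallRule note above warns about.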