Is your Cisco FTD’s Sending IPS Events to your FMC? Are you receiving them all?

Not receiving IPS events on your FMC or not sure you are receiving them all? In this blog post, I’ll discuss the detection_engines, and the sftunnel and sfdatacorrelator FTD commands.

I know what you’re thinking: “No IPS events! Woo Hoo! I’m in the clear!” But are you? I had one customer tell me, and somehow he was serious: “Im so good, people are afraid to attack my network!“….uhm, okay, pal.

Unfortunately  there is not a command  we can run on the FTD to show the last day or days’ worth of IPS events. However, we can figure out if sensor is sending up-to-the-minute events to the FMC by logging into the FTD console and running these commands:

1. Connect to the FTD Management IP address using SSH or console connection. 

2. Issue the command expert 

3. Issue the command sudo su 

4. When prompted, enter your password. 

5. Issue the Command

Ls -lha /var/sf/detection_engines/221a35a4-6b7d-11eb-a196-4feda4364b2c/instance-1|grep bookmark

-rw——-  1 root    root    256 Sep 27 20:07 ids_forward.2ef35c00-4ef5-11eb-ba43-3be45e5cf8d0.bookmark

-rw——-  1 root    root    256 Sep 27 20:07 ids_forward.a4b236a4-af80-11e7-8fb9-67c1e83311a0.bookmark

-rw-r–r–  1 root    root     16 Sep 14 13:41 snort-unified.log.bookmark.consumer.SSEConnector

-rw-r–r–  1 root    root     23 Sep 27 20:04 ssl-certs-unified.log.bookmark.2ef35c00-4ef5-11eb-ba43-3be45e5cf8d0

-rw-r–r–  1 root    root     23 Sep 27 20:04 ssl-certs-unified.log.bookmark.a4b236a4-af80-11e7-8fb9-67c1e83311a0

-some output cut-

[email protected]:/home/admin#

…and now we see the current events which should correlate with your FMC…if not, restart your “sftunnel” with the following command from expert mode:

pmtool restartbyid sftunnel

Then check again, and if you still don’t have events, restart the sfdatacorrelator with the following commands:

[email protected]\\-Sourcefire3D:/var/sf/user_enforcement# -db mdb -e “select count(*) from rna_client_app_map;”


if that doesn’t work call Cisco, or upgrade to Palo Alto…no, just kidding! :).

Leave a Reply

Your email address will not be published. Required fields are marked *