Cisco Firepower - Device Rule Issues Troubleshooting Tips
Case 1:
Device rule add failed because of read-only user credentials.
How to confirm:
Method 1:
- Log in to the device with a PuTTY console,
- Paste the commands below into the PuTTY console:
- show access-list
- show running-config
- show startup-config
- If the pasted commands are echoed back without spaces, as below, the user is read-only:
- showaccess-list
- showrunning-config
- showstartup-config
Method 2:
- Open the "OpManager\logs\opm\nmsout_0.txt" file in Notepad++,
- Find the "CLISession syncSend(): Writing the message:" entry and note the command it carries, for example:
- [16:24:30:212]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Writing the message: show running-config
- Then find the matching "CLISession syncSend(): Got the response" entry for that command:
- [16:27:31:245]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Got the response showrunning-config
- If the command echoed in the response contains no spaces, the user is read-only.
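The Method 2 check can be automated over the nmsout log. The script below is an added example, not part of this article or of Firewall Analyzer: it pairs each "Writing the message" entry with the next "Got the response" entry on the same thread id and flags responses that echo the command with its spaces removed. The log lines it runs on are a constructed sample in the same shape as the entries shown above.

```python
import re

# Shape of the CLISession lines in OpManager\logs\opm\nmsout_0.txt:
# [time]|[date]|[logger]|[level]|[thread]: CLISession syncSend(): Writing the message: <command>
# [time]|[date]|[logger]|[level]|[thread]: CLISession syncSend(): Got the response <echo>
LINE_RE = re.compile(
    r"^\[?(?P<time>[\d:]+)\]\|\[(?P<date>[\d-]+)\]\|\[[^\]]+\]\|\[\w+\]\|\[(?P<thread>\d+)\]: "
    r"CLISession syncSend\(\): (?P<kind>Writing the message:|Got the response) ?(?P<body>.*)$"
)

# Constructed sample: thread 155 echoes the command with its spaces stripped,
# thread 201 echoes it intact.
SAMPLE_LOG = """\
[16:24:30:212]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Writing the message: show running-config
[16:24:31:100]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[201]: CLISession syncSend(): Writing the message: show access-list
[16:24:31:900]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[201]: CLISession syncSend(): Got the response show access-list
[16:27:31:245]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Got the response showrunning-config
"""


def find_stripped_echoes(log_text):
    """Pair each 'Writing the message' entry with the next 'Got the response' on the
    same thread and report whether the device echoed the command with its spaces
    removed (the read-only indicator this article describes)."""
    pending = {}   # thread id -> command last written on that thread
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        thread, body = m["thread"], m["body"].strip()
        if m["kind"].startswith("Writing"):
            pending[thread] = body
            continue
        sent = pending.pop(thread, None)
        if sent is None or " " not in sent:
            continue   # no command to compare, or nothing for the device to strip
        collapsed = sent.replace(" ", "")
        findings.append({
            "thread": thread,
            "command": sent,
            "echo": body,
            "spaces_stripped": body.startswith(collapsed) and not body.startswith(sent),
        })
    return findings

def readonly_user_suspected(log_text):
    """True when any paired command/response shows the space-stripped echo."""
    return any(f["spaces_stripped"] for f in find_stripped_echoes(log_text))
```

Run it against the real nmsout_0.txt by reading the file into a string and passing it to readonly_user_suspected.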
Solution:
- Ask the customer to provide the credentials of a different admin user and add the device rule again.
Case 2:
Device rule add failed because of read-only user credentials.
How to confirm:
- Log in to the device with a PuTTY console,
- Run the commands below in the PuTTY console:
- show access-list
- show running-config
- show startup-config
- If "show access-list", "show running-config" and "show startup-config" fail or return no data, run the "connect ftd" command and then run the same commands again:
- show access-list
- show running-config
- show startup-config
- If "show access-list", "show running-config" and "show startup-config" still fail or return no data, run the "system support diagnostic cli" command and then run the same commands again:
- show access-list
- show running-config
- show startup-config
- Once "show access-list", "show running-config" and "show startup-config" succeed, copy the command that made them work.
Solution:
For customers on build 124179 or newer:
- Go to the "Settings" > "Firewall Analyzer" > "Device Rule" page,
- Delete the failed device if it exists,
- Add the device rule, providing all mandatory values,
- Then select the "Addition" option on the device rule page and enter the copied working command, or the command below, in the "Pre Execution Command" field:
- connect ftd, system support diagnostic cli
- Check with the customer whether an enable command is available in their setup for the given user credentials; if so, ask the customer to enter it in the "Enable Command" field.
- Then add the device rule and check the status.
For customers on build 124178 or older:
- Go to the "Settings" > "Firewall Analyzer" > "Device Rule" page,
- Delete the failed device if it exists,
- Add the device rule, providing all mandatory values,
- Then select the "Addition" option on the device rule page and enter the copied working command, or the command listed above for newer builds, in the "Enable Command" field,
- Check with the customer whether a separate enable command is also needed in their setup for the given user credentials; if so, ask the customer to migrate to build 124179 or newer and follow the steps for newer builds.
- Otherwise, add the device rule and check the status.