Cisco Firepower - Device Rule Issues Troubleshooting Tips

Case 1:
Device rule add failed because of read-only user credentials.

How to confirm:
Method 1:
  1. Log in to the device through a PuTTY console session,
  2. Copy and paste the commands below into the PuTTY console:
    1. show access-list
    2. show running-config
    3. show startup-config
  3. If the pasted commands are echoed back with the spaces dropped, as below, the user is read-only:
    1. showaccess-list
    2. showrunning-config
    3. showstartup-config

Method 2:
  1. Open the "OpManager\logs\opm\nmsout_0.txt" file in Notepad++,
  2. Find the "CLISession syncSend(): Writing the message:" entry and note the command that was sent, e.g.:
    1. 16:24:30:212]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Writing the message: show running-config
  3. Then check the matching "CLISession syncSend(): Got the response" entry (same session id) for that command, e.g.:
    1. [16:27:31:245]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Got the response showrunning-config
  4. If the command echoed in the response has no spaces, the user is read-only.
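The log check in Method 2 can be scripted instead of done by eye in Notepad++. The following is an added example written for this article, not OpManager or Firewall Analyzer code: it pairs each "Writing the message" entry with the "Got the response" entry of the same session id (the bracketed number before "CLISession") and flags a session as read-only when the echoed command equals the sent command with its spaces stripped. The sample log text is constructed to match the line format shown above; the regular expressions and the file-path handling are assumptions of this example.

```python
import re
import sys

# Constructed sample modelled on the nmsout_0.txt lines shown above.
# Session 155 echoes the command without spaces (read-only user);
# session 156 echoes it intact (user with sufficient privileges).
SAMPLE_LOG = """\
[16:24:30:212]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Writing the message: show running-config
[16:27:31:245]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[155]: CLISession syncSend(): Got the response showrunning-config
[16:28:02:001]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[156]: CLISession syncSend(): Writing the message: show access-list
[16:28:02:510]|[01-20-2020]|[com.adventnet.opmanager.nmsout]|[INFO]|[156]: CLISession syncSend(): Got the response show access-list
"""

# The session id is the bracketed number immediately before "CLISession".
WRITE_RE = re.compile(
    r"\|\[(?P<sid>\d+)\]: CLISession syncSend\(\): Writing the message: (?P<cmd>.+?)\s*$"
)
RESP_RE = re.compile(
    r"\|\[(?P<sid>\d+)\]: CLISession syncSend\(\): Got the response (?P<resp>.+?)\s*$"
)


def classify_sessions(log_text):
    """Return {session_id: {"command", "echo", "read_only"}} for every
    write/response pair found in the log text."""
    pending = {}   # session id -> last command written, awaiting its response
    results = {}
    for line in log_text.splitlines():
        m = WRITE_RE.search(line)
        if m:
            pending[m["sid"]] = m["cmd"].strip()
            continue
        m = RESP_RE.search(line)
        if m and m["sid"] in pending:
            cmd = pending.pop(m["sid"])
            echo = m["resp"].strip()
            # Read-only user: the device echoes the command with the spaces dropped.
            read_only = echo != cmd and echo == cmd.replace(" ", "")
            results[m["sid"]] = {"command": cmd, "echo": echo, "read_only": read_only}
    return results


def read_only_sessions(log_text):
    """Sorted list of session ids whose echo pattern indicates a read-only user."""
    return sorted(sid for sid, r in classify_sessions(log_text).items() if r["read_only"])


if __name__ == "__main__":
    # Usage: python check_readonly.py [path\to\nmsout_0.txt]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for sid, r in classify_sessions(text).items():
        verdict = "READ-ONLY" if r["read_only"] else "ok"
        print(f"session {sid}: sent {r['command']!r}, echoed {r['echo']!r} -> {verdict}")
```

Only the first line of each response is compared, which is exactly the echoed command; the rest of the device output, if the log contains it, is ignored.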

Solution:
  1. Ask the customer for the credentials of another user with admin privileges and use those when adding the device rule.


Case 2:
Device rule add failed because of read-only user credentials.

How to confirm:
  1. Log in to the device through a PuTTY console session,
  2. Execute the commands below in the PuTTY console:
    1. show access-list
    2. show running-config
    3. show startup-config
  3. If "show access-list", "show running-config" and "show startup-config" fail or return no data, execute the "connect ftd" command and then run the same commands again:
    1. show access-list
    2. show running-config
    3. show startup-config
  4. If "show access-list", "show running-config" and "show startup-config" still fail or return no data, execute the "system support diagnostic cli" command and then run the same commands again:
    1. show access-list
    2. show running-config
    3. show startup-config
  5. Once "show access-list", "show running-config" and "show startup-config" succeed, copy the command(s) that were needed to reach that mode.
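The escalation in steps 2 to 5 (default CLI, then "connect ftd", then "connect ftd" followed by "system support diagnostic cli") is a fixed sequence, so it can be expressed as a small function that returns the value to put in the "Pre Execution Command" field. This is an added example for this article, not Firewall Analyzer code. It assumes a caller-supplied `run(entry_cmds, show_cmd)` function that executes the mode-entry commands and then the show command over the customer's own transport and returns the output (empty or None on failure or no data); the `FakeFirepower` class is a constructed stand-in used only to exercise the logic offline.

```python
SHOW_COMMANDS = ("show access-list", "show running-config", "show startup-config")

# Mode-entry sequences in the order the article tries them.
MODE_ENTRY_SEQUENCES = (
    (),                                                   # default CLI, no entry command
    ("connect ftd",),                                     # step 3
    ("connect ftd", "system support diagnostic cli"),     # step 4
)


def find_pre_execution_command(run):
    """Try each mode-entry sequence until all three show commands return data.

    run(entry_cmds, show_cmd) -> output string, or "" / None on failure or no data.
    Returns the comma-separated "Pre Execution Command" value ("" when the show
    commands already work in the default CLI), or None if no sequence works.
    """
    for entry in MODE_ENTRY_SEQUENCES:
        outputs = [run(entry, cmd) for cmd in SHOW_COMMANDS]
        if all(outputs):          # every show command produced data in this mode
            return ", ".join(entry)
    return None


class FakeFirepower:
    """Constructed stand-in (hypothetical) for a device whose show commands only
    return data after a particular mode-entry sequence."""

    def __init__(self, working_sequence):
        self.working_sequence = tuple(working_sequence)
        self.calls = []   # record of (entry, cmd) attempts, useful when debugging

    def run(self, entry, cmd):
        self.calls.append((tuple(entry), cmd))
        if tuple(entry) == self.working_sequence:
            return f"<constructed output of {cmd}>"
        return ""         # "failed or no data" case from the article


def demo():
    """Device that needs both commands: the result matches the field value the
    article gives, "connect ftd, system support diagnostic cli"."""
    device = FakeFirepower(("connect ftd", "system support diagnostic cli"))
    return find_pre_execution_command(device.run)


if __name__ == "__main__":
    print(repr(demo()))
```

When the function returns "", the show commands already work in the default CLI and Case 2 does not apply; a None result means none of the three modes yielded data and the credentials themselves should be checked (see Case 1).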

Solution:
For customers on build 124179 or newer:
  1. Go to the "Settings" > "Firewall Analyzer" > "Device Rule" page,
  2. Delete the failed device entry if one exists,
  3. Add the device rule, providing all mandatory values,
  4. Select the "Addition" option on the device rule page and enter the copied command, or the command below, in the "Pre Execution Command" field:
    1. connect ftd, system support diagnostic cli
  5. Check with the customer whether an enable command is available for the given user credentials in their setup; if so, ask them to provide it in the "Enable Command" field.
  6. Add the device rule and check its status.

For customers on build 124178 or older:
  1. Go to the "Settings" > "Firewall Analyzer" > "Device Rule" page,
  2. Delete the failed device entry if one exists,
  3. Add the device rule, providing all mandatory values,
  4. Select the "Addition" option on the device rule page and enter the copied command, or the same "connect ftd, system support diagnostic cli" command as above, in the "Enable Command" field,
  5. Check with the customer whether any other enable command is needed for the given user credentials in their setup; if so, ask them to upgrade to build 124179 or newer and follow the steps above.
  6. Otherwise, add the device rule and check its status.
