Deciding how to configure Access Control List (ACL) logging on your Firepower Threat Defense firewall can be confusing. The Cisco configuration guide on connection logging is clear and straightforward.
Two quick Cisco Firepower Access Control List logging best practices:
- Log at the end of connection for allowed traffic and at the beginning of connection for blocked traffic.
You gather much more connection and event data when you log at the end of a connection (byte counts, duration, and the final verdict are only known then). Logging at the beginning of the connection leaves your logs looking half done and feeble.
- You cannot log TCP connections unless the three-way handshake is completed.
The configuration guide puts it this way:
"You cannot log: TCP connections if the three-way handshake is not completed. These connections are not logged as doing so would provide an opportunity for a denial-of-service attack against your Firepower deployment."
(Firepower Management Center Configuration Guide, Version 6.2)
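To make the first best practice concrete, here is an added example (not from the Cisco guide or this post) that runs over a handful of constructed connection events and shows what an analyst actually gets from each logging choice: blocked traffic appears only as a start record, an allowed start record carries no volume data, and only the allowed end record has the byte counts and duration worth keeping. The key=value format and the field names (EventType, Action, InitiatorBytes, ResponderBytes, Duration) are assumptions for this example; map them to whatever your own Firepower export emits. It also encodes the handshake caveat above as a comment: a connection that never completed the three-way handshake produces no record at all, so an empty search is not proof that nothing arrived.

```python
import re
from typing import Dict, List

# Constructed sample connection events in a generic key=value syslog style.
# Field names (EventType, Action, InitiatorBytes, ...) are assumptions for
# this example; map them to the fields your own Firepower export emits.
SAMPLE_LOGS = [
    # Blocked traffic: only a start-of-connection record exists.
    "EventType=ConnectionStart Action=Block SrcIP=203.0.113.10 DstIP=192.0.2.5 DstPort=445 Proto=tcp",
    # Allowed traffic logged at both ends: the start record carries no volume data.
    "EventType=ConnectionStart Action=Allow SrcIP=192.0.2.20 DstIP=198.51.100.7 DstPort=443 Proto=tcp",
    "EventType=ConnectionEnd Action=Allow SrcIP=192.0.2.20 DstIP=198.51.100.7 DstPort=443 Proto=tcp Duration=12 InitiatorBytes=1532 ResponderBytes=48210",
    "EventType=ConnectionEnd Action=Allow SrcIP=192.0.2.21 DstIP=198.51.100.9 DstPort=53 Proto=udp Duration=0 InitiatorBytes=64 ResponderBytes=128",
    "EventType=ConnectionStart Action=Block SrcIP=203.0.113.11 DstIP=192.0.2.5 DstPort=3389 Proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict of field -> raw string."""
    return dict(KV_RE.findall(line))


def summarize(lines: List[str]) -> Dict[str, object]:
    """Report what each logging choice actually yields for an analyst.

    - blocked traffic shows up only as start records (no volume, by design)
    - allowed start records carry no byte/duration data
    - allowed end records carry the byte counts and duration worth keeping
    Connections that never completed a TCP handshake are absent entirely
    (Firepower does not log them), so a missing entry is not evidence that
    no packets arrived; use Packet Tracer on the interface for those.
    """
    blocked_ports: List[int] = []
    allowed_end = 0
    allowed_start_without_volume = 0
    total_bytes = 0
    for line in lines:
        ev = parse_event(line)
        action = ev.get("Action")
        etype = ev.get("EventType")
        if action == "Block" and etype == "ConnectionStart":
            blocked_ports.append(int(ev["DstPort"]))
        elif action == "Allow" and etype == "ConnectionEnd":
            allowed_end += 1
            total_bytes += int(ev.get("InitiatorBytes", 0)) + int(ev.get("ResponderBytes", 0))
        elif action == "Allow" and etype == "ConnectionStart":
            # A start record for allowed traffic is the "half done" log entry:
            # the session exists but nothing about its size or outcome is known.
            if "InitiatorBytes" not in ev and "ResponderBytes" not in ev:
                allowed_start_without_volume += 1
    return {
        "blocked_start_events": len(blocked_ports),
        "blocked_dst_ports": blocked_ports,
        "allowed_end_events": allowed_end,
        "allowed_total_bytes": total_bytes,
        "allowed_start_without_volume": allowed_start_without_volume,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the summary over the constructed sample; pointing it at a real syslog export only requires adjusting the field names in `summarize` to match your deployment.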
Use the Packet Tracer against the suspected interface to find dropped traffic.