Cisco Firepower Access Control List Best Practices: Logging

Deciding how to configure Access Control List logging on your Firepower Threat Defense firewall can be confusing. The Cisco configuration guide on connection logging, however, is clear and straightforward.

Two quick Cisco Firepower Access Control List logging best practices:


  1. Log end-of-connection events for allowed traffic and beginning-of-connection events for blocked traffic.

If you have a choice between beginning and end-of-connection logging, enable end-of-connection logging. This is because end-of-connection logs information from beginning-of-connection events, as well as information gathered over the duration of the session.

Firepower Management Center Configuration Guide, Version 6.2

You gather much more connection and event data when you log at the end of the connection. Logging at the beginning of the connection will leave your logs looking half done and feeble.


  2. You cannot log TCP connections unless the three-way handshake is completed.

You cannot log:

TCP connections if the three-way handshake is not completed.

These connections are not logged as doing so would provide an opportunity for a denial-of-service attack against your Firepower deployment.

Firepower Management Center Configuration Guide, Version 6.2

Because these connections never appear in the connection events, use Packet Tracer against the suspected interface to find the dropped traffic.
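To check whether a deployment actually follows the first best practice, the following added script (not from this post or from Cisco) audits exported connection-event syslog lines: allowed traffic should arrive as end-of-connection events and blocked traffic as beginning-of-connection events. It assumes the FTD 6.3+ syslog layout, where message ID 430002 is a beginning-of-connection event, 430003 an end-of-connection event, and fields are written as "Key: Value, Key: Value"; the sample lines are constructed.

```python
import re

# Constructed sample FTD connection-event syslog lines (not from the post).
# Message IDs 430002 (beginning) / 430003 (end) and the field names are an
# assumption about the FTD 6.3+ syslog format; adjust to your exports.
SAMPLE_SYSLOG = """\
<166>%FTD-6-430003: SrcIP: 10.1.1.5, DstIP: 93.184.216.34, SrcPort: 51022, DstPort: 443, Protocol: tcp, AccessControlRuleAction: Allow, AccessControlRuleName: Allow-Web, ConnectionDuration: 12, InitiatorBytes: 2048, ResponderBytes: 51200
<166>%FTD-6-430002: SrcIP: 10.1.1.7, DstIP: 203.0.113.9, SrcPort: 40512, DstPort: 23, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Block-Telnet
<166>%FTD-6-430002: SrcIP: 10.1.1.8, DstIP: 198.51.100.4, SrcPort: 40700, DstPort: 80, Protocol: tcp, AccessControlRuleAction: Allow, AccessControlRuleName: Allow-Web
<166>%FTD-6-430003: SrcIP: 10.1.1.9, DstIP: 198.51.100.5, SrcPort: 40800, DstPort: 22, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Block-SSH, ConnectionDuration: 0, InitiatorBytes: 0, ResponderBytes: 0
"""

MSG_RE = re.compile(r"%FTD-\d-(\d{6}):\s*(.*)$")
STAGE = {"430002": "begin", "430003": "end"}  # assumed message IDs


def parse_event(line):
    """Return (stage, fields) for a connection-event line, else None."""
    m = MSG_RE.search(line)
    if not m or m.group(1) not in STAGE:
        return None  # intrusion/file/malware events or unrelated syslog
    fields = {}
    for part in m.group(2).split(", "):
        key, _, value = part.partition(": ")
        if key:
            fields[key.strip()] = value.strip()
    return STAGE[m.group(1)], fields


def audit_logging(text):
    """Count events per rule that break the guidance: allowed traffic
    logged at beginning of connection, blocked traffic logged at end."""
    findings = {}
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        stage, f = parsed
        action = f.get("AccessControlRuleAction", "")
        rule = f.get("AccessControlRuleName", "?")
        if action == "Allow" and stage == "begin":
            key = (rule, "allow-logged-at-beginning")
        elif action == "Block" and stage == "end":
            key = (rule, "block-logged-at-end")
        else:
            continue  # matches the best practice
        findings[key] = findings.get(key, 0) + 1
    return findings


if __name__ == "__main__":
    for (rule, issue), n in audit_logging(SAMPLE_SYSLOG).items():
        print(f"{rule}: {issue} ({n} event(s))")
```

Rules reported by the audit are the ones whose logging checkbox should be flipped in the access control policy.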
