Symptom
FDM: the Default Action's logging setting is not reflected on the LINA side
Conditions
Only when the FTD is managed locally (FDM)
Workaround
Create a manual block rule at the very end of the ACP with logging enabled.
Another workaround: whenever you edit the log-action on the default action, also make a change to the default rule-action in the same deployment:
To achieve default rule-action=DENY and log-action=LOG_BOTH:
1. change default rule-action=PERMIT and log-action=LOG_BOTH, deploy;
2. change default rule-action=DENY and log-action=LOG_BOTH, deploy
Further Problem Description
LINA:
vFDM66# show access-l
access-list NGFW_ONBOX_ACL line 5 remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL line 6 advanced deny ip any any rule-id 1 (hitcnt=0) 0x84953cae
Snort:
root@vFDM66:/ngfw/var/sf/detection_engines/f4ef4514-7939-11ea-99e9-b55da040a428# cat ngfw.rules
iab_mode Off
1 deny any any any any any any any any (log dcforward both)
# End rule 1
# End of AC rule.
root@vFDM66:/ngfw/var/sf/detection_engines/f4ef4514-7939-11ea-99e9-b55da040a428#
Because of this, no live event is shown for the default deny on FDM, and since LINA drops the traffic with no logging enabled, the events are not sent to syslog either.
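A small consistency check, added here as an example and not part of the bug record: it parses the two outputs shown above, finds the rule-id of the DefaultActionRule from the LINA ACL remark, and reports whether LINA and Snort agree on logging for that rule. The sample text is constructed from the outputs above; the LINA logging keyword is assumed to appear as "log" or "event-log" on the ACE.

```python
import re

# Constructed sample output, modelled on the bug record above: LINA carries
# the default-action ACE without any logging keyword, while Snort's
# ngfw.rules has "(log dcforward both)" for the same rule-id.
LINA_ACL = """\
access-list NGFW_ONBOX_ACL line 5 remark rule-id 1: L5 RULE: DefaultActionRule
access-list NGFW_ONBOX_ACL line 6 advanced deny ip any any rule-id 1 (hitcnt=0) 0x84953cae
"""

NGFW_RULES = """\
iab_mode Off
1 deny any any any any any any any any (log dcforward both)
# End rule 1
# End of AC rule.
"""

def default_rule_id(lina_acl):
    # The remark line names the DefaultActionRule together with its rule-id.
    m = re.search(r"remark rule-id (\d+): .*DefaultActionRule", lina_acl)
    return m.group(1) if m else None

def lina_logging(lina_acl, rule_id):
    # True when the ACE carrying that rule-id has a logging keyword.
    # Assumption: LINA renders it as "log" or "event-log" followed by options.
    for line in lina_acl.splitlines():
        if f"rule-id {rule_id} " in line and " remark " not in line:
            return re.search(r"(?:^|\s)(?:event-)?log\b", line) is not None
    return None  # rule-id not present in the ACL

def snort_logging(ngfw_rules, rule_id):
    # True when Snort's rule with that id carries a "(log ...)" option.
    for line in ngfw_rules.splitlines():
        if line.startswith(f"{rule_id} "):
            return "(log" in line
    return None

def check(lina_acl, ngfw_rules):
    # Summarise both sides; "consistent" is False in the situation the bug describes.
    rid = default_rule_id(lina_acl)
    lina, snort = lina_logging(lina_acl, rid), snort_logging(ngfw_rules, rid)
    return {"rule_id": rid, "lina_log": lina, "snort_log": snort,
            "consistent": lina == snort}

if __name__ == "__main__":
    print(check(LINA_ACL, NGFW_RULES))
```

On a real box, feed it the output of "show access-list" and the contents of ngfw.rules from the detection engine directory instead of the constructed strings.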