Sunday, August 5, 2018

Cisco FirePower 'system support firewall-engine-debug'

You can use the system support firewall-engine-debug command on a Cisco Firepower device to debug the traffic that hits your FMC access-control policy rules. It is the rough equivalent of the packet-tracer command on a Cisco ASA firewall. You can also narrow the debug down by IP protocol and by client (source) and server (destination) IP address and port.

> system

access-control          Change to Access-Control Mode
disable-http-user-cert  Disable HTTP User Cert
file                    Change to File Mode
generate-troubleshoot   Run troubleshoot
ldapsearch              Test LDAP configuration
lockdown-sensor         Remove access to bash shell
reboot                  Reboot the sensor
stig-compliance         STIG Compliance setting
support                 Change to System Support Mode - Only do this if directed by Support.

> system support

application-identification-debug         Generate application identification debug messages
bootloader                               Display bootloader information
capture-traffic                          Display traffic or save to specified file
debug-DAQ                                Debug for DAQ functionality
debug-DAQ-reset                          Reset DAQ debug configuration file
dump-table                               Dump specified database tables to common file repository
eotool                                   Change to Enterprise Object Tool Mode
file-malware-debug                       Generate file malware debug messages
firewall-engine-debug                    Generate firewall debug messages
firewall-engine-dump-user-identity-data  Generate a file containing the current state of user identity within the firewall
fstab                                    Display the file systems table
iptables                                 Display IP packet filter rules
network-options                          Display network options
nslookup                                 Look up an IP address or host name with the DNS servers
ntp                                      Show NTP configuration
partitions                               Display partition information
pigtail                                  Tail log files for debugging (pigtail)
ping                                     Ping a host to check reachability
platform                                 Display platform information
pmtool                                   Change to PMTool Mode
repair-table                             Repair specified database tables
rpms                                     Display RPM information
run-rule-profiling                       Run Rule Profiling
scsi                                     Show SCSI device information
set-arc-mode                             Set the Automatic Resource Configuration optimization mode
sftunnel-status                          Show sftunnel status
show-arc-mode                            Show the Automatic Resource Configuration optimization mode value
silo-drain                               Assists with Disk Management
ssl-debug                                Debugging for SSL functionality
ssl-debug-reset                          Reset SSL Debug configuration file
ssl-tuning                               Tune aspects of SSL functionality
ssl-tuning-reset                         Reset SSL Tuning configuration file
swap                                     Display swap information
tail-logs                                Tails the logs selected by the user
traceroute                               Find route to remote network
utilization                              Display current system utilization
view-files                               View files in the system

> system support firewall-engine-debug

Please specify an IP protocol: tcp
Please specify a client IP address: 172.16.37.2
Please specify a client port:
Please specify a server IP address:
Please specify a server port:
Monitoring firewall engine debug messages

172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 New session
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, svc 0, payload 0, client 0, misc 0, user 1843, url 
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 match rule order 1, 'TEST', action stpath
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 allow action
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, svc -1, payload -1, client -1, misc -1, user 2547, url

Press Ctrl+C to stop the debug on the Firepower device.

Caught interrupt signal
Exiting.

>
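The debug lines above follow a fixed shape (client-port > server-port, IP protocol number, AS and instance ids, then a message), which makes a saved capture easy to post-process. Below is an added example, not from this post or from Cisco, that parses that output in Python and reports per flow which access-control rule matched and the engine's final verdict, so a capture can be checked against what the policy is expected to do. It assumes only the line layout shown above and skips console chatter.

```python
import re
from collections import defaultdict

# One debug line: "<src>-<sport> > <dst>-<dport> <ipproto> AS <n> I <n> <message>"
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)-(?P<sport>\d+) > (?P<dst>[\d.]+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS \d+ I \d+ (?P<msg>.*)$"
)
RULE_RE = re.compile(r"match rule order (\d+), '([^']*)', action (\S+)")  # rule hit
VERDICT_RE = re.compile(r"^(\w+) action$")  # final verdict, e.g. "allow action"
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_line(line):
    """Return the flow 5-tuple and message for one debug line, or None for chatter."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto = int(m["proto"])
    flow = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
            IP_PROTO.get(proto, str(proto)))
    return {"flow": flow, "msg": m["msg"].rstrip()}

def summarize(lines):
    """Group lines per flow; record the matched rule and the engine's verdict."""
    flows = defaultdict(lambda: {"events": 0, "rule_order": None, "rule_name": None,
                                 "rule_action": None, "verdict": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # prompt text, "Monitoring ...", "Caught interrupt signal"
        f = flows[rec["flow"]]
        f["events"] += 1
        r = RULE_RE.search(rec["msg"])
        if r:
            f["rule_order"], f["rule_name"], f["rule_action"] = int(r[1]), r[2], r[3]
        v = VERDICT_RE.match(rec["msg"])
        if v:
            f["verdict"] = v[1]
    return dict(flows)

# Sample input: the five debug lines from the session above plus the closing console message
SAMPLE = """172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 New session
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, svc 0, payload 0, client 0, misc 0, user 1843, url
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 match rule order 1, 'TEST', action stpath
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 allow action
172.16.37.2-64016 > 76.13.28.196-443 6 AS 0 I 0 Starting with minimum 0, id 0 and SrcZone first with zones -1 -> -1, geo 0 -> 0, vlan 0, svc -1, payload -1, client -1, misc -1, user 2547, url
Caught interrupt signal"""
if __name__ == "__main__":
    for flow, info in summarize(SAMPLE.splitlines()).items():
        print(flow, info)
```

Feed it the output of a longer run (for example from capture saved with tee) to list every flow whose verdict or matched rule differs from what the policy should have produced.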