RE: pix firewall - failover and logging issues

[Scot Hartman <shartman () inflow com>]

I agree with Ken's summary of how the PIX handles the failover.

It uses the Serial connection for chasis information only and needs the LAN
connection if you want to make the HA stateful (not enough bandwidth
available via serial).  I typically use a dedicated crossover cable between
the firewalls for this.  

In the 6.2 code you now have the option to send the chassis information over
a LAN interface as well and ditch the serial cable.  You could use the same
interface the state information is going over.  I personally still run the
chasis information over the serial cable mostly because I have the serial
cable anyway and it'll still perform HA correctly even if one of the
state-link NICs dies.  But, hey, it's an option.

Make sure the firewall's can see each other at layer 2 on ALL interfaces.
They heartbeat all active interfaces on ip protocol 105.

For syslog, that's how we're logging via an inside interface.  They
currently only support a global logging level so you can't log a specific
line of your ACL that I've seen.  They're mentioning adding comments for
individual ACL lines in 6.3 so maybe logging per line is coming too.
Cranking the logging up doesn't seem to affect the firewall's CPU too bad,
but a busy firewall can sure hammer the inside link if you only have a small
pipe your trying to use to connect back to a central logging server ;) 

As for the level of code, upgrade it.  6.1(1) is definately out of date and
in need of changing...
http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml
and I seem to remember that version was vulnerable to an SNMP malformed
packet DOS, too.


Scot Hartman

"I love deadlines. I like the whooshing sound they make as they fly by."
    -  Douglas Adams



>   -----Original Message-----
>   From: Claussen, Ken [mailto:Ken () kccweb com]
>   Sent: Tuesday, February 04, 2003 5:37 PM
>   To: Luciano Z; firewall-wizards () honor icsalabs com
>   Subject: RE: [fw-wiz] pix firewall - failover and logging issues
>   
>   
>   The first answer is you are required to use LAN side 
>   failover communication to control the failover process. 
>   Each pair of interfaces must either be on the same dumb 
>   switch, a series of two switches with a crossover and a 
>   single VLAN, or a common VLAN on a layer 3 switch (not the 
>   best for security). In other words there must be 
>   communication between the corresponding network cards in 
>   the Primary and Standby units in order for Hello packets to 
>   be sent back and forth. When one of the Pixes fails to 
>   answer the Hello, the failover bundle begins a series of 
>   tests.  It determines if the network interface failed and 
>   if so it switches to the Secondary. It is important to make 
>   sure the interfaces are on a common network segment before 
>   configuring new subnets. The serial cable is used for 
>   sending the configuration and the control signals. When the 
>   primary determines it's interface has failed it passes 
>   control to the secondary. It is usually a good idea to 
>   disable Failover before making any changes which affect 
>   interface IP addresses. The command "Show Fail" will 
>   provide the current status of each interface on each Pix. 
>   Normal is good, other options may be Testing or Failed.  
>   About logging, Syslog is the way to go. Like previously 
>   mentioned Level 7 will provide all messages. Filtering of 
>   messages is best done at the syslog server. Kiwi provides a 
>   free Windows Syslog daemon www.kiwisyslog.com . If you 
>   purchase the full version it has an extensive filtering 
>   rule section. HTH. I have almost always logged at level 7 
>   and never seen significant performance degradation. SHOW 
>   CPU USAGE is an undocumented command to show utilization if 
>   you are concerned about performance.
>   
>   Ken Claussen MCSE(NT42K) CCNA CCA
>   "In Theory it should work as you describe, but the 
>   difference between theory and reality is the truth! For 
>   this we all strive"
>   
>   PS I Don't have my encoding set to UTF-8. It specifies 
>   Western European (windows) for Internet recipients.
>   
>   -----Original Message-----
>   From: Luciano Z [mailto:user_luciano () yahoo com br] 
>   Sent: Tuesday, January 28, 2003 2:03 PM
>   To: firewall-wizards () honor icsalabs com
>   Subject: [fw-wiz] pix firewall - failover and logging issues
>   
>   
>   
>   Hi!
>   
>   I have two questions about pix firewall for the list.
>   
>   The first one is directed to failover users. I´m using
>   a pix with version 6.1(1) software and with stateful
>   failover (I think this version needs update, right?).
>   From time to time I experiment lost of ssh connection
>   to the active pix because it have changed from active
>   state to standby state. I couldn´t find the reason for
>   this because we just checked the cables and it was
>   operating well before I create another subnet attached
>   to this firewall, changing the address of and unused
>   interface.
>   
>   In this situation I´m not using LAN based failover
>   (this version doesn´t support it) so the I have the
>   serial cable in place. Someone had some problem that
>   looks like my? Is it possible to start looging to the
>   syslog server just the messages related to failover
>   events?
>   
>   Second question, this is about logging of URL access.
>   I´ve read the pix could log the URLs accessed by the
>   users on a protected network. My question is about the 
>   performace impact of this feature. Anybody used this? What 
>   was the impression about it? And again: Is it possible to 
>   log just the events related to this?
>   
>   Well, thanks for your time!
>   
>   []
>   Luciano
>   
>   ____________________________________________________________
>   ___________
>   Busca Yahoo!
>   O serviço de busca mais completo da Internet. O que você 
>   pensar o Yahoo! encontra. http://br.busca.yahoo.com/ 
>   _______________________________________________
>   firewall-wizards mailing list firewall-wizards () honor icsalabs com
>   http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>   _______________________________________________
>   firewall-wizards mailing list
>   firewall-wizards () honor icsalabs com
>   http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>   
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards