Firewall Wizards mailing list archives
RE: pix firewall - failover and logging issues
From: Scot Hartman <shartman () inflow com>
Date: Tue, 4 Feb 2003 19:21:38 -0700
I agree with Ken's summary of how the PIX handles the failover. It uses the serial connection for chassis information only and needs the LAN connection if you want to make the HA stateful (not enough bandwidth available via serial). I typically use a dedicated crossover cable between the firewalls for this. In the 6.2 code you now have the option to send the chassis information over a LAN interface as well and ditch the serial cable. You could use the same interface the state information is going over. I personally still run the chassis information over the serial cable, mostly because I have the serial cable anyway and it'll still perform HA correctly even if one of the state-link NICs dies. But, hey, it's an option.

Make sure the firewalls can see each other at layer 2 on ALL interfaces. They heartbeat all active interfaces on IP protocol 105.

For syslog, that's how we're logging, via an inside interface. They currently only support a global logging level, so you can't log a specific line of your ACL that I've seen. They're mentioning adding comments for individual ACL lines in 6.3, so maybe logging per line is coming too. Cranking the logging up doesn't seem to affect the firewall's CPU too badly, but a busy firewall can sure hammer the inside link if you only have a small pipe you're trying to use to connect back to a central logging server ;)

As for the level of code, upgrade it. 6.1(1) is definitely out of date and in need of changing... http://www.cisco.com/warp/public/707/pix-multiple-vuln-pub.shtml and I seem to remember that version was vulnerable to an SNMP malformed-packet DoS, too.

Scot Hartman

"I love deadlines. I like the whooshing sound they make as they fly by." - Douglas Adams
-----Original Message-----
From: Claussen, Ken [mailto:Ken () kccweb com]
Sent: Tuesday, February 04, 2003 5:37 PM
To: Luciano Z; firewall-wizards () honor icsalabs com
Subject: RE: [fw-wiz] pix firewall - failover and logging issues

The first answer is you are required to use LAN-side failover communication to control the failover process. Each pair of interfaces must either be on the same dumb switch, a series of two switches with a crossover and a single VLAN, or a common VLAN on a layer 3 switch (not the best for security). In other words, there must be communication between the corresponding network cards in the Primary and Standby units in order for Hello packets to be sent back and forth. When one of the PIXes fails to answer the Hello, the failover bundle begins a series of tests. It determines if the network interface failed and if so it switches to the Secondary. It is important to make sure the interfaces are on a common network segment before configuring new subnets.

The serial cable is used for sending the configuration and the control signals. When the primary determines its interface has failed it passes control to the secondary. It is usually a good idea to disable failover before making any changes which affect interface IP addresses. The command "Show Fail" will provide the current status of each interface on each PIX. Normal is good; other options may be Testing or Failed.

About logging, syslog is the way to go. As previously mentioned, level 7 will provide all messages. Filtering of messages is best done at the syslog server. Kiwi provides a free Windows syslog daemon, www.kiwisyslog.com. If you purchase the full version it has an extensive filtering rule section. HTH. I have almost always logged at level 7 and never seen significant performance degradation. SHOW CPU USAGE is an undocumented command to show utilization if you are concerned about performance.
Ken Claussen MCSE(NT42K) CCNA CCA
"In theory it should work as you describe, but the difference between theory and reality is the truth! For this we all strive."

PS: I don't have my encoding set to UTF-8. It specifies Western European (Windows) for Internet recipients.

-----Original Message-----
From: Luciano Z [mailto:user_luciano () yahoo com br]
Sent: Tuesday, January 28, 2003 2:03 PM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] pix firewall - failover and logging issues

Hi! I have two questions about the PIX firewall for the list.

The first one is directed to failover users. I'm using a PIX with version 6.1(1) software and with stateful failover (I think this version needs an update, right?). From time to time I experience loss of the SSH connection to the active PIX because it has changed from active state to standby state. I couldn't find the reason for this because we just checked the cables, and it was operating well before I created another subnet attached to this firewall, changing the address of an unused interface. In this situation I'm not using LAN-based failover (this version doesn't support it), so I have the serial cable in place. Has anyone had a problem that looks like mine? Is it possible to start logging to the syslog server just the messages related to failover events?

Second question, this is about logging of URL access. I've read the PIX could log the URLs accessed by the users on a protected network. My question is about the performance impact of this feature. Has anybody used this? What was the impression about it? And again: is it possible to log just the events related to this?

Well, thanks for your time!

[] Luciano
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
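Ken's advice in the thread is to leave the PIX at a global logging level and filter at the syslog server, and Luciano asks whether he can keep only the failover events (and, separately, only the URL-access events). The script below is an added example of that collector-side filter; it is not code from the thread or from Cisco. It assumes only the "%PIX-<severity>-<message_id>: <text>" prefix that PIX syslog output carries. The sample log lines are constructed, and the 101001-105999 message-number block it uses to recognise failover events is an assumption to be checked against the syslog message reference for the PIX release in use; the keyword match is there as a fallback.

```python
"""Syslog-side filtering of PIX messages (added example; not code from the thread).

Assumes the "%PIX-<severity>-<message_id>: <text>" prefix of PIX syslog output.
The sample lines are constructed, and the message-number range used to
recognise failover events is an assumption to verify against the message
reference for the PIX release you run.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample input: failover, connection, ACL, URL and debug-level events,
# plus one non-PIX line to show it is dropped rather than mis-parsed.
SAMPLE_LINES: List[str] = [
    "Feb  4 19:21:38 pix1 %PIX-1-104001: (Primary) Switching to ACTIVE - Service card in other unit has failed.",
    "Feb  4 19:21:39 pix1 %PIX-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.10/51234 to inside:10.0.0.5/22",
    'Feb  4 19:21:40 pix1 %PIX-4-106023: Deny tcp src outside:192.0.2.11/4444 dst inside:10.0.0.5/23 by access-group "acl_out"',
    "Feb  4 19:21:41 pix1 %PIX-1-105005: (Primary) Lost Failover communications with mate on interface inside",
    "Feb  4 19:21:42 pix1 %PIX-5-304001: 10.0.0.7 Accessed URL 198.51.100.8:/index.html",
    "Feb  4 19:21:43 pix1 %PIX-7-710005: UDP request discarded from 10.0.0.9/137 to inside:10.0.0.255/137",
    "Feb  4 19:21:44 pix1 kernel: something that is not a PIX message",
]

PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Assumption: PIX failover messages live in the 101001-105999 block of message numbers.
FAILOVER_ID_RANGE: Tuple[int, int] = (101001, 105999)
# Fallback keywords in case a release numbers a failover message outside that block.
FAILOVER_KEYWORDS = ("failover", "switching to active", "switching to standby")


def parse_pix_line(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (severity, message_id, text), or None if the line is not a PIX message."""
    m = PIX_RE.search(line)
    if m is None:
        return None
    return int(m.group("sev")), int(m.group("id")), m.group("text")


def is_failover_event(msg_id: int, text: str) -> bool:
    """True when the message number is in the assumed failover block or the text says so."""
    lo, hi = FAILOVER_ID_RANGE
    if lo <= msg_id <= hi:
        return True
    lowered = text.lower()
    return any(k in lowered for k in FAILOVER_KEYWORDS)


def is_url_access_event(text: str) -> bool:
    """URL-access records carry 'Accessed URL' in their text."""
    return "accessed url" in text.lower()


def filter_lines(lines, max_severity: int = 7, failover_only: bool = False,
                 url_only: bool = False) -> List[str]:
    """Keep PIX lines at or below max_severity (0 is most severe, as with 'logging trap'),
    optionally narrowed to failover or URL-access events. Non-PIX lines are dropped."""
    kept: List[str] = []
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is None:
            continue
        sev, msg_id, text = parsed
        if sev > max_severity:
            continue
        if failover_only and not is_failover_event(msg_id, text):
            continue
        if url_only and not is_url_access_event(text):
            continue
        kept.append(line)
    return kept


def count_by_severity(lines) -> Dict[int, int]:
    """Message volume per severity: shows what each extra trap level adds to the inside link."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_pix_line(line)
        if parsed is not None:
            counts[parsed[0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("failover events only:")
    for entry in filter_lines(SAMPLE_LINES, failover_only=True):
        print("  ", entry)
    print("URL access only:")
    for entry in filter_lines(SAMPLE_LINES, url_only=True):
        print("  ", entry)
    print("messages per severity:", count_by_severity(SAMPLE_LINES))
```

Run it against a saved syslog file instead of SAMPLE_LINES and the severity histogram gives a quick answer to the bandwidth worry raised above: level 6 and 7 messages (per-connection and debug events) are what swamp a small inside link, while the failover and URL-access records Luciano wants are a tiny fraction of the volume.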
Current thread:
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 04)
- <Possible follow-ups>
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 05)
- RE: pix firewall - failover and logging issues Luciano Z (Feb 05)
- RE: pix firewall - failover and logging issues Claussen, Ken (Feb 05)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)
- RE: pix firewall - failover and logging issues Scot Hartman (Feb 06)
- RE: pix firewall - failover and logging issues Symon Thurlow (Feb 06)