Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Not getting all our denied logs from Cisco FWSM

From: Jason Gervia <jgervia () nc rr com>
Date: Wed, 06 Sep 2006 22:05:35 -0400
Kim Cary wrote:

While we're slogging through the beauracracy and shell game of our  
TAC case at Cisco, I thought I'd ask the list whether any of you have  
seen intermittent failures to send 106100 'denied' log entries from  
your FWSM. We're on 2.3(3). As it turns out, these entries our  
important to our operations and we're only getting about 10% of them.

We don't seem to be able to get around the deny-flow-max default of  
4096. One would think that when those flows are exceeded, you would  
just get the messages logged, wouldn't you? Am I missing something,  
or is the firewall just throwing these away. We don't want it to do  
that!!

I know Cisco is trying to not pass along a DOS here, but is there any  
way to get them to STOP holding my hand and just send the logs?

The really annoying thing is, we get 100% of our 'permitted' 106100,  
so I guess if someone is DOS-ing an open port they can get our syslog  
server 'dos-ed' too.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


  

Kim,

That's truly annoying - Cisco makes a lot of presumptions, security 
wise, on how things 'should' work to be secure.

That being said - a quick review of the deny-flow-max says that it 
tracks those flows (4096 max) over the log interval specified in your 
access list, so really you should consider it as a deny-flow-max of 4096 
messages / 5 minutes (log interval 300), if you are using the defaults.  
In theory, you could squeeze some more 106100 messages out of your 
firewall by decreasing the log interval on your deny statements in your 
access-list - there's bound to be some dead time when the firewall is 
tracking the deny flow but no packets are hitting that flow and it's 
just taking a spot that could be cleared for tracking a different deny 
flow. I suppose, in theory, you could set the interval to 1 and get a 
deny message for almost every single packet, but I hesitate to guess 
what that would do to your firewall and your logging infrastructure.  :)

Let us know if Cisco comes up with anything for you on getting around 
the deny-flow-max of 4096. 

I hope this helps!

--Jason



_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: