Firewall Wizards mailing list archives

RE: pix 501 logging question


From: "Paul Melson" <psmelson () comcast net>
Date: Mon, 7 Mar 2005 11:32:56 -0500

Nate,

From what I can see, you have your access-list configured correctly.  What
do your logging commands look like?  What version of PIX OS are you running?
The only thing I can think of off the top of my head is that you're not
seeing messages because the default interval (300s) is longer than you
anticipate.  You could modify that line of your config to use a smaller
interval and see if it makes a difference:

access-list inbound deny ip any any log 4 interval 10

Then your flows for that line would only last for 10s (but who cares since
it's a deny, right?), which would lead to more syslog data from persistent
dropped traffic, but make dropped traffic more 'visible.'  Also, the default
log level for access-list logging is 6, but if you can see one you should
see them all, so I doubt that's an issue.

You don't need to force the PIX to log these denials, though.  Packets that
are blocked by access-list are logged by default.  If you're using 'no
logging message' and then turning specific messages back on as a way of
filtering syslog data, then you will need to issue 'logging message 106023
level 4' (or whatever level is being sent to your syslog server) to see
these messages.  If you're filtering at the syslog server, then you're
probably getting these messages and will need to adjust your parsing as
appropriate to see them.

I recommend sticking with the default PIX syslog ID in your messages,
especially if they may end up going through a log analyzer like Sawmill or
eIQ.  Many of these programs (even some of the free Perl scripts) rely on
the message number to determine what kind of activity they're looking at.
Since 106100 is a generic syslog ID that corresponds to the 'access-list
log' command, your data would probably be off as a result.

PaulM
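Paul's point that log analyzers key on the syslog message number is worth seeing in code. The following is an added example, not from the thread and not Cisco's or any analyzer's code: a small parser that normalizes both message IDs discussed above (106100, the per-ACE 'log' message with its hit count and interval, and 106023, the default deny message) into one record shape, then totals denied hits per source. The 106100 layout is taken from the line Nate posted; the 106023 layout, including the ICMP variant with type/code in place of ports, is written from the PIX 6.3 documentation from memory and is an assumption here. All sample lines are constructed, with the masked octets from the post replaced by RFC 5737 documentation addresses.

```python
import re
from typing import Dict, Iterable, Optional

# Constructed sample syslog lines. The first mirrors the permitted-SMTP line
# from the thread; the rest are what the deny side could look like.
SAMPLE_LINES = [
    "Mar  2 12:47:14 192.0.2.1 Mar 02 2005 12:47:14: %PIX-4-106100: "
    "access-list inbound permitted tcp outside/203.0.113.7(27652) -> "
    "inside/198.51.100.25(25) hit-cnt 2 (300-second interval)",
    # Constructed: a denied flow after 'log 4 interval 10' is applied.
    "Mar  2 12:48:01 192.0.2.1 Mar 02 2005 12:48:01: %PIX-4-106100: "
    "access-list inbound denied udp outside/203.0.113.9(53212) -> "
    "inside/198.51.100.25(1434) hit-cnt 7 (10-second interval)",
    # Constructed: the default deny message (assumed PIX 6.3 format).
    "Mar  2 12:48:03 192.0.2.1 Mar 02 2005 12:48:03: %PIX-4-106023: "
    'Deny tcp src outside:203.0.113.9/40000 dst inside:198.51.100.25/445 '
    'by access-group "inbound"',
    # Constructed: ICMP variant of 106023 carries type/code, not ports.
    "Mar  2 12:48:04 192.0.2.1 Mar 02 2005 12:48:04: %PIX-4-106023: "
    'Deny icmp src outside:203.0.113.11 dst inside:198.51.100.25 '
    '(type 8, code 0) by access-group "inbound"',
    # Constructed: an unrelated connection-built message the parser must skip.
    "Mar  2 12:48:05 192.0.2.1 Mar 02 2005 12:48:05: %PIX-6-302013: "
    "Built inbound TCP connection 12 for outside:203.0.113.7/27652",
]

# 106100: emitted by an ACE carrying the 'log' keyword; one message per flow
# per interval, with the number of packets seen in that interval.
RE_106100 = re.compile(
    r"%PIX-(?P<sev>\d)-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<sif>[^/\s]+)/(?P<src>[^(\s]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>[^/\s]+)/(?P<dst>[^(\s]+)\((?P<dport>\d+)\) "
    r"hit-cnt (?P<hits>\d+) \((?P<interval>\d+)-second interval\)"
)
# 106023: the default deny message (format assumed from PIX 6.3 docs).
# Ports are optional so the ICMP form parses too.
RE_106023 = re.compile(
    r"%PIX-(?P<sev>\d)-106023: Deny (?P<proto>\w+) "
    r"src (?P<sif>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))? "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r'.*?by access-group "?(?P<acl>[^"\s]+)"?'
)


def parse_pix_acl_event(line: str) -> Optional[Dict[str, object]]:
    """Normalize a 106100 or 106023 line into one record; None otherwise."""
    m = RE_106100.search(line)
    if m:
        return {
            "msg_id": 106100,
            "severity": int(m["sev"]),
            "acl": m["acl"],
            "action": "deny" if m["action"] == "denied" else "permit",
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "hits": int(m["hits"]),
            "interval": int(m["interval"]),
        }
    m = RE_106023.search(line)
    if m:
        return {
            "msg_id": 106023,
            "severity": int(m["sev"]),
            "acl": m["acl"],
            "action": "deny",            # 106023 is only ever a deny
            "proto": m["proto"],
            "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
            "hits": 1,                   # one message per packet, no hit-cnt
            "interval": None,
        }
    return None


def count_denied_hits(lines: Iterable[str]) -> Dict[str, int]:
    """Denied hits per source address across both message IDs.

    106100 records contribute their hit-cnt, so a 10-second interval and a
    300-second interval stay comparable; each 106023 message counts as one.
    """
    totals: Dict[str, int] = {}
    for line in lines:
        rec = parse_pix_acl_event(line)
        if rec is None or rec["action"] != "deny":
            continue
        src = str(rec["src"])
        totals[src] = totals.get(src, 0) + int(rec["hits"])  # type: ignore[arg-type]
    return totals


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_pix_acl_event(sample))
    print(count_denied_hits(SAMPLE_LINES))
```

If the analyzer in front of the syslog server only knows 106023, the denied 106100 records produced by 'access-list ... deny ... log 4' are exactly the ones it will misclassify, which is the mismatch Paul warns about; normalizing on both IDs before filtering avoids it.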

-----Original Message-----
Subject: [fw-wiz] pix 501 logging question

Wizards,

I need some clarification on logging via syslog with a PIX-501 running
6.3(3).

I have an ACL called "inbound" bound to the outside interface.
When I append the following rule to "inbound", for some reason unsolicited
traffic isn't logged:

   access-list inbound deny ip any any log 4

The other elements which permit traffic seem to work as advertised. 
For example, I have this rule to permit access to my mail servers:

   access-list inbound permit tcp any object-group mx_hosts eq smtp log 4

and connections are logged to syslog that look like this:

Mar  2 12:47:14 192.xxx.xxx.xxx Mar 02 2005 12:47:14: %PIX-4-106100:
access-list inbound permitted tcp outside/205.206.xxx.xxx(27652) ->
inside/66.91.xxx.xxx(25) hit-cnt 2 (300-second interval)

Any suggestions on how to properly configure the PIX to log unsolicited
tcp/udp/icmp traffic on the outside (security0) interface?  I would like to
see PIX-4-106100 messages for the denied traffic.


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

