How do I monitor the activity on my PIX 501

Hello Experts,

I would like to know how to monitor what is being denied and allowed through my PIX 501 firewall.  I need to be more proactive about detecting network attacks and/or malicious activity hitting my network.

I have a PIX 501 firewall protecting a SBS 2003 server network.

I know enough about the PIX to get it configured and running with VPNs, basic access lists, and static statements, but that's about it.

Please help me understand how to monitor this device.  I would like a solution that is manageable as I cannot dedicate my efforts to 24/7 network monitoring.  I'm a one man shop.

Thanks in advance for your help!


Configure logging on the PIX and get the Kiwi Syslog Monitor (Free) from the net. Install the kiwi on a machine in your network and have PIX forward all the logging to this server. Done.

logging on
logging host <hostipwherekiwiisinstalled>

Once you play around with this, you can make it more appropriate based on the data you get.
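With the PIX forwarding to a syslog server, the stored messages can be summarised on a schedule instead of watched live. The script below is an added example, not part of the original answer; it assumes the syslog server writes one message per line to a text file, and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, shaped like PIX syslog lines as a syslog server might store them.
SAMPLE = '''\
Mar  1 10:00:01 192.168.1.1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4431 dst inside:192.168.1.10/3389 by access-group "outside_in"
Mar  1 10:00:02 192.168.1.1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/4432 dst inside:192.168.1.10/3389 by access-group "outside_in"
Mar  1 10:00:05 192.168.1.1 %PIX-4-106023: Deny udp src outside:198.51.100.9/53211 dst inside:192.168.1.10/1434 by access-group "outside_in"
Mar  1 10:00:09 192.168.1.1 %PIX-6-302013: Built inbound TCP connection 812 for outside:198.51.100.20/50122 (198.51.100.20/50122) to inside:192.168.1.10/25 (192.168.1.10/25)
Mar  1 10:00:11 192.168.1.1 %PIX-4-106023: Deny icmp src outside:203.0.113.7 dst inside:192.168.1.10 (type 8, code 0) by access-group "outside_in"
this line is not a PIX message
'''

# Every PIX message carries a tag of the form %PIX-<severity>-<message id>:
TAG = re.compile(r"%PIX-(\d)-(\d{6}): (.*)")
# 106023 = packet denied by an access list; ports are absent for ICMP.
DENY = re.compile(
    r"Deny (\S+) src (\S+?):([\d.]+)(?:/(\d+))? dst (\S+?):([\d.]+)(?:/(\d+))?"
)


def summarize(lines):
    """Count messages per severity, and ACL denies per source and per target service."""
    severity, sources, services = Counter(), Counter(), Counter()
    for line in lines:
        tag = TAG.search(line)
        if not tag:
            continue  # not a PIX message, skip it
        sev, msg_id, text = tag.groups()
        severity[int(sev)] += 1
        deny = DENY.match(text) if msg_id == "106023" else None
        if deny:
            proto, _, src_ip, _, _, dst_ip, dst_port = deny.groups()
            sources[src_ip] += 1
            services[(proto, dst_ip, dst_port)] += 1
    return {"severity": severity, "sources": sources, "services": services}


if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    for ip, n in report["sources"].most_common(5):
        print(f"{n:5d} denies from {ip}")
    for (proto, ip, port), n in report["services"].most_common(5):
        print(f"{n:5d} denies to {proto} {ip}:{port or '-'}")
```

The per-severity counts show how much of the log volume each logging level contributes, which helps when deciding how detailed a level to leave enabled.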


jamie177 (Author) Commented:
Thanks Rajesh!

I'll get this going and report back how it goes.


Sure. If you are also interested in seeing traffic patterns, you can use MRTG or PRTG and it works well (MRTG is free).


Keith Alabaster (Enterprise Architect) Commented:
Just as an aside, bear in mind that the logging will have an impact (potentially) on performance so don't forget to switch it off in due course.
jamie177 (Author) Commented:
Thanks for the input Keith.

Is there a way to monitor the system without impacting the performance?  We are a pretty low throughput shop, so I don't see that it will be an impact by leaving it on.

The point of monitoring would be to be proactive about network attacks and traffic patterns.  Keith you make it sound like logging is for troubleshooting issues, then you turn it off.

I'm a newbie at this stuff so by all means please educate me.


Keith Alabaster (Enterprise Architect) Commented:
Don't count this towards your answer as Rajesh has already given you that. This is simply as you have asked.

Yes, that is the predominant reason for logging; troubleshooting. Devices such as PIX are designed to spend all of their resources such as memory, CPU etc. on routing traffic through the correct interfaces subject to the meeting of the criteria set within the ACLs they are configured with. By switching on logging, that memory now has to process every packet that enters and leaves, store it (for the statistics), decide if it needs to keep it or do something with it etc. Logging can be set at differing levels from just critical conditions right the way through informational. The higher, more detailed the level, the greater the overhead to the PIX. A PIX 501 whilst a brilliant little unit does not have a great deal of memory to start with.... That said, if you have a very low usage requirement, you will likely be fine.

Conversely, products such as PRTG/MRTG and the like are running on separate boxes with their own CPU/memory so they carry the processing overhead. All the PIX has to do is to respond to the SNMP requests. This is still an overhead to the PIX but far less than logging does.

I'm sure Rajesh will back me up on this, he is the Cisco man; I'm ISA Server man ... lol

Lol :-) I sure agree Keith. It really depends on whether your PIX can take it or not? Keith's point was rather like if you are gonna use it continuously then make sure your PIX is not 'sad' about it.
