andreacadia
asked on
Tracking source packets on PIX
I have implemented an access list on my PIX firewall to only allow outbound traffic to port 25 ONLY from my email server in an effort to stop a workstation(s) that may be affected with an email virus/worm.
access-list outbound permit tcp host x.x.x.x any eq 25
access-list outbound deny tcp any any eq 25
access-list outbound permit ip any any
What is the best way to tell on the PIX side if excessive port 25 traffic is being denied from a particular host?
ASKER CERTIFIED SOLUTION
ASKER
The syslog daemon does not appear to be receiving any traps.
Did you set a trap level?
logg trap 7
Any firewall software on your syslog workstation?
ASKER
Executing the above command seems to have worked. Does this create excessive overhead on the PIX? Also, I am seeing a lot of traffic being logged instantly. We should only be logging traffic that is being denied on port 25, correct?
You will see lots of stuff being logged regardless.
No, it is not too much overhead for the PIX to handle.
You can create filters on the Kiwi syslog console to only see what you want.
You can also look at the hit counters on the access-list "show access-list" from the PIX command line.
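Added example, not part of the original thread: once the PIX is logging to a syslog server, the saved log can be reduced to a per-host count of denied port 25 attempts. It assumes the ACL denies appear as message 106023 in the form shown in the constructed sample lines; the function names, addresses and threshold are illustrative.

```python
import re
from collections import Counter

# Assumed format of the PIX "denied by ACL" message (ID 106023).
DENY_RE = re.compile(
    r'%PIX-\d-106023: Deny tcp '
    r'src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

def denied_smtp_by_host(lines, acl="outbound", port=25):
    """Count denies per source IP for one ACL and destination port."""
    counts = Counter()
    for line in lines:
        m = DENY_RE.search(line)
        if m and m["acl"] == acl and int(m["dport"]) == port:
            counts[m["src"]] += 1
    return counts

def noisy_hosts(lines, threshold=3, **kw):
    """Hosts at or above the deny threshold, busiest first."""
    ranked = denied_smtp_by_host(lines, **kw).most_common()
    return [(host, n) for host, n in ranked if n >= threshold]

# Constructed sample log lines (RFC 1918 / RFC 5737 addresses).
SAMPLE = [
    'Mar 01 10:15:01 fw %PIX-4-106023: Deny tcp src inside:192.168.1.57/1042 '
    'dst outside:203.0.113.10/25 by access-group "outbound"',
    'Mar 01 10:15:01 fw %PIX-6-302013: Built outbound TCP connection 991 for '
    'outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.168.1.23/2210 '
    '(192.0.2.1/2210)',
    'Mar 01 10:15:02 fw %PIX-4-106023: Deny tcp src inside:192.168.1.57/1043 '
    'dst outside:198.51.100.25/25 by access-group "outbound"',
    'Mar 01 10:15:02 fw %PIX-4-106023: Deny tcp src inside:192.168.1.23/2214 '
    'dst outside:203.0.113.10/25 by access-group "outbound"',
    'Mar 01 10:15:03 fw %PIX-4-106023: Deny tcp src outside:198.51.100.99/4411 '
    'dst inside:192.0.2.5/25 by access-group "inbound"',
    'Mar 01 10:15:03 fw %PIX-4-106023: Deny tcp src inside:192.168.1.57/1044 '
    'dst outside:203.0.113.44/25 by access-group "outbound"',
    'Mar 01 10:15:04 fw %PIX-4-106023: Deny tcp src inside:192.168.1.57/1045 '
    'dst outside:203.0.113.80/25 by access-group "outbound"',
]

if __name__ == "__main__":
    for host, n in noisy_hosts(SAMPLE):
        print(f"{host}\t{n} denied SMTP attempts")
```

A workstation that keeps reaching for many different external mail servers on port 25, as 192.168.1.57 does in the sample, is the pattern the deny rule was added to catch.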