

PIX Firewall with Surfcontrol Server: Illegal Traffic not Blocked

Posted on 2006-11-07
Medium Priority
Last Modified: 2013-11-16
I currently have a PIX 501 firewall connected to my ISP, and behind that I have 3 switches trunked off of each other with one connection back to the PIX. I mirrored a port on switch A where it connects to the PIX, and my Win2003 SP1 Server (Surfcontrol Server 5.0) is the box receiving the mirrored info. This is also on switch A, along with the trunk to the next switch (B) and 15+ other host ports that are active on switch A. My problem is that all of the websites that are supposedly blocked are coming through, regardless of where that box is in the network: switch A, B or C. I have enabled all of the surfcontrol rules and they are active, but nothing is actually being blocked, though the monitor (and real time monitor) show blockage. I've also uninstalled and reinstalled Surfcontrol with the same result. I would prefer to move the surfcontrol server to one of the PIX ports and mirror the Switch A connection to that new PIX port, but I can't find any commands to mirror or SPAN a port on a PIX.

Can someone come up with a possible solution or direct me to my flaw...



PS. My Surfcontrol server has a secondary NIC that is a standard portfast fastE port (no mirroring) that I use to RDP into the box. Just thought I'd add this tidbit of info...
Question by:BigBro007
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 17896659
>I can't find any commands to mirror or SPAN a port on a PIX.
Sorry, but there isn't one. You can't span ports directly on the PIX.

Unfortunately, the PIX does not support SurfControl natively like it does N2H2 and Websense.
I don't know how Surfcontrol is supposed to work by connecting to a SPAN port... I know it can see all the traffic that way, but how does it prevent users from going there?
What kind of switches do you have? They need to support bi-directional SPAN. Many Cisco switches do not support this feature.

I would think that the surfcontrol server would have to be in direct line between the users and the firewall.
Have you seen this document from SurfControl?
LVL 10

Expert Comment

ID: 17897023
lrmoore is right, you are doing port mirroring, and it doesn't work like port filtering.

Your scenario will be:

Internet --->  Pix ----->> SurfControl Server ----->  rest of lan.


Author Comment

ID: 17902909
And I truly understand that.... I've seen the document, and it states to mirror a port on the switch (2950) which is mirroring both directions of traffic. The document doesn't state whether or not host devices can be plugged into the switch or not. And per this document, the server doesn't have to be a true "in-band" solution. That would be more along the lines of an appliance that was transparent. This is supposedly a "pass-by" filtering device that can sit "off-band" and provide the solution of blocking the sites...

Any other info?

P.S. Surfcontrol calls for port mirroring, not filtering on the switch - surfcontrol does the filtering...

LVL 79

Expert Comment

ID: 17903032
> mirror a port on the switch (2950) which is mirroring both directions of traffic.
Ah, but the port is not bi-directional, meaning that it's like a firehose letting Surfcontrol see all the traffic, but no traffic can be sent from the Server into that same interface. Too much coming out to let any in. Sort of like a tadpole trying to swim into the fire hydrant with the water on full blast.
From SPAN on 2950 documentation:
 The destination port has these characteristics:
   * The port does not transmit any traffic except that required for the SPAN session

Therefore, this does not meet the requirement for a bi-directional mirror port.


Expert Comment

ID: 17910373
Big Bro007,

I have a similar setup here. You need to review the documentation for your switch and be sure the port mirroring is bi-directional. By default the mirroring on a lot of switches is not bi-directional.

I have all the clients on my network plugged into twenty NetGear Prosafe switches. One port on each switch plugs into another ProSafe switch (I call it my root switch), which also has my firewall and my SurfControl Webfilter server plugged into it. I bi-directionally mirrored (the option on the switch GUI is listed as Tx/Rx) the port the firewall is on to the port the SurfController is on, and it works great.

Before I had switches that could mirror ports, I had a small hub between my firewall and root switch that I plugged SurfController into, which also worked (it was an old Linksys hub; I think the newer ones have Cisco switching technology in them so they won't work, it has to be straight-up broadcast style to all ports on the hub). That could work for you too, if you REALLY need to get it running ASAP.

So: check your switch documentation and get a new switch if needed. I wouldn't recommend what I did with the hub because that could seriously bottleneck your network if you are not careful!


P.S. I am jealous of your budget and 2950's!


Author Comment

ID: 17910868
From my 2950:

Session 1
Source Ports:
    RX Only:       None
    TX Only:       None
    Both:          Fa0/24
Destination Ports: Fa0/22

The port is monitoring in both directions; it just won't stop any clients even though there is a blocking statement active in the rule sets...

Do you have any hosts on the "root switch" in your network? I have hosts on my "root switch" and was wondering if this is causing some problems...
LVL 79

Expert Comment

ID: 17910920
>Destination Ports: Fa0/22
This is the port connected to the SurfControl, yes?
It is *not* bi-directional.
Fa0/24 is connected to your firewall, yes?
Traffic coming in Rx and going out Tx of that port is all mirrored to port fa0/22.
SurfControl sees everything.
NOTHING can be sent out fa0/22, meaning that SurfControl cannot block anything.

Expert Comment

ID: 17939196

Yes, I have hosts on my root switch. That shouldn't matter. See lrmoore's comments. I think your switch is sending both received and transmitted packets from port 24 to port 22, but 22 is unable to send anything out.

Like I said, you could always try a hub (w/o switching technology) or get a new switch that will allow the destination port in port-mirroring to transmit as well.


Author Comment

ID: 17943384
I now think I understand what you all are saying about being able to transmit on the port while receiving SPAN'd data. Does anyone know (before I google it) if the 2950's are capable of such a behavior?

Expert Comment

ID: 17948495

I *think* it might be possible based on the documentation which states:

"You can use the SPAN destination port to inject traffic from a network security device. For example, if you connect a Cisco Intrusion Detection System (IDS) Sensor Appliance to a destination port, the IDS device can send TCP Reset packets to close down the TCP session of a suspected attacker."


"The destination port does not transmit any traffic except that traffic required for the SPAN session unless "learning" is enabled. If learning is enabled, the port also transmits traffic directed to hosts that have been learned on the destination port."


Do you have a contact with Cisco TAC or a warranty on this piece of equipment? Give them a call and ask them for some configuration assistance for this feature.

Good Luck!


Author Comment

ID: 17949687
I actually re-read the Cisco documentation this morning in regards to spanning the port. It looks as though I have to enable ingress on the actual destination port to allow me to send traffic out of the monitoring port... I'm assuming that this is what they mean when they mention "...learning is enabled."
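As an added illustration, not posted by anyone in this thread: the SPAN session the asker showed from the 2950, beside the same session with ingress enabled on the destination port, which is the setting the last two comments arrive at. Interface names follow the thread; the VLAN number (1) and the exact `ingress vlan` keyword on this switch's IOS release are assumptions to be checked against its own SPAN documentation.

```cisco
! Constructed example. As in the thread: Fa0/24 faces the PIX, Fa0/22 faces the SurfControl server.
!
! Session as shown by "show monitor session 1": both directions of Fa0/24 are copied to Fa0/22,
! but Fa0/22 transmits nothing beyond the SPAN copy, so the filter sees every flow and can stop none.
monitor session 1 source interface Fa0/24 both
monitor session 1 destination interface Fa0/22

! Same session with ingress on the destination port (assumed syntax for this IOS release):
! frames sent by the SurfControl server into Fa0/22 are now accepted and forwarded in VLAN 1 (assumed VLAN),
! which is the transmit path a pass-by filter needs in order to act on what it observes.
no monitor session 1
monitor session 1 source interface Fa0/24 both
monitor session 1 destination interface Fa0/22 ingress vlan 1
```

After applying the second form, "show monitor session 1" is the place to confirm that the destination port now lists ingress as enabled rather than relying on the filter's own monitor, which in this thread reported blocks that never reached the wire.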

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This month, Experts Exchange’s free Course of the Month is focused on CompTIA IT Fundamentals.
Considering cloud tradeoffs and determining the right mix for your organization.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question