Solved

Logging allowed/blocked traffic on Cisco ASA Firewall

Posted on 2014-09-29
3
3,518 Views
Last Modified: 2014-10-28
When you enable logging on a global access rule on a cisco ASA firewall, you should see all traffic that is matching the rule in the logs, or are there any limitations? (for example, for blocked/allowed traffic or for traffic destined to the firewall itself)

I Added a test rule (rule 1 in rule base) on our ASA and I Telnet to a random destination port to the IP address of the firewall's interface, but I cannot see tha traffic in logs. I Also tried to filter the logs using the rule ID, but I dont see anything. However, I can see the packets when I do a packet capture. am I missing something?

thanks,
0
Comment
Question by:Harrris
  • 2
3 Comments
 
LVL 3

Expert Comment

by:Johneil1
ID: 40351363
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40351390
Good to check these out

Access List Activity Logging - http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=3

Here are rules of thumb to follow when choosing a severity level:
If only firewall error conditions should be recorded and no one will regularly view the message logs, choose severity level 3 (errors).
If you are primarily interested in seeing how traffic is being filtered by the firewall access lists, choose severity level 4 (warnings).
If you need an audit trail of firewall users and their activity, choose severity level 5 (notifications).
If you will be using a firewall log analysis application, you should choose severity level 6 (informational). This is the only level that produces messages about connections that are created, as well as the time and data volume usage.
If you need to use any debug command to troubleshoot something on the firewall, choose a destination with severity level 7 (debugging). You can use the logging debug-trace command to force debug output to be sent to a logging destination for later review. All Syslog messages containing debug output use message ID 711001 at a default severity level of 7.

By default, logging message 106023 (default severity level 4, warnings) is generated when a deny access list entry is matched with a traffic flow. Only the overall ACL is listed in the message, with no reference to the actual denying ACL entry

Each unique traffic flow that is denied by an ACE configured for logging is added to a cached list of tracked flows. This usually isn't a problem unless something like a denial-of-service attack causes a very large number of flows to be denied and tracked.

The firewall limits the maximum number of denied flows it tracks. By default, the maximum number is based on the available firewall memory: 4096 (64 MB or more), 1024 (16 MB or more), or 256 (less than 16 MB).

You can change this to a lower maximum number of flows by specifying n (1 to the default maximum). When the maximum number of tracked flows is reached, the firewall generates logging message 106101. By default, this message is limited to appearing only every 300 seconds (5 minutes). You can change the alert interval to seconds (1 to 3600 seconds).

in summary, when you enable logging, if a packet matches the access rule, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a system log message at the first hit and at the end of each interval, identifying the total number of hits during the interval and reporting the time of the last hit.

The ASApane displays the hit count information in the “last rule hit” row. To view the rule hit count and timestamp, chooseConfiguration > Firewall > Advanced > ACL Manager, and hover the mouse pointer over a cell in the ACL Manager table.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall_config/access_rules.html#pgfId-1274679
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 40408374
very well put btan.
0

Featured Post

Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

Join & Write a Comment

This subject  of securing wireless devices conjures up visions of your PC or mobile phone connecting to the Internet through some hotspot at Starbucks. But it is so much more than that. Let’s look at the facts: devices#sthash.eoFY7dic.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
You have products, that come in variants and want to set different prices for them? Watch this micro tutorial that describes how to configure prices for Magento super attributes. Assigning simple products to configurable: We assigned simple products…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now