Solved

Logging allowed/blocked traffic on Cisco ASA Firewall

Posted on 2014-09-29
3
4,418 Views
Last Modified: 2014-10-28
When you enable logging on a global access rule on a cisco ASA firewall, you should see all traffic that is matching the rule in the logs, or are there any limitations? (for example, for blocked/allowed traffic or for traffic destined to the firewall itself)

I Added a test rule (rule 1 in rule base) on our ASA and I Telnet to a random destination port to the IP address of the firewall's interface, but I cannot see tha traffic in logs. I Also tried to filter the logs using the rule ID, but I dont see anything. However, I can see the packets when I do a packet capture. am I missing something?

thanks,
0
Comment
Question by:Harrris
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 3

Expert Comment

by:Johneil1
ID: 40351363
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 40351390
Good to check these out

Access List Activity Logging - http://www.ciscopress.com/articles/article.asp?p=424447&seqNum=3

Here are rules of thumb to follow when choosing a severity level:
If only firewall error conditions should be recorded and no one will regularly view the message logs, choose severity level 3 (errors).
If you are primarily interested in seeing how traffic is being filtered by the firewall access lists, choose severity level 4 (warnings).
If you need an audit trail of firewall users and their activity, choose severity level 5 (notifications).
If you will be using a firewall log analysis application, you should choose severity level 6 (informational). This is the only level that produces messages about connections that are created, as well as the time and data volume usage.
If you need to use any debug command to troubleshoot something on the firewall, choose a destination with severity level 7 (debugging). You can use the logging debug-trace command to force debug output to be sent to a logging destination for later review. All Syslog messages containing debug output use message ID 711001 at a default severity level of 7.

By default, logging message 106023 (default severity level 4, warnings) is generated when a deny access list entry is matched with a traffic flow. Only the overall ACL is listed in the message, with no reference to the actual denying ACL entry

Each unique traffic flow that is denied by an ACE configured for logging is added to a cached list of tracked flows. This usually isn't a problem unless something like a denial-of-service attack causes a very large number of flows to be denied and tracked.

The firewall limits the maximum number of denied flows it tracks. By default, the maximum number is based on the available firewall memory: 4096 (64 MB or more), 1024 (16 MB or more), or 256 (less than 16 MB).

You can change this to a lower maximum number of flows by specifying n (1 to the default maximum). When the maximum number of tracked flows is reached, the firewall generates logging message 106101. By default, this message is limited to appearing only every 300 seconds (5 minutes). You can change the alert interval to seconds (1 to 3600 seconds).

in summary, when you enable logging, if a packet matches the access rule, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a system log message at the first hit and at the end of each interval, identifying the total number of hits during the interval and reporting the time of the last hit.

The ASApane displays the hit count information in the “last rule hit” row. To view the rule hit count and timestamp, chooseConfiguration > Firewall > Advanced > ACL Manager, and hover the mouse pointer over a cell in the ACL Manager table.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/firewall/asdm_71_firewall_config/access_rules.html#pgfId-1274679
0
 
LVL 3

Expert Comment

by:Johneil1
ID: 40408374
very well put btan.
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VTP servers with 3650 switches 5 46
Change name on 7940 Cisco UM 10 68
Bizarre IP Address / Port Blocking Windows 7 13 60
TCP Reset from Server 3 37
Cybersecurity has become the buzzword of recent years and years to come. The inventions of cloud infrastructure and the Internet of Things has made us question our online safety. Let us explore how cloud- enabled cybersecurity can help us with our b…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question