topic Re: No syslog blocking in asa. in Network Security

No syslog blocking in asa.

jbseong — Mon, 07 Dec 2020 01:01:49 GMT

We have 1 asa product and fwsm product.

fwsm-asa
      ㅣ          
  syslog server

It has this configuration.

While sending syslog from fwsm to syslog server, asa set the policy to block fwsm syslog.

But still fwsm is sending logs to syslog server and hit count doesn't go up in asa.

But from the moment fwsm reboots, it is blocked in asa.

What the hell is this happening for?

Can't asa block blocking while in session?

Re: No syslog blocking in asa.

MHM Cisco World — Mon, 07 Dec 2020 01:07:57 GMT

syslog is UDP and have entry in conn,

you config policy after the conn have entry
so it will bypass policy
the only chance it will go through policy is delete from conn and this happened if you delete manually or as you mention reboot device initiate the syslog so that the entry is timeout and delete from conn table.

Re: No syslog blocking in asa.

jbseong — Mon, 07 Dec 2020 01:37:51 GMT

If so, is it that syslog is still communicating even if udp blocking policy is put in the state of session being established?

Re: No syslog blocking in asa.

MHM Cisco World — Mon, 07 Dec 2020 01:51:50 GMT

Yes if you config policy after session established then ASA will bypass policy and the only way is clear conn entry manually in ASA