https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3939437#M135546 <P>Mine works - try splitting out this section into two policy maps.</P><P>You have an inspect and a pass both contained within a single PM (one for each CM) and finally a drop log.</P><P>The drop log is most probably applying to the latter 'pass' rule and thus not logging anything as everything has erm...passed! &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Happy to help.</P><P>&nbsp;</P><P>Rob.</P><P>&nbsp;</P><P><SPAN>policy-map type inspect PM_GUESTS-TO-SELF</SPAN><BR /><SPAN>class type inspect CM-INSPECT_GUESTS-TO-SELF</SPAN><BR /><SPAN>inspect</SPAN><BR /><SPAN>class type inspect CM-PASS_GUESTS-TO-SELF</SPAN><BR /><SPAN>pass</SPAN><BR /><SPAN>class class-default</SPAN><BR /><SPAN>drop log</SPAN></P> Fri, 11 Oct 2019 19:25:03 GMT rhbmcse 2019-10-11T19:25:03Z https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3012201#M135542 <P>Hi,</P> <P></P> <P>I´ve configured a Cisco 4331 with the Zone Based Firewall (ZBF) features. Everything works fine so far, but when I wanted to take a closer look to the dropped packets I noticed that not all are shown.</P> <P></P> <P>I switched it on globally using:</P> <P></P> <P><STRONG>parameter-map type inspect global</STRONG><BR /><STRONG>&nbsp;log dropped-packets</STRONG></P> <P></P> <P>Afterwards I tried to "attack" the routers protected "self" zone doing a telnet and a portscan, which was all blocked as intended, but none of these blocked pakets have been shown in the routers log (nor on the terminal monitor), whereas other blocked packets (going to different zones) are shown.</P> <P></P> <P>Any ideas?</P> <P></P> <P>Here is my configuration:</P> <P></P> <P></P> <P>parameter-map type inspect global<BR />&nbsp;log dropped-packets</P> <P></P> <P>class-map type inspect match-any CM-INSPECT_GUESTS-TO-SELF<BR /> match access-group name CLM-ACL_INSPECT_GUESTS-TO-SELF</P> <P>class-map type inspect match-any CM-PASS_GUESTS-TO-SELF<BR /> match access-group name CLM-ACL_PASS_GUESTS-TO-SELF_DHCP</P> <P>class-map type inspect match-any CM-PASS_SELF-TO-GUESTS<BR /> match access-group name CLM-ACL_PASS_SELF-TO-GUESTS_DHCP</P> <P><BR />policy-map type inspect PM_SELF-TO-GUESTS<BR /> class type inspect CM-PASS_SELF-TO-GUESTS<BR /> pass<BR /> class class-default<BR /> drop log</P> <P>policy-map type inspect PM_GUESTS-TO-SELF<BR /> class type inspect CM-INSPECT_GUESTS-TO-SELF<BR /> inspect<BR /> class type inspect CM-PASS_GUESTS-TO-SELF<BR /> pass<BR /> class class-default<BR /> drop log</P> <P><BR />ip access-list extended CLM-ACL_INSPECT_GUESTS-TO-SELF<BR /> permit icmp 192.168.51.0 0.255.255.255 host 192.168.51.1 echo<BR /> permit icmp 192.168.51.0 0.255.255.255 host 192.168.51.1 echo-reply<BR /><BR /> <BR />ip access-list extended CLM-ACL_PASS_GUESTS-TO-SELF_DHCP<BR /> permit udp any eq bootpc any eq bootps<BR /> <BR />ip access-list extended CLM-ACL_PASS_SELF-TO-GUESTS_DHCP<BR /> permit udp any eq bootps any eq bootpc<BR /> <BR />zone-pair security ZP_GUESTS-TO-SELF source ZN_GUESTS destination self<BR /> service-policy type inspect PM_GUESTS-TO-SELF<BR /> <BR />zone-pair security ZP_SELF-TO-GUESTS source self destination ZN_GUESTS<BR /> service-policy type inspect PM_SELF-TO-GUESTS</P> <P></P> <P></P> <P>Many thanks!</P> Tue, 12 Mar 2019 09:22:13 GMT https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3012201#M135542 Heinz Schwarzfeuer 2019-03-12T09:22:13Z https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3205469#M135543 <P>No one any idea?</P> Thu, 26 Oct 2017 06:26:59 GMT https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3205469#M135543 Heinz Schwarzfeuer 2017-10-26T06:26:59Z https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3748449#M135544 <P>I have the same problem. Any help is appreciated?</P> Fri, 16 Nov 2018 23:21:23 GMT https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3748449#M135544 m.markocevic 2018-11-16T23:21:23Z https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3859975#M135545 <P>Ever solved it?</P> Tue, 21 May 2019 10:06:25 GMT https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3859975#M135545 fblackfire 2019-05-21T10:06:25Z https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3939437#M135546 <P>Mine works - try splitting out this section into two policy maps.</P><P>You have an inspect and a pass both contained within a single PM (one for each CM) and finally a drop log.</P><P>The drop log is most probably applying to the latter 'pass' rule and thus not logging anything as everything has erm...passed! &nbsp;<span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>Happy to help.</P><P>&nbsp;</P><P>Rob.</P><P>&nbsp;</P><P><SPAN>policy-map type inspect PM_GUESTS-TO-SELF</SPAN><BR /><SPAN>class type inspect CM-INSPECT_GUESTS-TO-SELF</SPAN><BR /><SPAN>inspect</SPAN><BR /><SPAN>class type inspect CM-PASS_GUESTS-TO-SELF</SPAN><BR /><SPAN>pass</SPAN><BR /><SPAN>class class-default</SPAN><BR /><SPAN>drop log</SPAN></P> Fri, 11 Oct 2019 19:25:03 GMT https://community.cisco.com/t5/network-security/zbf-logging-dropped-packets-on-ios-xe/m-p/3939437#M135546 rhbmcse 2019-10-11T19:25:03Z