topic Logging uses CPU and memory. in Network Security

ACL Logging

dalem00011 — Tue, 12 Mar 2019 08:56:51 GMT

Hi all,

I need help with something.

I manage a multi-context firewall.

The rulebase is huge!

Up until this point we never configured ACL logging on the rules.

Now the client wants use to log the ACL's.

ie:

access-list TEST deny ip any any log

I would need to add the word "log" to the end of every ACL - but in this case there are literally thousands of ACL's.

Is there a command that I can run that will log all ACL's without me having to physically go back to each ACL statement and have to add the word "log" at the end of it?

Urgent assistance would be greatly appreciated!

Kind regards

 - Dale

As far as I know, you would

Marius Gunnerud — Thu, 16 Feb 2017 21:12:46 GMT

As far as I know, you would need to add the log keyword at the end of each entry. An option is to create a script that will go through your configuration and pull out the access list entries, add the log keyword to the end and then paste it back in.

Depending on how much traffic actually passes through your firewall, I would caution your client about enabling logging on all the ACL entries. If there is a lot of traffic passing through your ASA, this will impact performance. Perhaps if you are able to narrow it down a bit to critical entries?

Please remember to select a correct answer and rate helpful posts

Thanks for your swift

dalem00011 — Thu, 16 Feb 2017 21:20:28 GMT

Thanks for your swift response Marius.

There are huge amounts of traffic passing through this multi-context ASA.

The client wants logging on all ACL's - I think its for some kind of Tufin integration.

So you would advise against this?

Also, then just to clarify, in ASDM, under logging, there is a check box which states "enable logging" - Would this not maybe solve my issue?

Logging uses CPU and memory.

Marius Gunnerud — Thu, 16 Feb 2017 21:50:49 GMT

Logging uses CPU and memory.

I would not go as far as saying that I advise against it, but lean more on the side of caution. Just keep in mind that if you do experience a decrease in performance that this could be due to the amount of logging going on. Of course this also depends on what level of logging you are doing. Debuging would most definately have a performance impact with a huge amout of traffic passing through. Informational or notification will have less of an impact.

The enable logging in the ASDM will just enable logging for the ASDM, not what is being logged to the ASDM.

So, the only way I know of to do this is manually or have a programmer create a script that will do it for you.

Please remember to select a correct answer and rate helpful posts

Thanks Marius.

dalem00011 — Fri, 17 Feb 2017 11:56:51 GMT

Thanks Marius.

Your advice has been noted.

For now I have informed the client of the risks involved. We plan to roll it out little by little so we can monitor how the ASA handles it.

I also advised we do this only on business critical ACL's.

Fingers crossed all goes well and they take my advice.

But thanks again Marius.

Appreciate it!