https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222951#M351027 <HTML><HEAD></HEAD><BODY><P>Hello Mat,</P><P></P><P>So you did not have the ip inspect log drop-pkt.. Then the behavior was expected</P><P></P><P>I encourage you to make sure you are logging to the local buffer of the FW and then try to send invalid traffic and check the logs ( U can share all of your configuration ) </P><P></P><P>regards</P></BODY></HTML> Tue, 30 Apr 2013 18:08:33 GMT Julio Carvajal 2013-04-30T18:08:33Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222948#M351024 <P>I have a Zone-Based Firewall installation running on a 2911 router running C2900-UNIVERSALK9-M Version 15.3(1)T.&nbsp; I am trying to find a way to log dropped packets to a syslog server so I can see attempted connections that were denied.</P><P></P><P>I have attempted to configure the logging a couple of different ways, but with no luck so far.&nbsp; Right now I have it set up like this (please note that in the config below the syslog server 192.168.1.132 is in the "inside" zone):</P><P>------------------------------------------------------------------------------------------------------</P><P><STRONG>logging trap warnings</STRONG></P><P>logging source-interface Loopback0</P><P>logging host 192.168.1.132</P><P></P><P>zone-pair security Transit-to-inside source Transit destination inside</P><P>description ** permit all traffic from Transit to inside **</P><P>service-policy type inspect Transit-to-inside-policy</P><P></P><P>policy-map type inspect Transit-to-inside-policy</P><P>class type inspect spiceworks-traffic-in</P><P><STRONG>pass log</STRONG></P><P>class type inspect CAG-portal-traffic-inbound</P><P>&nbsp; <STRONG>inspect dropped-to-log</STRONG></P><P>class class-default</P><P>&nbsp; <STRONG>drop log</STRONG></P><P></P><P>zone-pair security self-to-inside source self destination inside</P><P>description ** permit reply traffic for mgmt on inside interface **</P><P>service-policy type inspect permit-any</P><P></P><P>policy-map type inspect permit-any</P><P>class class-default</P><P>&nbsp; pass</P><P>!</P><P>parameter-map type inspect global</P><P>alert on</P><P><STRONG>log dropped-packets enable</STRONG></P><P><STRONG>log summary flows 256 time-interval 30</STRONG></P><P></P><P>parameter-map type inspect <STRONG>dropped-to-log</STRONG></P><P><STRONG>audit-trail on</STRONG></P><P><STRONG>alert on</STRONG></P><P>------------------------------------------------------------------------------------------------------</P><P></P><P>Other syslog messages from the ZBF do get logged to the syslog server, so I know the basic communication works.&nbsp; But I still get no syslogs of packets dropped <EM>because they failed to match any of the firewall rules</EM>.</P><P></P><P>Any help would be greatly appreciated.</P><P>-Mathew Rouch</P> Tue, 12 Mar 2019 01:34:50 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222948#M351024 mat_rouch 2019-03-12T01:34:50Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222949#M351025 <HTML><HEAD></HEAD><BODY><P>hmmm..</P><P></P><P>I mean are you really allowing all traffic across the box or are you supposed to be blocking something??</P><P></P><P>You get logs into the server... Right???</P><P></P><P></P><P>Pleasee. tell me you have this command</P><P></P><P><SPAN style="text-decoration: underline;"><EM><STRONG>ip inspect log drop-pkt</STRONG></EM></SPAN></P><P></P><P>Regards</P></BODY></HTML> Fri, 26 Apr 2013 04:37:04 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222949#M351025 Julio Carvajal 2013-04-26T04:37:04Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222950#M351026 <HTML><HEAD></HEAD><BODY><P>I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs.&nbsp; Here's an example of one that does make it through:</P><P>-----------------------------------------------------------------</P><P>5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing</P><P>-----------------------------------------------------------------</P><P></P><P>I am not allowing all the traffic across the box.&nbsp; The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone.&nbsp; That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.</P><P></P><P>And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.</P><P></P><P>Any other suggestions?</P><P></P><P></P><P>-Mat</P></BODY></HTML> Tue, 30 Apr 2013 15:13:44 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222950#M351026 mat_rouch 2013-04-30T15:13:44Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222951#M351027 <HTML><HEAD></HEAD><BODY><P>Hello Mat,</P><P></P><P>So you did not have the ip inspect log drop-pkt.. Then the behavior was expected</P><P></P><P>I encourage you to make sure you are logging to the local buffer of the FW and then try to send invalid traffic and check the logs ( U can share all of your configuration ) </P><P></P><P>regards</P></BODY></HTML> Tue, 30 Apr 2013 18:08:33 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222951#M351027 Julio Carvajal 2013-04-30T18:08:33Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222952#M351028 <HTML><HEAD></HEAD><BODY><P> I added "ip inspect log drop-pkt" and it made no difference.&nbsp; Is there somewhere else I need to enable this for the logging to work properly?</P><P></P><P></P><P>-Mat</P></BODY></HTML> Tue, 30 Apr 2013 21:21:06 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222952#M351028 mat_rouch 2013-04-30T21:21:06Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222953#M351029 <HTML><HEAD></HEAD><BODY><P>That's all you need....</P><P></P><P>That is why I asked for the Show run</P></BODY></HTML> Tue, 30 Apr 2013 23:15:12 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/2222953#M351029 Julio Carvajal 2013-04-30T23:15:12Z https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/3859981#M351030 <P>Did you find a solution?</P> Tue, 21 May 2019 10:15:54 GMT https://community.cisco.com/t5/network-security/logging-viewing-dropped-packets-on-zone-based-firewall/m-p/3859981#M351030 fblackfire 2019-05-21T10:15:54Z