topic Tracking ASA rules in Network Security

Tracking ASA rules

benson.low — Mon, 11 Mar 2019 22:25:06 GMT

Hi CSC,

Is there a way to extract which traffic is hitting which rule from syslog? Thanks.

Rgrds,

Benson

Tracking ASA rules

Maykol Rojas — Tue, 07 Feb 2012 14:50:42 GMT

Hello,

You can assing the keyword log at the end of the ACL and that will generate a syslog per rule match that it has this keyword at the end.

Mike

Tracking ASA rules

benson.low — Wed, 08 Feb 2012 10:42:20 GMT

Hi Mike,

What you proposed is for cisco routers, I am referring to ASA. The syslog entries have the following fields, but it does not show which rule it hits.

Jan 24 00:00:52 172.16.132.21 :Jan 23 23:49:07 SGT: %ASA-session-6-302013: Built inbound TCP connection 1158354 for CITRIX:x.x.x.x/60659 (x.x.x.x/60659) to Inside:x.x.x.x/445 (x.x.x.x/445)

Tracking ASA rules

Maykol Rojas — Wed, 08 Feb 2012 15:26:39 GMT

Extract from CISCO ASA COMMAND REFERENCE 8.2

Syntax Description

log

(Optional) Sets logging options when a ACE matches a packet for network access (an access list applied with the access-group command). If you enter the log keyword without any arguments, you enable system log message 106100 at the default level (6) and for the default interval (300 seconds). If you do not enter the log keyword, then the default system log message 106023 is generated.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1559450

Extract from Cisco ASA 5500 Series System Log Messages, 8.2

Log message: 106100

Error Message    %ASA-6-106100: access-list acl_ID {permitted | denied | est-allowed} 
protocol interface_name/source_address(source_port) - 
interface_name/dest_address(dest_port) hit-cnt number ({first hit | 
number-second interval}) hash codes

When an access-list line has the log argument, it is expected that this syslog ID might be triggered because of a non-synchronized packet reaching the adaptive security appliance and being evaluated by the access-list. For example, if an ACK packet is received on the adaptive security appliance (for which no TCP connection exists in the connection table), the device might generate syslog 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.

If you are in doubts, please ask first.

Mike

Tracking ASA rules

benson.low — Thu, 09 Feb 2012 06:45:39 GMT

Hi Mike,

Thanks, it does help to solve part1. Now I am stuck with another issue, the moment the log keyword is entered for 1 ACE, no more syslog is being generated.