FPM : Fine tuning required

Hitesh Vinzoda — Mon, 11 Mar 2019 19:02:57 GMT

Hi,

I m using FPM on 1811 router with 12.4 24 T Advanced security code. Im trying to filter syslog warning traps from the firewalls send to NMS. below is the required configuration which matches OID for Syslog warning traps.

load protocol system:/fpm/phdf/ether.phdf
load protocol system:/fpm/phdf/ip.phdf
load protocol system:/fpm/phdf/tcp.phdf
load protocol system:/fpm/phdf/udp.phdf
!
!
class-map type stack match-all IP_UDP
match field IP dest-addr eq 10.10.10.10 next UDP

class-map type access-control match-all WARNING
match start l3-start offset 0 size 256 regex ".*\x2b\x06\x01\x04\x01\x09\x09\x29\x01\x02\x03\x01\x03\x00\x02\x01\x05.*"
match field UDP dest-port eq 162
!
!
policy-map type access-control FILTER_WARNING
class WARNING
   log
policy-map type access-control FPM
class TRAP
   log
   drop
class IP_UDP
service-policy FILTER_WARNING

But some how traffic on port 161 and icmp messages are matched against it. ICMP i thought of them as port unreachable messages but any clue on matches for 161 port (normal SNMP polling). it seems that "match filed UDP dest-port eq 162" is not working below are the logs for the same

*Nov 1 04:53:30 UTC: %SEC-6-IPACCESSLOGDP: list WARNING permitted icmp 1.1.1.1 (FastEthernet1 ) -> 10.10.10.10 (0/0), 1 packet

*Nov 1 04:45:34 UTC: %SEC-6-IPACCESSLOGP: list WARNING permitted udp 10.10.20.1 (161) (FastEthernet1 ) -> 10.10.10.10 (51643), 1 packet

Please advise on fine tuning in the configuration or further analysis.

Thanks in advance

Hitesh Vinzoda

Re: FPM : Fine tuning required

Hitesh Vinzoda — Mon, 01 Nov 2010 11:26:27 GMT

Issue resolved... changed the configuration to Match dest port 162 first and than the payload in packet.

Regards

Hitesh Vinzoda

topic FPM : Fine tuning required in Network Security

FPM : Fine tuning required

Re: FPM : Fine tuning required