Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
524
Views
0
Helpful
7
Replies

CSA logging even though logging is turned off

jjkruege
Level 1
Level 1

‎01-11-2005 11:29 AM - edited ‎03-10-2019 01:13 AM

I have setup CSA for several users. One of the log messages we receive on many hosts is the UPNP port 1900 blocked messages. I would like to leave the rule itself alone so we can use it in other groups, so I created an exception. I set it up as a high priority deny and did not check the "log" box. I assumed that this would just silently deny the connections. Unfortunately, I still receive hundreds of messages in my log about UPNP.

From the log I can see that it fired from my exception policy, not from the base policy. I had to make it a high priority deny in order to make it above all the other denies. Am I doing something wrong with this expection policy or will I always be stuck with these log messages.

Thanks,

Josh

Labels:
0 Helpful
7 Replies 7

tsteger1
Level 8
Level 8

‎01-11-2005 12:19 PM

You need to set it to "take precedence over other deny rules". The first rule logs it and your second one can't unlog it. I would also put it in the same policy.

0 Helpful

jjkruege
Level 1
Level 1
In response to tsteger1

‎01-11-2005 01:03 PM

I don't think that it is a rule ordering issue though. The rule ID that is firing is actually from my exception rule. That rule is not supposed to log. I made it a high priority deny so that it would be placed above the regular deny that was firing previously.

0 Helpful

tsteger1
Level 8
Level 8
In response to jjkruege

‎01-11-2005 02:33 PM

Is the "take precedence" box checked? That is the preferred method to keep rules from logging (See Manipulating Precedence in the CSAMC help). Also, are you in testmode? It will log in testmode even if you have logging turned off and that box checked.

Try it, it works for us.

0 Helpful

jjkruege
Level 1
Level 1
In response to tsteger1

‎01-11-2005 03:25 PM

Ahhh, that must be it. We do have the "take precedence" box checked, but we have them in test mode. I will move them out of test mode and see if the logging messages go away. That is strange. I would have expected the logging to not happen in test mode too. Oh well. Thanks for the help!

Josh

0 Helpful

adammuthard
Level 1
Level 1
In response to tsteger1

‎12-04-2007 07:42 AM

I am having the same problem as the user who originally posted in this forum:

1) Rule is a DENY for SSDP services

2) Take precedence over other Deny rules is checked

3) Logging is unchecked

However, this rule is still logging deny actions. I am trying to cut down on unnecessary logging and this is taking up about 10% percent of our logs (about 2000 logs a day).

Any help would be greatly appreciated.

0 Helpful

tsteger1
Level 8
Level 8
In response to adammuthard

‎12-04-2007 09:45 AM

I'm guessing that there is either:

1. Another rule stepping on it

2. There is a deny/strong deny mismatch

3. It's in test mode.

If any of these are true, you'll see that behavior.

What version? CSA 5.2 has the rule preconfigured as part of the XP Remote Control Module.

Tom

0 Helpful

amuthard1
Level 1
Level 1
In response to tsteger1

‎12-04-2007 10:23 AM

Thanks, actually I found it. There was a rule override for logging on the group level. I believe that was a cause of the problem. I swore I had already turned it off, but I guess I was mistaken.

*Note* I am the same user as above, I just had my user ID changed.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card