Solved: Firewall deny not getting logged

balajis27 · ‎02-13-2011

Hi All

I am facing a strange issue with FWSM firewall rules and need some help on that.

On this firewall, we have logging enabled to a log all denies for blocked ports. . This is covered in the last deny statement with port object-group as shown below.

access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff

In the recent days we found extensive deny logs for the below 6 ports and this was causing the below error message 106101 .

tcp SMTP,tcp 135,tcp 445, tcp netbios-ssn, udp netbios-ns, udp snmp

106101 The number of ACL log deny-flows has reached limit (number)

106101 The number of ACL log deny-flows has reached limit (4096).

Already the max configured limit on device is 4096. So we decided to remove logging only for those specifc 6 ports and wanted to still log rest of the denies. So we modified ACL as below

ddddd# sh access-list al_from_labs | in deny
access-list al_from_labs line 2227 extended deny tcp any any eq smtp (hitcnt=29954) 0xf62aaca9
access-list al_from_labs line 2228 extended deny tcp any any eq 135 (hitcnt=2127) 0xc8773775
access-list al_from_labs line 2229 extended deny tcp any any eq 445 (hitcnt=2617) 0x9ad56a8f
access-list al_from_labs line 2230 extended deny tcp any any eq netbios-ssn (hitcnt=888) 0x9258206
access-list al_from_labs line 2231 extended deny udp any any eq netbios-ns (hitcnt=8670) 0x5fad9aa0
access-list al_from_labs line 2232 extended deny udp any any eq snmp (hitcnt=532) 0xfe3a0d52
access-list al_from_labs line 2236 extended deny object-group tcp_udp any any object-group Blocked_Ports log errors interval 300 0x9f5a4bff

Please see above where we removed logging for those specific 6 denies and moved it above the last deny rule.

Issue:

====

After we modified the acl entries as above, we see strangely that none of the denies are getting logged to the syslog server. So absolutely logging gets stopped. This is confusing becos we only wanted the firewall not to log for those specific 6 ports but now access attempt to other ports also is not getting logged.

Please let us know what might be the cause of the issue.

Regards

Jennifer Halim · ‎02-17-2011

Excellent, and it's great to hear.

Please kindly mark the post answered so others can learn from your post. Thank you.

View solution in original post

Jennifer Halim · ‎02-13-2011

My suggestion would be to reload the FWSM to clear the cached flow.

However, if you would like to know the reason why it's not working as it should, I would suggest that you open a TAC case so the issue can be investigated further.

balajis27 · ‎02-17-2011

Thanks Jennifer

We rebooted the FWSM firewall and that solved the issue. If the issue repeats, we are planning to open a TAC case on this.

Thanks for your suggestion

Regards

S.Balaji

Jennifer Halim · ‎02-17-2011

Excellent, and it's great to hear.

Please kindly mark the post answered so others can learn from your post. Thank you.