Hi,
I am new to setting up a PIX firewall. I hope that someone can give me some hints on how to log dropped packets to my syslog server. Here is what I have set up and tested:
1) I managed to set up remote logging for my syslog server; I could see PIX firewall logs appearing in /var/log/messages on the syslog server:
Feb 15 18:14:33 firewall1 Feb 15 2006 02:12:14: %PIX-5-111008: User 'enable_1' executed the 'enable' command.
2) I have added the following to the access list:
access-list PERMIT_IN deny ip any any log
access-group PERMIT_IN in interface outside
3) I have set buffered logging to 6.
4) I tried to telnet from a "denied" IP. However, no logs appear on the syslog server, and the dropped packet also did not appear in "show logging".
Here is the "show logging" output:
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, 126 messages logged
Trap logging: level notifications, 136 messages logged
Logging to inside 10.26.10.100
History logging: disabled
Device ID: disabled
Please let me know if I have missed something. Thanks.
Regards,
thamch
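
Added example, not part of the original post: a check of which logging destinations in the "show logging" output above would record a message, based on the severity digit in its tag (the 5 in %PIX-5-111008). The %PIX-6-106100 tag is an assumption (the level-6 message that the ACL "log" keyword produces by default), and the function names are hypothetical.

```python
import re

# Cisco severity keywords as printed by "show logging", mapped to syslog numbers.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# "show logging" output copied from the post above.
SHOW_LOGGING = """\
Syslog logging: enabled
Facility: 20
Timestamp logging: enabled
Standby logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: level errors, 126 messages logged
Trap logging: level notifications, 136 messages logged
Logging to inside 10.26.10.100
History logging: disabled
Device ID: disabled
"""

def destination_levels(show_logging):
    """Return {destination: numeric level} for each destination that has a level."""
    levels = {}
    for line in show_logging.splitlines():
        m = re.match(r"\s*(\w+) logging: level (\w+),", line)
        if m and m.group(2) in LEVELS:
            levels[m.group(1).lower()] = LEVELS[m.group(2)]
    return levels

def message_severity(text):
    """Extract the severity digit from a %PIX-<severity>-<id> tag."""
    m = re.search(r"%PIX-(\d)-\d+", text)
    if not m:
        raise ValueError("no %PIX-<severity>-<id> tag found")
    return int(m.group(1))

def recorded_by(text, show_logging=SHOW_LOGGING):
    """Destinations whose level is at or above the message severity number."""
    sev = message_severity(text)
    return sorted(d for d, lvl in destination_levels(show_logging).items() if sev <= lvl)

if __name__ == "__main__":
    # First tag is from the post; the second is the assumed ACL log message tag.
    for tag in ("%PIX-5-111008", "%PIX-6-106100"):
        print(tag, "->", recorded_by(tag) or "no destination")
```

A destination records a message only when the message's severity number is less than or equal to the destination's level, so "trap" (the syslog server) at notifications carries level 5 and below.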