Logging/Viewing dropped packets on Zone-Based Firewall

mat_rouch · ‎04-25-2013

I have a Zone-Based Firewall installation running on a 2911 router running C2900-UNIVERSALK9-M Version 15.3(1)T. I am trying to find a way to log dropped packets to a syslog server so I can see attempted connections that were denied.

I have attempted to configure the logging a couple of different ways, but with no luck so far. Right now I have it set up like this (please note that in the config below the syslog server 192.168.1.132 is in the "inside" zone):

------------------------------------------------------------------------------------------------------

logging trap warnings

logging source-interface Loopback0

logging host 192.168.1.132

zone-pair security Transit-to-inside source Transit destination inside

description ** permit all traffic from Transit to inside **

service-policy type inspect Transit-to-inside-policy

policy-map type inspect Transit-to-inside-policy

class type inspect spiceworks-traffic-in

pass log

class type inspect CAG-portal-traffic-inbound

inspect dropped-to-log

class class-default

drop log

zone-pair security self-to-inside source self destination inside

description ** permit reply traffic for mgmt on inside interface **

service-policy type inspect permit-any

policy-map type inspect permit-any

class class-default

pass

!

parameter-map type inspect global

alert on

log dropped-packets enable

log summary flows 256 time-interval 30

parameter-map type inspect dropped-to-log

audit-trail on

alert on

------------------------------------------------------------------------------------------------------

Other syslog messages from the ZBF do get logged to the syslog server, so I know the basic communication works. But I still get no syslogs of packets dropped because they failed to match any of the firewall rules.

Any help would be greatly appreciated.

-Mathew Rouch

Julio Carvajal · ‎04-25-2013

hmmm..

I mean are you really allowing all traffic across the box or are you supposed to be blocking something??

You get logs into the server... Right???

Pleasee. tell me you have this command

ip inspect log drop-pkt

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mat_rouch · ‎04-30-2013

I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs. Here's an example of one that does make it through:

-----------------------------------------------------------------

5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transitclass WB-Browsing

-----------------------------------------------------------------

I am not allowing all the traffic across the box. The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone. That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.

And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.

Any other suggestions?

-Mat

Julio Carvajal · ‎04-30-2013

Hello Mat,

So you did not have the ip inspect log drop-pkt.. Then the behavior was expected

I encourage you to make sure you are logging to the local buffer of the FW and then try to send invalid traffic and check the logs ( U can share all of your configuration )

regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mat_rouch · ‎04-30-2013

I added "ip inspect log drop-pkt" and it made no difference. Is there somewhere else I need to enable this for the logging to work properly?

-Mat

Julio Carvajal · ‎04-30-2013

That's all you need....

That is why I asked for the Show run

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

fblackfire · ‎05-21-2019

Did you find a solution?