04-25-2013 07:57 AM - edited 03-11-2019 06:34 PM
I have a Zone-Based Firewall installation running on a 2911 router running C2900-UNIVERSALK9-M Version 15.3(1)T. I am trying to find a way to log dropped packets to a syslog server so I can see attempted connections that were denied.
I have attempted to configure the logging a couple of different ways, but with no luck so far. Right now I have it set up like this (please note that in the config below the syslog server 192.168.1.132 is in the "inside" zone):
------------------------------------------------------------------------------------------------------
logging trap warnings
logging source-interface Loopback0
logging host 192.168.1.132
!
zone-pair security Transit-to-inside source Transit destination inside
 description ** permit all traffic from Transit to inside **
 service-policy type inspect Transit-to-inside-policy
!
policy-map type inspect Transit-to-inside-policy
 class type inspect spiceworks-traffic-in
  pass log
 class type inspect CAG-portal-traffic-inbound
  inspect dropped-to-log
 class class-default
  drop log
!
zone-pair security self-to-inside source self destination inside
 description ** permit reply traffic for mgmt on inside interface **
 service-policy type inspect permit-any
!
policy-map type inspect permit-any
 class class-default
  pass
!
parameter-map type inspect global
 alert on
 log dropped-packets enable
 log summary flows 256 time-interval 30
!
parameter-map type inspect dropped-to-log
 audit-trail on
 alert on
------------------------------------------------------------------------------------------------------
Other syslog messages from the ZBF do get logged to the syslog server, so I know the basic communication works. But I still get no syslogs of packets dropped because they failed to match any of the firewall rules.
Any help would be greatly appreciated.
-Mathew Rouch
04-25-2013 09:37 PM
Hmmm...
I mean, are you really allowing all traffic across the box, or are you supposed to be blocking something?
You get logs into the server... right?
Please tell me you have this command:
ip inspect log drop-pkt
Regards
04-30-2013 08:13 AM
I am getting other logs sent to the syslog server, yes, just not the firewall-related "dropped packet" logs. Here's an example of one that does make it through:
-----------------------------------------------------------------
5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transit class WB-Browsing
-----------------------------------------------------------------
I am not allowing all the traffic across the box. The "self-to-inside" zone-pair just allows the *firewall itself* to initiate any traffic to the inside zone. That's temporary until I get all the management traffic to and from the firewall defined, then I will lock it down further.
And I added the "ip inspect log drop-pkt" and it did not appear to make any difference.
Any other suggestions?
-Mat
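As an added example (not code from this thread), once %FW drop messages do reach the syslog server, a parser like the one below separates policy drops on class-default (the denied connection attempts Mat wants to see) from inspection-engine drops such as the TCP_OoO_SEG line above. The sample log lines are constructed, and the %FW-6-DROP_PKT wording is an assumption about the IOS message format, not something quoted in this thread.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample syslog lines. Line 5790 mirrors the one posted in the
# thread; the DROP_PKT lines follow the assumed IOS wording
# "Dropping <proto> session A:p B:p on zone-pair X class Y due to <reason>".
SAMPLE_LOG = """\
5790: *Apr 30 15:05:27.039 UTC: %FW-4-TCP_OoO_SEG: Dropping TCP Segment: seq:-647534746 1500 bytes is out-of-order; expectedseq:3647406270. Reason: TCP reassembly queue overflow - session 192.168.1.179:3895 to 54.240.160.142:80 on zone-pair inside-to-Transit class WB-Browsing
5791: *Apr 30 15:06:01.120 UTC: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:41022 192.168.1.20:22 on zone-pair Transit-to-inside class class-default due to Policy drop:classify result with ip ident 0
5792: *Apr 30 15:06:02.301 UTC: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.7:41023 192.168.1.20:22 on zone-pair Transit-to-inside class class-default due to Policy drop:classify result with ip ident 0
5793: *Apr 30 15:06:05.880 UTC: %FW-6-DROP_PKT: Dropping udp session 203.0.113.9:5353 192.168.1.20:161 on zone-pair Transit-to-inside class class-default due to Policy drop:classify result with ip ident 0
5794: *Apr 30 15:06:07.000 UTC: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.168.1.50)
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FW_RE = re.compile(
    r"%FW-(?P<sev>\d)-(?P<mnemonic>[A-Za-z0-9_]+):.*?"
    rf"(?P<src>{IPV4}):(?P<sport>\d+)\s+(?:to\s+)?(?P<dst>{IPV4}):(?P<dport>\d+)"
    r".*?on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)


def parse_fw_line(line: str) -> Optional[dict]:
    """Extract the fields of a ZBF %FW message; None for non-%FW lines."""
    m = FW_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sev"] = int(rec["sev"])
    return rec


def summarize_drops(text: str) -> Counter:
    """Count %FW drop messages per (mnemonic, zone-pair, class, dst, dport)."""
    counts: Counter = Counter()
    for line in text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or "Dropping" not in line:
            continue
        counts[(rec["mnemonic"], rec["zone_pair"], rec["cls"], rec["dst"], rec["dport"])] += 1
    return counts


def policy_drops(counts: Counter) -> Counter:
    """Keep only drops made by the class-default drop action (denied connections)."""
    return Counter({k: v for k, v in counts.items() if k[0] == "DROP_PKT" and k[2] == "class-default"})


if __name__ == "__main__":
    for key, n in sorted(policy_drops(summarize_drops(SAMPLE_LOG)).items()):
        print(n, *key)
```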
04-30-2013 11:08 AM
Hello Mat,
So you did not have the ip inspect log drop-pkt... Then the behavior was expected.
I encourage you to make sure you are logging to the local buffer of the FW and then try to send invalid traffic and check the logs (you can share all of your configuration).
Regards
04-30-2013 02:21 PM
I added "ip inspect log drop-pkt" and it made no difference. Is there somewhere else I need to enable this for the logging to work properly?
-Mat
04-30-2013 04:15 PM
That's all you need...
That is why I asked for the show run.
05-21-2019 03:15 AM
Did you find a solution?