06-15-2013 04:07 AM - edited 03-11-2019 06:58 PM
We need to have our syslog server facing the internet to aid in troubleshooting clients. And it's random when I'd need it, and I'd rather not be going back to the firewall and opening the port while I need it, shutting it down later, opening it again, and so on.
Those with public-facing syslog servers, what do you do? Just open up UDP 514 and hope for the best?
Thanks for some input.
06-15-2013 04:31 AM
Hi,
Well, if we are talking about an ASA firewall then I guess you can always create an ACL rule for all the customers that you might need to open up the Syslog traffic for. When you don't need to have those ports open on the ASA then you can turn them "inactive" either through the ASDM or CLI and leave the actual rules in the configuration.
Naturally if you are sending Syslog through the Internet you might want to consider perhaps even building a L2L VPN connection between your site and the customer site and tunneling their Syslog traffic through that L2L VPN connection. I have for example a couple of times configured L2L VPN between an ASA and one of our VPN gateways so that the remote customer ASA can send its own Syslogs through the L2L VPN connection.
Then I guess you might want to consider configuring the Syslog to use TCP instead of UDP on the ASA. In this case I would recommend using the "logging permit-hostdown" command, since if you don't have it configured on an ASA and enable TCP Syslogging which for some reason isn't able to contact the Syslog server, then ALL traffic through the ASA will be blocked. And you probably won't want that.
I am not sure if there is any convenient way to manage the rules other than maybe handling setting them "active" or "inactive" through the ASDM. I would imagine in this case the managing of those rules would be faster and more convenient through ASDM, even though I personally do all ACL configurations through the CLI.
Hope this helps
- Jouni
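An added configuration example, not from the original thread or from Jouni's own devices, that puts the three points above side by side on one ASA: the wide-open UDP 514 rule the question describes, the per-customer ACEs with the "inactive" keyword, and TCP syslog for the ASA itself with "logging permit-hostdown". All addresses, object and ACL names, and the TCP port are assumptions for illustration; the syntax assumes ASA 8.3 or later, where ACLs reference the real (untranslated) inside address of the collector.

```cisco
! Added example (not from the original thread): hardening an ASA "outside" ACL
! for an Internet-facing syslog collector. Names and addresses are assumed.
! Assumed layout: collector 10.0.0.5 on "inside", public address 198.51.100.20,
! two customer source addresses 203.0.113.10 and 203.0.113.20.
!
! --- Weak: what "just open up UDP 514 and hope for the best" looks like ---
! access-list OUTSIDE_IN extended permit udp any host 10.0.0.5 eq syslog
!
! --- Corrected: one ACE per customer source, each individually toggleable ---
object network SYSLOG_SERVER
 host 10.0.0.5
 nat (inside,outside) static 198.51.100.20
!
! Customer A is being troubleshot right now: rule active
access-list OUTSIDE_IN extended permit udp host 203.0.113.10 host 10.0.0.5 eq syslog
! Customer B is not needed at the moment: rule stays in the config but is disabled
access-list OUTSIDE_IN extended permit udp host 203.0.113.20 host 10.0.0.5 eq syslog inactive
! Anything else aimed at the collector is dropped and logged, so unexpected
! senders show up in the ASA's own logs instead of silently reaching the server
access-list OUTSIDE_IN extended deny udp any host 10.0.0.5 eq syslog log
access-group OUTSIDE_IN in interface outside
!
! To re-enable customer B later, re-enter the same ACE without "inactive";
! to disable it again, re-enter it with "inactive" (there is no separate toggle).
!
! --- The ASA's own syslog over TCP, with the safety valve Jouni describes ---
logging enable
logging trap informational
logging host inside 10.0.0.5 tcp/1470
! Without the next line, a TCP syslog server that is unreachable makes the ASA
! block all through-traffic until the server comes back
logging permit-hostdown
```

The explicit "deny ... log" line is optional, since the ACL already ends in an implicit deny; it is there so that probes against the collector produce a log entry you can alert on rather than disappearing into the implicit drop. Customer traffic that must cross the Internet unencrypted is still readable in transit, which is why the L2L VPN option above is the better answer where both ends can support it.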
06-17-2013 10:24 AM
As always, thanks for the insightful help!
06-17-2013 10:27 AM
Hi,
Glad if it was of some help
Please do take the time to either mark the reply as the correct answer IF it answered your question, or rate helpful answers.
- Jouni