02-12-2009 11:21 AM - edited 03-11-2019 07:49 AM
Hi,
I have a FWSM set-up in multiple context mode. Management of the FWSM is purely through the admin context. The other contexts have no access (no routes) to the management LANs.
I can get syslog etc. from the admin context to my management servers no problem. However I am unable to achieve the same from the other contexts.
From what I can see, this will be due to the other contexts not having access to the management LAN.
Is there anyway I can get the syslog information from the other contexts via the admin context?
I am reluctant to engineer access to the management LAN from the other contexts, as they are on isolated virtual networks with no current access (and no other need for access) at this time.
Any thoughts?
Regards,
David
02-12-2009 11:29 AM
David
You have 2 choices really
1) Have the management LAN as a shared vlan between your contexts.
2) Route the syslog messages from the contexts to the management LAN.
It's not clear from your topology how the routing would work.
The advantage of allowing all contexts access to the management LAN is that you are not setting up additional access rules / NAT statements, but it comes with the risk of "backdoors" into your management LAN.
Really need more info on how your topology is laid out: where the management LAN is, does it have a routed interface on the MSFC or is it purely connected to your admin context? But as I say, you really only have the above 2 choices.
Jon
02-12-2009 04:09 PM
Hi Jon,
Thanks for your answer - this was the conclusion I was coming to but trying to avoid.
To answer your questions, the management LAN is elsewhere, but is routed into a VRF on the MSFC, the Admin context only has an interface into the same VRF.
Option 1, I'm thinking is not going to be available as some of the contexts are transparent, so can't share the VLAN between them. So option 2 it shall have to be...
Regards,
David
03-16-2009 02:59 AM
Hi Jon
Can you please explain the config (option 2) a bit more?
We have the same issue. The admin context is routed, and all other contexts are transparent.
As a result only syslog messages from the admin context are received at the syslog server.
Best regards
Jarle
03-16-2009 12:19 PM
Hi Jarle,
In short, with option 2, the transparent firewall needs to (somehow) have its own independent route to the management network containing your syslog server.
The firewalls effectively work independently, so for management purposes imagine you had a pile of 20 firewalls, all of which need to talk to the management network. (grr!)
The transparent context can be configured with a BVI address and routing as normal; your syslogs can be sourced from there.
Regards,
David
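For readers wanting to see what option 2 looks like in practice, the following is an added configuration example, not config posted by any of the participants above. It shows one transparent FWSM context given its own management IP address (the "BVI address" David refers to), a default route for the context's own traffic, and a syslog host reachable over that route. The VLAN IDs, context name, addresses, the MSFC next hop 10.20.0.1 and the syslog server 192.0.2.50 are all assumed for illustration.

```text
! --- System execution space: hand two VLANs to the context (hypothetical IDs) ---
context CTX-A
  allocate-interface vlan200
  allocate-interface vlan201
  config-url disk:/CTX-A.cfg

! --- Inside context CTX-A (transparent mode) ---
firewall transparent
hostname CTX-A
interface Vlan200
  nameif outside
  security-level 0
interface Vlan201
  nameif inside
  security-level 100
! Management IP of the transparent context; it must sit in the bridged subnet
ip address 10.20.0.5 255.255.255.0
! Default route used only by traffic the context itself originates (syslog, AAA, NTP).
! 10.20.0.1 is assumed to be the MSFC SVI on the outside VLAN.
route outside 0.0.0.0 0.0.0.0 10.20.0.1
! Syslog is sourced from 10.20.0.5 toward the management LAN server (assumed address).
logging enable
logging timestamp
logging trap informational
logging device-id context-name
logging host outside 192.0.2.50
```

Two points to check before relying on this. First, the next hop the context routes to must itself be able to reach the management LAN; where the management LAN lives in its own VRF on the MSFC, as in David's topology, that means an inter-VRF route or a static leak on the MSFC, not just the route inside the context. Second, this is exactly the extra path into the management LAN Jon warned about, so the ACL on that MSFC hop (or on the management VRF edge) should permit only the syslog protocol and port, UDP/514 by default, from each context's management IP to the syslog server and deny everything else, so that each context gets a one-way logging path rather than general reachability into management. `logging device-id context-name` makes the messages from different contexts distinguishable on the collector when they all arrive with different source addresses.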