My boss has told me to monitor the PIX firewall for our company and write a monthly report. So I'm sitting for hours in front of the PIX staring at the green power light. Our firewall seems to be OK. The green light is constantly on. ;-))
I've read the Cisco Cookbook, a valuable source of how-to guides. This explains how to monitor using SNMP and how to collect the syslog. Also the PIX Firewall Handbook tells me to frequently have a look at the syslog for important messages.
So far I have a limited idea what to look for. I intend to have an mrtg (www.mrtg.org)-like graph for each interface. I'm also considering looking for syslog messages that say "user failed to authenticate for VPN connection". But is that really everything?
What do you monitor on your PIX (or Cisco router) and what do you report?
If you know the SNMP OID or PIX syslog number then please add this information, it really helps me.
Thanks in advance,
Some basic commands I would use to monitor a pix are:
show cpu usage
show conn count
Your best bet would be to get an SNMP application to monitor some of these stats for you and that can build reports.
I would also have the pix send events to a syslog server and monitor that log for events triggered by any of the pix's 55 attack signatures. I am not sure what the exact syslog message number is for each attack signature but here is a link to all the pix syslog message numbers.
Good luck, please rate if this was helpful.
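A small Python script, added here as an example and not part of this thread, that turns a PIX syslog export into the counts such a monthly report needs: messages per syslog ID, IDS signature numbers (the "IDS:nnnn" text of the 4000xx messages) and authentication failures per user. The log lines are constructed for the example; the only format it relies on is the standard "%PIX-severity-msgid:" header.

```python
import re
from collections import Counter

# Header of every PIX syslog message: %PIX-<severity>-<message_id>: <text>
PIX_HEADER = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
# IDS messages carry the signature number in their text, e.g. "IDS:2003 ICMP redirect ..."
IDS_SIG = re.compile(r"^IDS:(?P<sig>\d+) ")
# AAA failures name the user; the quotes around the name are optional
AUTH_FAIL = re.compile(r"^Authentication failed for user '?(?P<user>[^' ]+)'?")

# Constructed sample log (not taken from the thread), PIX 6.x style, with one non-PIX line
SAMPLE_LOG = """\
Mar  1 10:00:01 pix %PIX-6-302013: Built inbound TCP connection 1234 for outside:203.0.113.5/40000 to inside:10.0.0.5/80
Mar  1 10:00:02 pix %PIX-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 10.0.0.1 on interface outside
Mar  1 10:00:03 pix %PIX-4-400013: IDS:2003 ICMP redirect from 203.0.113.9 to 10.0.0.1 on interface outside
Mar  1 10:00:04 pix %PIX-6-109006: Authentication failed for user 'alice' from 198.51.100.7/1024 to 10.0.0.2/1723 on interface outside
Mar  1 10:00:05 pix %PIX-4-400007: IDS:1100 IP fragment attack from 203.0.113.44 to 10.0.0.8 on interface outside
Mar  1 10:00:06 pix last message repeated 2 times
"""

def parse_line(line):
    """Return (severity, msgid, text) or None for a line without a PIX header."""
    m = PIX_HEADER.search(line)
    if not m:
        return None
    return int(m.group("sev")), m.group("msgid"), m.group("text")

def summarize(log_text):
    """Aggregate the counters a monthly report would be built from."""
    report = {"by_msgid": Counter(), "ids_signatures": Counter(),
              "auth_failures": Counter(), "unparsed": 0}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:          # keep a count so a broken export is noticed
            report["unparsed"] += 1
            continue
        sev, msgid, text = parsed
        report["by_msgid"][msgid] += 1
        ids = IDS_SIG.match(text)
        if ids:
            report["ids_signatures"][int(ids.group("sig"))] += 1
        auth = AUTH_FAIL.match(text)
        if auth:
            report["auth_failures"][auth.group("user")] += 1
    return report

if __name__ == "__main__":
    r = summarize(SAMPLE_LOG)
    for msgid, n in sorted(r["by_msgid"].items()):
        print(f"{msgid}: {n}")
    print("IDS signatures:", dict(r["ids_signatures"]))
    print("auth failures:", dict(r["auth_failures"]), "unparsed:", r["unparsed"])
```

Feed it the month's syslog file instead of SAMPLE_LOG; a steady rise in one IDS signature or one user's failures is what the report should point out.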
This link is a little more current for the messages. What OS version are you running?
Check this link for some monitoring info-
Also, check out the Cisco Security MARS appliance that analyzes and correlates security events, syslog, etc. and can help determine the actual attack path and provide mitigation options...
If you are interested in the attack signatures and what they are, use the PDM and go to System properties-Intrusion Detection-IDS Signature and you can see the list of signatures there...