ZBF Logging (dropped packets) on IOS-XE

Hi,

I've configured a Cisco 4331 with the Zone Based Firewall (ZBF) features. Everything works fine so far, but when I wanted to take a closer look at the dropped packets I noticed that not all are shown.

I switched it on globally using:

parameter-map type inspect global
 log dropped-packets

Afterwards I tried to "attack" the router's protected "self" zone with a telnet and a port scan, which was all blocked as intended, but none of these blocked packets have been shown in the router's log (nor on the terminal monitor), whereas other blocked packets (going to different zones) are shown.

Any ideas?

Here is my configuration:

parameter-map type inspect global
 log dropped-packets

class-map type inspect match-any CM-INSPECT_GUESTS-TO-SELF
match access-group name CLM-ACL_INSPECT_GUESTS-TO-SELF

class-map type inspect match-any CM-PASS_GUESTS-TO-SELF
match access-group name CLM-ACL_PASS_GUESTS-TO-SELF_DHCP

class-map type inspect match-any CM-PASS_SELF-TO-GUESTS
match access-group name CLM-ACL_PASS_SELF-TO-GUESTS_DHCP


policy-map type inspect PM_SELF-TO-GUESTS
class type inspect CM-PASS_SELF-TO-GUESTS
pass
class class-default
drop log

policy-map type inspect PM_GUESTS-TO-SELF
class type inspect CM-INSPECT_GUESTS-TO-SELF
inspect
class type inspect CM-PASS_GUESTS-TO-SELF
pass
class class-default
drop log


ip access-list extended CLM-ACL_INSPECT_GUESTS-TO-SELF
permit icmp 192.168.51.0 0.0.0.255 host 192.168.51.1 echo
permit icmp 192.168.51.0 0.0.0.255 host 192.168.51.1 echo-reply


ip access-list extended CLM-ACL_PASS_GUESTS-TO-SELF_DHCP
permit udp any eq bootpc any eq bootps

ip access-list extended CLM-ACL_PASS_SELF-TO-GUESTS_DHCP
permit udp any eq bootps any eq bootpc

zone-pair security ZP_GUESTS-TO-SELF source ZN_GUESTS destination self
service-policy type inspect PM_GUESTS-TO-SELF

zone-pair security ZP_SELF-TO-GUESTS source self destination ZN_GUESTS
service-policy type inspect PM_SELF-TO-GUESTS

Many thanks!
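The configuration above can be checked mechanically before anyone looks at syslog. The following Python script is an added example, not from the original post or from Cisco: it parses the posted ZBF stanzas (embedded as a constructed sample, trimmed to the GUESTS-TO-SELF direction) and, for each zone-pair, resolves the attached policy-map, verifies that every class-map and ACL it references exists, and insists on an explicit `class-default` whose action is `drop log`, rather than relying on the implicit class-default or on the global `log dropped-packets` setting alone. The stanza-splitting rule (a block begins at a known top-level keyword and runs to the next one, because the pasted config carries no indentation) and the function names are my assumptions.

```python
import re

# Constructed sample: the ZBF stanzas from the post above, trimmed to the
# GUESTS-TO-SELF direction.  Child lines carry no indentation in the paste.
SAMPLE_CONFIG = """\
parameter-map type inspect global
 log dropped-packets
class-map type inspect match-any CM-INSPECT_GUESTS-TO-SELF
match access-group name CLM-ACL_INSPECT_GUESTS-TO-SELF
class-map type inspect match-any CM-PASS_GUESTS-TO-SELF
match access-group name CLM-ACL_PASS_GUESTS-TO-SELF_DHCP
policy-map type inspect PM_GUESTS-TO-SELF
class type inspect CM-INSPECT_GUESTS-TO-SELF
inspect
class type inspect CM-PASS_GUESTS-TO-SELF
pass
class class-default
drop log
ip access-list extended CLM-ACL_INSPECT_GUESTS-TO-SELF
permit icmp 192.168.51.0 0.0.0.255 host 192.168.51.1 echo
ip access-list extended CLM-ACL_PASS_GUESTS-TO-SELF_DHCP
permit udp any eq bootpc any eq bootps
zone-pair security ZP_GUESTS-TO-SELF source ZN_GUESTS destination self
service-policy type inspect PM_GUESTS-TO-SELF
"""

# Keywords that open a top-level stanza (assumption about the pasted layout).
TOP_LEVEL = ("parameter-map", "class-map", "policy-map", "ip access-list", "zone-pair")


def split_blocks(text):
    """Yield (header, [child lines]) for each top-level stanza."""
    header, children = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(TOP_LEVEL):
            if header is not None:
                yield header, children
            header, children = line, []
        elif header is not None:
            children.append(line)
    if header is not None:
        yield header, children


def parse_config(text):
    """Build lookup tables for zone-pairs, policy-maps (class -> action),
    class-maps (referenced ACL names), ACL names and the global log flag."""
    cfg = {"zone_pairs": {}, "policy_maps": {}, "class_maps": {},
           "acls": set(), "log_dropped_packets": False}
    for header, children in split_blocks(text):
        name = header.split()[-1]
        if header.startswith("parameter-map type inspect global"):
            cfg["log_dropped_packets"] = "log dropped-packets" in children
        elif header.startswith("class-map"):
            cfg["class_maps"][name] = [c.split()[-1] for c in children
                                       if c.startswith("match access-group name")]
        elif header.startswith("policy-map"):
            classes, current = {}, None        # dict keeps class order
            for c in children:
                if c.startswith("class "):
                    current = c.split()[-1]    # class-map name or "class-default"
                    classes[current] = None
                elif current and classes[current] is None:
                    classes[current] = c       # line after "class" is its action
            cfg["policy_maps"][name] = classes
        elif header.startswith("ip access-list"):
            cfg["acls"].add(name)
        elif header.startswith("zone-pair"):
            m = re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", header)
            if not m:
                continue
            policy = [c.split()[-1] for c in children if c.startswith("service-policy")]
            cfg["zone_pairs"][m.group(1)] = {"source": m.group(2), "destination": m.group(3),
                                             "policy": policy[0] if policy else None}
    return cfg


def audit(cfg):
    """Return findings; an empty list means every zone-pair ends in an explicit
    'class-default' with 'drop log' and every referenced class-map and ACL exists."""
    findings = []
    if not cfg["log_dropped_packets"]:
        findings.append("global: 'log dropped-packets' is not enabled")
    for zp, info in cfg["zone_pairs"].items():
        classes = cfg["policy_maps"].get(info["policy"])
        if not classes:
            findings.append(f"{zp}: policy-map {info['policy']} missing or empty")
            continue
        for cls in [c for c in classes if c != "class-default"]:
            acls = cfg["class_maps"].get(cls)
            if acls is None:
                findings.append(f"{zp}: class-map {cls} is not defined")
            else:
                findings += [f"{zp}: class-map {cls} references missing ACL {a}"
                             for a in acls if a not in cfg["acls"]]
        last_cls, last_action = list(classes.items())[-1]
        if last_cls != "class-default" or (last_action or "").split() != ["drop", "log"]:
            findings.append(f"{zp}: fall-through traffic is not an explicit 'drop log' "
                            f"(last class {last_cls!r}, action {last_action!r})")
    return findings
```

Run `audit(parse_config(SAMPLE_CONFIG))` and the posted config comes back clean, which is the point: the policy-map does end in `class-default` / `drop log`, so a missing log line for the telnet and port-scan drops is not explained by the policy structure itself and has to be chased on the device (policy-map counters per zone-pair and the logging level) rather than in the config text.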

4 Replies

No one any idea?

I have the same problem. Any help is appreciated.

Ever solved it?

Mine works - try splitting out this section into two policy maps.

You have an inspect and a pass both contained within a single PM (one for each CM) and finally a drop log.

The drop log is most probably applying to the latter 'pass' rule and thus not logging anything as everything has erm...passed!  :)

Happy to help.

Rob.

policy-map type inspect PM_GUESTS-TO-SELF
class type inspect CM-INSPECT_GUESTS-TO-SELF
inspect
class type inspect CM-PASS_GUESTS-TO-SELF
pass
class class-default
drop log
