02-20-2019 07:45 AM
Hello All,
Cisco ISR4331/K9 Router, Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1).
The router is configured with a Zone-Based Firewall configuration to handle all my customer traffic. I have created extended access-lists and associated the class-maps with them. Everything is working fine, but I am not able to see any hits in my ACL logs. Can someone please advise?
Router Configuration:
class-map type inspect match-any E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
 match access-group name E_FW_OUTSIDE_TO_SLF_ACL_04
class-map type inspect match-any E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
 match access-group name E_FW_SLF_TO_OUTSIDE_ACL_06
class-map type inspect match-all E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
 match access-group name E_FW_INSIDE_TO_OUTSIDE_ACL_01
class-map type inspect match-any E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
 match access-group name E_FW_OUTSIDE_TO_INSIDE_ACL_03
class-map type inspect match-any E_FW_INSIDE_TO_SLF_98_CLASS_MAP
 match access-group name E_FW_INSIDE_TO_SLF_ACL_02
class-map type inspect match-any E_FW_SLF_TO_INSIDE_98_CLASS_MAP
 match access-group name E_FW_SLF_TO_INSIDE_ACL_05
policy-map type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
 class type inspect E_FW_OUTSIDE_TO_INSIDE_CLASS_MAP
  inspect E_FW_GLOBAL_PARAMETER_MAP
 class class-default
  drop log
policy-map type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
 class type inspect E_FW_INSIDE_TO_SLF_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
 class type inspect E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP
  inspect E_FW_GLOBAL_PARAMETER_MAP
 class class-default
  drop log
policy-map type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
 class type inspect E_FW_SLF_TO_OUTSIDE_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
 class type inspect E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP
  pass
 class class-default
  drop log
policy-map type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
 class type inspect E_FW_SLF_TO_INSIDE_98_CLASS_MAP
  pass
 class class-default
  drop log
zone security E_FW_INSIDE_ZONE
 description --- CUSTOMER_ZONE_ACCESS_SECURITY_ZONE
zone security E_FW_OUTSIDE_ZONE
 description --- OUTSIDE ZONE_ACCESS_SECURITY_ZONE
description --- CUSTOMER_ZONE_INTERNET_ACCESS_ZONE_PAIRING
service-policy type inspect E_FW_INSIDE_TO_OUTSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_INSIDE_TO_SLF source E_FW_INSIDE_ZONE destination self
 description --- Customer LAN to Router originated traffic
 service-policy type inspect E_FW_INSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_INSIDE source E_FW_OUTSIDE_ZONE destination E_FW_INSIDE_ZONE
 description --- OUTSIDE ZONE_INTERNET_ACCESS_ZONE_PAIRING
 service-policy type inspect E_FW_OUTSIDE_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_OUTSIDE_TO_SLF source E_FW_OUTSIDE_ZONE destination self
 description --- Public internet to router originated traffic
 service-policy type inspect E_FW_OUTSIDE_TO_SLF_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_INSIDE source self destination E_FW_INSIDE_ZONE
 description --- Router originated traffic to customer LAN
 service-policy type inspect E_FW_SLF_TO_INSIDE_POLICY_MAP
zone-pair security E_FW_ZON_PAIR_SLF_TO_OUTSIDE source self destination E_FW_OUTSIDE_ZONE
 description --- Router to IPSN
 service-policy type inspect E_FW_SLF_TO_OUTSIDE_POLICY_MAP
Thanks in advance.
02-20-2019 10:09 AM
If I understand the post correctly, you have configured and implemented Zone Based Firewall. It is working fine, but you are concerned that when you do show access-list you do not see hit counts on the acl entries. I observe that with some recent OS you may not get hit counts on an acl, especially if the acl is not applied to control traffic on an interface with access-group. If ZBF is working fine, my advice is to not worry about hit counts on the acl.
HTH
Rick
02-20-2019 10:57 AM
Hello,
Richard is absolutely right. Check the section 'Restrictions for Zone-Based Policy Firewalls' in the link below:
--> Access control lists (ACLs) in a class map are used only for classification; the firewall does not display the packet count that matches the configured ACLs.
02-20-2019 11:27 AM
I knew that this was the case with some use of acl. +5 to Georg for finding the document that specifies it is the case for ZBF.
HTH
Rick
02-20-2019 03:10 PM
Hello,
What will be the solution if I need to see the hit counts on an acl?
I have a CISCO2921/K9 as my backup; if I do "show ip access-list" there, it gives me the hit counts. It has the exact same configuration.
Thanks in advance.
02-21-2019 05:16 AM
I do not believe that there is a solution on the 4331 to display the hit count for acl used for ZBF. I am surprised that the behavior of the 2921 is different. But the OS for the 2921 is quite different from the OS on the 4331. And the document referenced by Georg is quite clear that for the 4331 it will not display the hit count.
HTH
Rick
02-21-2019 09:00 AM
Hi,
My router is currently running
Cisco IOS XE Software, Version 03.16.04b.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S4b, RELEASE SOFTWARE (fc1)
Just want to eliminate the last thing on my mind: is the issue fixed in any of the latest software releases?
02-21-2019 09:56 AM
I think as of the current release, your only option is to see per-filter statistics (for class maps with the match-any parameter configured):
4331# show policy-map type inspect zone-pair xxxxx
02-21-2019 01:54 PM
The question "is the issue fixed in any of the latest software releases" suggests that there is a bug in the code that will be corrected. The document that Georg gave us does not describe this as a bug but describes how the code is intended to operate. Therefore I do not expect any "fix" for the behavior.
It might be helpful to remember that the team that wrote the IOS XE code for the 4331 is different from the team that wrote the IOS code for the 2921. The team for IOS XE approaches some things differently, and it sure looks like hit count in acl is one of those things that they approach differently. Cisco is a big company with multiple product lines. While we expect similar behavior in major features across the various products we must accept that there will be differences in the details of how they work.
HTH
Rick
12-04-2019 03:30 AM
The 2921 has IOS; the 4k router works under IOS-XE. This is a problem of the ZBFW implementation in a certain IOS software line. I can see the same behavior on the ISR1100, under IOS-XE.
Has anybody found any workaround to see ACL hits under ZBFW?
I have the same problem. Our service suppliers can't define TCP/UDP ports properly, and I expect to have more records in the ACL than I need. Having ACL counters with hits would help me remove unneeded records from the ACL. I can analyze traffic with Wireshark, but it takes more time.
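Georg's per-filter suggestion above and this post's wish to prune unneeded ACL entries, illustrated with an added example that is not from the thread or from Cisco: a small parser for "show policy-map type inspect zone-pair" output that lists filters with zero matches and filters that get no counter at all (match-all class maps). The sample output is constructed for the example and the exact layout (Match line followed by a "N packets, M bytes" line) is an assumption about the command's format; verify it against your own router before relying on it.

```python
import re

# Constructed 'show policy-map type inspect zone-pair' sample (names from the
# thread's config, counters invented): only match-any classes print per-filter counters.
SAMPLE_OUTPUT = """\
 Zone-pair: E_FW_ZON_PAIR_INSIDE_TO_OUTSIDE
  Class-map: E_FW_INSIDE_TO_OUTSIDE_CLASS_MAP (match-all)
   Match: access-group name E_FW_INSIDE_TO_OUTSIDE_ACL_01
   Inspect
 Zone-pair: E_FW_ZON_PAIR_OUTSIDE_TO_SLF
  Class-map: E_FW_OUTSIDE_TO_SLF_98_CLASS_MAP (match-any)
   Match: access-group name E_FW_OUTSIDE_TO_SLF_ACL_04
    42 packets, 3024 bytes
   Match: protocol icmp
    0 packets, 0 bytes
   Pass
    42 packets, 3024 bytes
"""
ZP_RE = re.compile(r"^\s*Zone-pair:\s+(\S+)")
CM_RE = re.compile(r"^\s*Class-map:\s+(\S+)\s+\(match-(any|all)\)")
MATCH_RE = re.compile(r"^\s*Match:\s+(.+?)\s*$")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets,\s+\d+\s+bytes")

def parse_zone_pair_stats(text):
    """Return {(zone_pair, class_map): {match_filter: packets}};
    None marks a filter the platform printed no counter for."""
    stats, zp, cm, filt = {}, None, None, None
    for line in text.splitlines():
        if m := ZP_RE.match(line):
            zp = m.group(1)
        elif m := CM_RE.match(line):
            cm = m.group(1)
            stats[(zp, cm)] = {}
        elif m := MATCH_RE.match(line):
            filt = m.group(1)
            stats[(zp, cm)][filt] = None
            continue  # a counter on the next line belongs to this filter
        elif (m := COUNT_RE.match(line)) and filt is not None:
            stats[(zp, cm)][filt] = int(m.group(1))
        filt = None  # action lines (Pass/Drop/Inspect) end the filter
    return stats

def filters_by_status(stats):
    """Return (never-matched filters, filters with no counter at all)."""
    unused = [(zp, cm, f) for (zp, cm), fs in stats.items()
              for f, n in fs.items() if n == 0]
    uncounted = [(zp, cm, f) for (zp, cm), fs in stats.items()
                 for f, n in fs.items() if n is None]
    return unused, uncounted
```

A zero counter only means "not matched since the last counter reset", so collect output over a long enough window before removing an entry.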
12-04-2019 04:22 AM
Hello,
I just checked the ZBF configuration guide for the latest 16.9 release (see link below); unfortunately, the same restriction still applies...
Only per-filter statistics are available under the zone pair: