Logging drop packets on the devices with zbf inspect

dijix1990
VIP

I'm interested.

How can I see dropped packets in the device's buffer (show log) if I chose the action inspect?

1. I tried to enable the action "Audit Trail", but it didn't show the dropped packets. To be honest, it didn't show sessions from outside to the device - self-zone (I have FW for self-zone); I only saw sessions from self-zone to outside.

2. I tried to use "Network Wide Path Insight", but it didn't show information about VPN 0.

Maybe it doesn't have a function to see dropped packets on the device and I need to configure an external syslog server.

 

17 Replies

I cannot help with these traces (with debugging or understanding the exact reason), but it can be due to an excessive number of logs (default drop), if it is a production environment. Create an explicit drop for required connections (like SSH) and leave the implicit drop (from the drop-down menu) for dropping other traffic. If you still need to log everything in any case, then you will need a high-speed logging configuration:

https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/m-firewall-17.html#concept_0CFD43B24B544D8583777D8B25191292

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

There weren't many drops.

I think this one is more convenient 

From Cisco IOS XE Release 17.11.1a and Cisco vManage Release 20.11.1, you can configure up to four destination servers to export the syslogs to; the IP addresses for these destination servers can be IPv4, IPv6, or both. You also have the option to specify a source interface for HSL.

Thanks, I will try and come back with the result 
