Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
4257
Views
0
Helpful
0
Comments

How to configure the PIX 500 Series Firewall to monitor traffic that passes through the PIX

TCC_2
Level 10
Level 10

‎06-18-2009 04:02 PM - edited ‎03-08-2019 06:06 PM

Resolution

Use the logging command in order to monitor the traffic that passes through the PIX Firewall.

Issue the logging command in order to enable or disable informational messages to the console sends to a syslog server, to an SNMP management station, or PIX Device Manager (PDM).

There are some important notes:

  1. Use the logging buffered command instead of the logging console command in order to start logging when the PIX is in production mode. The logging console command degrades system performance. By default, this command is disabled. Use the show logging command in order to view log messages, and the clear logging command in order to clear the buffer so it is easy to view the most current messages. 

  2. The PIX provides more information in messages sent to a syslog server than at the console. However, the console provides enough information to permit effective troubleshooting. 

  3. The logging timestamp command requires the clock command to be set.

The syslogs that PIX generates can be viewed from the console and from a Telnet console session.

Perform these steps in order to view syslog messages from the PIX console:

  1. Issue the logging buffered command in order to store syslog messages for display at the PIX console.

    For example, logging buffered 7. The value 7 causes all syslog message levels to be stored in the buffer. If required, set the value to a lower number to view fewer messages. For a list of messages that appear at each severity level, refer to Cisco Security Appliance System Log Messages, Version 7.0. 

  2. Issue the show logging command in order to view the log messages. 

  3. Issue the clear logging command in order to clear the buffer. 

  4. Issue the no logging buffered command in order to disable the storage of messages. 

    New messages appear at the end of the logging listing.

       

Perform these steps in order to view syslog messages from a Telnet console session:

  1. Issue the telnet command in order to configure the PIX to allow a host on an internal interface to access the PIX.

    If IPSec is enabled, the Telnet console can be accessed from the outside interface. For example, if a host on the inside interface has the IP address 192.168.1.2, the command must be: 

    telnet 192.168.1.2 255.255.255.255 inside

     

    Set the duration for which a Telnet session can be idle before the PIX disconnects the session. The default value is five minutes. A good value to set is 15 minutes, which can be set through the telnet timeout 15 command.

     

    Start Telnet from the host and specify the inside interface of PIX. For example, if the inside interface of PIX is 192.168.1.1, the command is telnet 192.168.1.1.

     

    When Telnet connects, the PIX prompts with the PIX passwd: prompt.

       
  2. Type the Telnet password, which is cisco by default. 

  3. Issue the enable command, and then the configure terminal command in order to get to the configuration mode. 

  4. Start message logging with the logging monitor command. 

  5. Issue the terminal monitor command in order to display messages directly to the Telnet session. 

    Note: Issue the terminal no monitor command in order to disable the direct display of messages on the Telnet session.

       
  6. Ping a host, or start a browser to trigger some events. The syslog messages must appear in the Telnet session window. 

  7. When done, disable this feature with these commands:

  • terminal no monitor    

  

  • no logging monitor

How to Send Syslog Messages to a Syslog Server

The PIX can send syslog messages to any syslog server. If all syslog servers are offline, the PIX stores up to 100 messages in memory. Subsequent messages that arrive overwrite the buffer, starting from the first line.

Perform these steps in order to send messages to a syslog server:

  1. Issue the logging host command in order to designate a host to receive the messages. For example: 

    logging host interface address [ protocol/port ]

     

    Replace interface with the interface on which the server exists, and replace address with the IP address of the host. This is an example for the logging host command:

     

    logging host outside 209.165.201.5

     

    If the syslog server receives messages on a non-standard port, replace the protocol with udp and the port with the new port value. The default protocol is UDP with a default port of 514. Alternatively, specify TCP with a default of 1468. To date, there is only one TCP syslog server, the Cisco PIX Firewall Syslog Server (PFSS). Refer to PIX Firewall Syslog Server (PFSS) for more information.

     

    Only one logging host UDP or TCP command statement is permitted for a specific syslog server. A subsequent command statement overrides the previous one. Issue the write terminal command in order to view the logging host command statement in the configuration. The UDP option displays as 17 and the TCP option displays as 6.

       
  2. Set the logging level with the logging trap command. For example, logging trap debugging

    Note: Cisco recommends that the debugging level is used during initial setup and during testing. Thereafter, set the level from debugging to errors for production use.

       
  3. Set the logging facility command to a value other than the default value of 20 (if necessary). Most UNIX systems expect the messages to arrive at facility 20, which receives the messages in the local4 receiving mechanism. 

  4. Issue the logging on command in order to start sending messages. 

    Note: In order to disable sending messages, issue the no logging on command.

       
  5. Issue the clock set command in order to set the PIX system clock. Issue the logging timestamp command to enable time stamping. For example: 

    clock set 14:25:00 apr 1 1999

     

    logging timestamp

     

    In this example, the clock is set to the current time of 2:25 pm on April 1, 1999, and time stamping is enabled. In order to disable timestamp logging, issue the no logging timestamp command.

       

Note: By default, log messages are sent over UDP using UDP port 514. If there is another application in the network that uses UDP port 514, the log messages do not reach the syslog server. Use a port scanner in the network to ensure that no other application uses UDP port 514, if default options of the logging command are configured.

Refer to these documents for information on how to configure the PIX to send syslog messages to a server or to the console:

For information on how to install PDM, refer to Cisco PIX Device Manager.

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents