Disable audit-trail for icmp packets in CBAC logging

filippos111
Level 1

Hi folks,

I have a Cisco 2811 router set up as a NAT/firewall gateway for my network. I've configured it for CBAC using ip inspect and an access list.

What I want is to use audit-trail to record network traffic (which means sending syslog messages to a server) concerning established sessions from my own network to locations in the outside.

If I configure this using ip inspect audit-trail and no ip inspect alert-off, the configuration looks like this:

Session audit trail is enabled
Session alert is enabled
one-minute (sampling period) thresholds are [400:500] connections
max-incomplete sessions thresholds are [400:500]
max-incomplete tcp connections per host is 50. Block-time 0 minute.
tcp synwait-time is 30 sec -- tcp finwait-time is 5 sec
tcp idle-time is 3600 sec -- udp idle-time is 30 sec
dns-timeout is 5 sec
Inspection Rule Configuration
Inspection name FIREWALL
    http alert is on audit-trail is on timeout 3600
    https alert is on audit-trail is on timeout 3600
    smtp max-data 20000000 alert is on audit-trail is on timeout 3600
    imap alert is on audit-trail is on timeout 3600
    pop3 alert is on audit-trail is on timeout 3600
    pop3s alert is on audit-trail is on timeout 3600
    igmpv3lite alert is on audit-trail is on timeout 30
    icmp alert is on audit-trail is on timeout 10
    ntp alert is on audit-trail is on timeout 30
    ssh alert is on audit-trail is on timeout 30
    sshell alert is on audit-trail is on timeout 30
    tcp alert is on audit-trail is on timeout 3600
    udp alert is on audit-trail is on timeout 30
    dns alert is on audit-trail is on timeout 30

which works just fine, but there is the matter of icmp packets.

Since I use polling software that needs to check some machines in the outside part of the network, it is only natural that several icmp sessions are established through the Inspection Rule per minute. The problem is that since these sessions are recorded along with everything else, my syslogs are flooded with these (since I am using logging trap informational), to the point that more messages are generated about icmp than all other traffic combined, especially in non-working hours.

What I am asking is a way for the audit-trail to be selectively disabled for icmp, so that the outgoing (echo) & incoming (echo reply) sessions can be established without generating syslog messages.

Thanks in advance.
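Before changing the inspect rule it is worth measuring how much of the audit trail ICMP really accounts for. The Python script below is an added example, not part of this thread or of Cisco's own tooling: it parses CBAC audit-trail syslog messages, counts them per inspected protocol and flags the protocols that dominate the log. The %FW-6-SESS_AUDIT_TRAIL_START / %FW-6-SESS_AUDIT_TRAIL message shapes are assumed from memory of IOS output, and the sample log lines are constructed; adjust the regexes to the exact wording your router sends.

```python
import re
from collections import Counter

# Message shapes are an assumption (from memory of IOS output); adjust to your own logs.
START_RE = re.compile(
    r"SESS_AUDIT_TRAIL_START: Start (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\)")
STOP_RE = re.compile(
    r"SESS_AUDIT_TRAIL: Stop (?P<proto>\w+) session: "
    r"initiator \((?P<src>[\d.]+):(?P<sport>\d+)\) sent (?P<sbytes>\d+) bytes -- "
    r"responder \((?P<dst>[\d.]+):(?P<dport>\d+)\) sent (?P<rbytes>\d+) bytes")

def parse_audit_trail(line):
    """Parse one syslog line; return a dict, or None if it is not an audit-trail message."""
    for event, rx in (("start", START_RE), ("stop", STOP_RE)):
        m = rx.search(line)
        if m:
            return {"event": event, **m.groupdict()}
    return None

def count_by_protocol(lines):
    """Count audit-trail messages (start and stop) per inspected protocol."""
    counts = Counter()
    for line in lines:
        rec = parse_audit_trail(line)
        if rec:
            counts[rec["proto"]] += 1
    return counts

def noisy_protocols(counts, share=0.5):
    """Protocols producing more than `share` of all audit-trail messages:
    candidates for a per-protocol 'audit-trail off' override in the inspect rule."""
    total = sum(counts.values())
    return sorted(p for p, n in counts.items() if total and n / total > share)

# Constructed sample log: one HTTP session and two ICMP polls from a monitoring host.
SAMPLE_LOG = [
    "Feb 1 02:00:01 gw 101: %FW-6-SESS_AUDIT_TRAIL_START: Start http session: initiator (192.168.1.20:51122) -- responder (203.0.113.10:80)",
    "Feb 1 02:00:02 gw 102: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.1.5:8) -- responder (203.0.113.1:0)",
    "Feb 1 02:00:12 gw 103: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (192.168.1.5:8) sent 64 bytes -- responder (203.0.113.1:0) sent 64 bytes",
    "Feb 1 02:00:20 gw 104: %FW-6-SESS_AUDIT_TRAIL_START: Start icmp session: initiator (192.168.1.5:8) -- responder (203.0.113.2:0)",
    "Feb 1 02:00:30 gw 105: %FW-6-SESS_AUDIT_TRAIL: Stop icmp session: initiator (192.168.1.5:8) sent 64 bytes -- responder (203.0.113.2:0) sent 64 bytes",
    "Feb 1 02:00:35 gw 106: %SYS-5-CONFIG_I: Configured from console by admin on vty0",
    "Feb 1 02:00:40 gw 107: %FW-6-SESS_AUDIT_TRAIL: Stop http session: initiator (192.168.1.20:51122) sent 812 bytes -- responder (203.0.113.10:80) sent 14211 bytes",
]

if __name__ == "__main__":
    counts = count_by_protocol(SAMPLE_LOG)
    print(dict(counts), "noisy:", noisy_protocols(counts))
```

Feed it a real syslog file (one message per line) to see which inspected protocols deserve their own audit-trail off line before touching the rule.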

Accepted Solution

johnlloyd_13
Level 9

hi,

could you try in global config:

ip inspect name FIREWALL icmp alert on audit-trail off timeout 10
