RE: [fw-wiz] Appropriate PIX logging level

> Hi guys,

as well as those of us who are *not* guys, i hope ;-)

> At a minimum I think we should be logging and analyzing: date/time,
> interface(s), src/dst IP, src/dst port, proto, allow/deny,
> rule applied (, other?). Does that seem right? What about SYN/ACK and so on?

here's one point to consider. it sounds like you're focussing only on the
logs of network traffic in the vicinity of your PIX. but keep in mind that
if it's correctly configured to allow only the traffic required by your
business requirements, then the traffic logs aren't particularly
interesting, or at least aren't obviously the best place to start.

i'm always more interested in capturing logs of administrative activity on
my firewall (in particular, changes to the access control configuration);
login attempts on the firewall; unexpected reboots etc.

you might be interested in the firewall logging doc that i compiled and
co-wrote, with heaps of assistance from chris brenton and a couple of other
folks. brian ford .... oh brian ford ... where's my PIX contribution???

(beware the evil line wrap)

cheers - tbird

firewall-wizards mailing list
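Added example, not from the post or from Cisco: a small Python triage that separates the administrative events the reply says to watch first (config changes, login attempts, reboots) from the traffic records the question lists fields for. The PIX message IDs and the sample syslog lines are assumptions based on Cisco PIX syslog conventions and are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample PIX syslog lines (not from the original thread).
SAMPLE_LOG = """\
%PIX-4-106023: Deny tcp src outside:203.0.113.7/4242 dst inside:192.0.2.10/445 by access-group "outside_in"
%PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/50123 (203.0.113.9/50123) to inside:192.0.2.20/80 (192.0.2.20/80)
%PIX-6-605005: Login permitted from 192.0.2.5/1034 to inside:192.0.2.1/ssh for user "admin"
%PIX-6-605004: Login denied from 203.0.113.11/3355 to outside:198.51.100.1/telnet for user "root"
%PIX-5-111008: User 'admin' executed the 'access-list outside_in permit tcp any host 192.0.2.20 eq 80' command.
"""

# Administrative message IDs to route to the high-priority bucket
# (assumed from Cisco PIX syslog conventions; the post names no IDs).
ADMIN_IDS = {"111008": "config change", "605004": "login denied",
             "605005": "login permitted", "199002": "startup/reboot"}

HEADER = re.compile(r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)")
# Traffic deny record: proto, src/dst interface, IP, port and the rule applied.
DENY = re.compile(r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) "
                  r"dst (?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<rule>[^\"]+)\"")

def parse_line(line):
    """Return a dict describing one PIX syslog line, or None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    sev, mid, msg = m.group("sev"), m.group("id"), m.group("msg")
    if mid in ADMIN_IDS:
        return {"kind": "admin", "id": mid, "sev": sev, "event": ADMIN_IDS[mid], "msg": msg}
    d = DENY.match(msg)
    if d:
        rec = d.groupdict()
        rec.update(kind="traffic", id=mid, sev=sev, action="deny")
        return rec
    return {"kind": "traffic", "id": mid, "sev": sev, "action": "other", "msg": msg}

def triage(text):
    """Bucket log lines into 'admin' (review first) and 'traffic' records."""
    buckets = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            buckets[rec["kind"]].append(rec)
    return buckets

if __name__ == "__main__":
    for kind, recs in triage(SAMPLE_LOG).items():
        print(kind, len(recs), [r.get("event", r.get("action")) for r in recs])
```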
