RE: [fw-wiz] Appropriate PIX logging level



-----Original Message-----
Subject: Re: [fw-wiz] Appropriate PIX logging level

David Lang wrote:
I was actually just starting to look into this; I'm being blasted by
the messages from the pix when it rejects a broadcast packet (I'm
getting 43,000 log entries per day based on the firewalls rejecting
each server that's in a HA configuration and using broadcast udp
packets for their heartbeat, that adds up to a LOT of log entries when
there are several dozen such clusters)

If what you need is for the PIX to handle but not log certain policy events,
use 'log disable' in your ACLs:

access-list acl_inside deny udp any 10.0.255.255 eq 694 log disable

But, I think this is a bad idea for a number of reasons. First, this is not
a lot of data. 43K syslog events from a PIX is going to be less than 10MB
of actual data before parsing or compression. Even on a P2 running NT and
Kiwi, this is not a lot of data.

Second, making these events disappear will skew any firewall performance
statistics that you may want to do with these logs.

Third, even if these events aren't individually important, the volume of
them could be, specifically drastic and sudden changes in that volume.

Log data is all contextual. To throw out even mundane events is to
literally miss the whole picture and will probably come back to bite you
later. Just my unsolicited $0.02.

PaulM


_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
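Paul's third point, that the rate of these mundane deny events is itself a signal, is the kind of thing a short log-volume check makes concrete. The script below is an added example, not code from either poster or from Cisco: it parses the standard PIX 106023 "Deny ... by access-group" syslog message, buckets the denies per hour per ACL/protocol/port, and flags any hour whose count is far above or below the median of the preceding hours. The log lines are constructed to mimic the heartbeat scenario (a steady trickle of udp/694 denies, then a surge, then silence), and the 3x threshold is an assumption you would tune to your own baseline. Everything this script would report is exactly what `log disable` on that ACL entry would make invisible.

```python
"""Hourly volume check over PIX ACL deny events (added example, constructed data)."""
import re
import statistics
from datetime import datetime

# Standard PIX 106023 message: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
PIX_DENY = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ %PIX-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)


def constructed_sample():
    """Build constructed syslog lines (not a real capture): 6 heartbeat denies per hour
    for three hours, a 36-event surge in hour 3, then nothing in hour 4."""
    template = ('Mar 12 {h:02d}:{m:02d}:07 fw1 %PIX-4-106023: Deny udp src '
                'inside:10.0.1.{host}/694 dst inside:10.0.255.255/694 by access-group "acl_inside"')
    lines = []
    for hour, count in [(0, 6), (1, 6), (2, 6), (3, 36), (4, 0)]:
        for i in range(count):
            lines.append(template.format(h=hour, m=i * 60 // count, host=5 + i % 3))
    # One unrelated deny so the 04:00 bucket exists and the heartbeat series shows a real zero.
    lines.append('Mar 12 04:15:22 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.9/40321 '
                 'dst inside:10.0.2.8/23 by access-group "acl_outside"')
    return lines


def parse(lines):
    """Return [(timestamp, (acl, proto, dport))] for every 106023 line; other lines are skipped."""
    events = []
    for line in lines:
        m = PIX_DENY.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S')  # syslog has no year; fine for bucketing
        events.append((ts, (m['acl'], m['proto'], m['dport'])))
    return events


def hourly_counts(events):
    """Return {key: [count per hour]} from the first to the last observed hour, zero-filled."""
    if not events:
        return {}
    hours = [ts.replace(minute=0, second=0, microsecond=0) for ts, _ in events]
    start, end = min(hours), max(hours)
    n_buckets = int((end - start).total_seconds() // 3600) + 1
    series = {}
    for hour, (_, key) in zip(hours, events):
        idx = int((hour - start).total_seconds() // 3600)
        series.setdefault(key, [0] * n_buckets)[idx] += 1
    return series


def flag_volume_shifts(series, factor=3.0):
    """Flag an hour as 'surge' or 'drop' when it deviates by `factor` from the median of
    all earlier hours. Returns [(key, hour_index, kind, count, baseline)]."""
    alerts = []
    for key, counts in series.items():
        for i in range(1, len(counts)):
            baseline = statistics.median(counts[:i])
            if baseline == 0:
                continue  # no history yet for this key; nothing to compare against
            if counts[i] >= factor * baseline:
                alerts.append((key, i, 'surge', counts[i], baseline))
            elif counts[i] <= baseline / factor:
                alerts.append((key, i, 'drop', counts[i], baseline))
    return alerts


def analyze(lines, factor=3.0):
    """Parse, bucket and flag in one call."""
    return flag_volume_shifts(hourly_counts(parse(lines)), factor)


if __name__ == '__main__':
    for key, hour, kind, count, baseline in analyze(constructed_sample()):
        print(f'{kind:5s} acl={key[0]} {key[1]}/{key[2]} hour+{hour}: {count} denies (baseline {baseline})')
```

Run against the constructed sample it reports a surge in hour 3 (36 denies against a baseline of 6) and a drop to zero in hour 4. The surge is the interesting case for a heartbeat cluster (a split or a misbehaving node), and the drop is the one people forget: if the denies stop, either the cluster stopped talking or the firewall stopped logging, and both are worth a look.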


