Re: [fw-wiz] Not getting all our denied logs from Cisco FWSM



Kim Cary wrote:
While we're slogging through the beauracracy and shell game of our
TAC case at Cisco, I thought I'd ask the list whether any of you have
seen intermittent failures to send 106100 'denied' log entries from
your FWSM. We're on 2.3(3). As it turns out, these entries our
important to our operations and we're only getting about 10% of them.

We don't seem to be able to get around the deny-flow-max default of
4096. One would think that when those flows are exceeded, you would
just get the messages logged, wouldn't you? Am I missing something,
or is the firewall just throwing these away. We don't want it to do
that!!

I know Cisco is trying to not pass along a DOS here, but is there any
way to get them to STOP holding my hand and just send the logs?

The really annoying thing is, we get 100% of our 'permitted' 106100,
so I guess if someone is DOS-ing an open port they can get our syslog
server 'dos-ed' too.
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Kim,

That's truly annoying - Cisco makes a lot of presumptions, security
wise, on how things 'should' work to be secure.

That being said - a quick review of the deny-flow-max says that it
tracks those flows (4096 max) over the log interval specified in your
access list, so really you should consider it as a deny-flow-max of 4096
messages / 5 minutes (log interval 300), if you are using the defaults.
In theory, you could squeeze some more 106100 messages out of your
firewall by decreasing the log interval on your deny statements in your
access-list - there's bound to be some dead time when the firewall is
tracking the deny flow but no packets are hitting that flow and it's
just taking a spot that could be cleared for tracking a different deny
flow. I suppose, in theory, you could set the interval to 1 and get a
deny message for almost every single packet, but I hesitate to guess
what that would do to your firewall and your logging infrastructure. :)

Let us know if Cisco comes up with anything for you on getting around
the deny-flow-max of 4096.

I hope this helps!

--Jason



_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards