Re: [fw-wiz] Not getting all our denied logs from Cisco FWSM

Kim Cary wrote:
While we're slogging through the bureaucracy and shell game of our
TAC case at Cisco, I thought I'd ask the list whether any of you have
seen intermittent failures to send 106100 'denied' log entries from
your FWSM. We're on 2.3(3). As it turns out, these entries are
important to our operations and we're only getting about 10% of them.

We don't seem to be able to get around the deny-flow-max default of
4096. One would think that when those flows are exceeded, you would
just get the messages logged, wouldn't you? Am I missing something,
or is the firewall just throwing these away? We don't want it to do

I know Cisco is trying to not pass along a DOS here, but is there any
way to get them to STOP holding my hand and just send the logs?

The really annoying thing is, we get 100% of our 'permitted' 106100,
so I guess if someone is DOS-ing an open port they can get our syslog
server 'dos-ed' too.
firewall-wizards mailing list


That's truly annoying - Cisco makes a lot of presumptions, security-wise,
on how things 'should' work to be secure.

That being said - a quick review of the deny-flow-max says that it
tracks those flows (4096 max) over the log interval specified in your
access list, so really you should consider it as a deny-flow-max of 4096
messages / 5 minutes (log interval 300), if you are using the defaults.
In theory, you could squeeze some more 106100 messages out of your
firewall by decreasing the log interval on your deny statements in your
access-list - there's bound to be some dead time when the firewall is
tracking the deny flow but no packets are hitting that flow and it's
just taking a spot that could be cleared for tracking a different deny
flow. I suppose, in theory, you could set the interval to 1 and get a
deny message for almost every single packet, but I hesitate to guess
what that would do to your firewall and your logging infrastructure. :)

Let us know if Cisco comes up with anything for you on getting around
the deny-flow-max of 4096.

I hope this helps!


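As an added illustration (not from either poster), here is what the log-interval tuning suggested in the reply looks like in PIX 6.3-style access-list syntax, which the FWSM 2.x code base shares. The ACL name, addresses and the 60-second value are made-up example values, and the assumption that FWSM 2.3 accepts the `deny-flow-max` and `alert-interval` keywords exactly as PIX 6.3 does is mine.

```cisco
! Default behaviour: a deny ACE with "log" creates a cached deny flow per
! source/destination pair, emits 106100 when the flow is first seen and then
! a per-interval summary (default interval 300 s). At most 4096 deny flows
! are cached; flows beyond that are dropped silently from the log.
! (ACL name and addresses are made-up example values.)
access-list outside_in deny tcp any host 192.0.2.10 eq 23 log
!
! Tuned: report and expire deny flows every 60 seconds so that idle slots
! are released sooner for new flows. Level 6 is the default ACL log level.
! A lower interval raises syslog volume; 60 is an illustration, not advice.
access-list outside_in deny tcp any host 192.0.2.10 eq 23 log 6 interval 60
!
! Size of the deny-flow cache (1-4096, default 4096, so it cannot be raised
! beyond what the thread reports) and how often the firewall repeats the
! 106101 warning that the cache is full. On the syslog server, 106101 is the
! direct signal that 106100 'denied' entries are being lost to the limit.
access-list deny-flow-max 4096
access-list alert-interval 300
```

The practical check is to alert on message 106101 rather than on the absence of 106100: 106100 for permitted traffic keeps flowing even when the deny-flow cache is saturated, which is exactly the asymmetry the original poster describes.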