Net Report Cisco PIX Configuration Guide for Cisco PIX Firewalls Versions 6.2 and 6.3


Table of Contents

About This Document
- Purpose
- Technical Specifications
- Audience
- Related Information
- Key Configuration Rules
- Two Configuration Solutions to Choose Between
- Net Report and Cisco Version-Specific Information

Section 1: Introducing General Required Configuration Guidelines
- General Guidelines for Configuring Cisco PIX for Net Report
- Listing Cisco PIX Messages Treated by Net Report
- Reading Cisco PIX and Catalyst System Log Messages
- Syslog Messages for Cisco PIX
- Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3
- Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3

Section 2: Configuration Solution 1: Suppressing Syslog IDs
- Introduction
- Launching Cisco PIX Device Manager 3.0
- Selecting Syslog Messages for Suppression
- Suppressing Syslog Messages
- Viewing Syslog IDs Suppressed via the Command Line Interface
- Including Timestamp & Modifying Advanced Syslog Configuration
- Viewing The Advanced Syslog Configuration Modifications

Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages Levels
- Modifying Net Report Treated Messages Level via PIX Device Manager
- Viewing The Syslog Messages Level Modifications
- Modifying Syslog Severity Level Threshold, Including Timestamp & IP
- Viewing The Severity Threshold & Timestamp Modifications

Appendices
- Appendix A
  - A.1 Introduction
  - A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and
  - A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and
- Appendix B
  - B.1 Introduction
  - B.2 Error Messages Specific to Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 &

Contacting Net Report

About This Document

Purpose

This Net Report Cisco PIX Configuration Guide explains how to configure Cisco PIX Firewalls Versions 6.2 and 6.3 and Cisco Catalyst versions 2.2 and 2.3 for Net Report.

Note: this document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3.

Technical Specifications

The guidelines given in this document are applicable to the Cisco PIX Device Manager (PDM) version 3.0. The Cisco PIX Device Manager is a browser-based configuration tool designed to help you set up, configure and monitor your PIX Firewall graphically.

Audience

This document addresses both basic and advanced Net Report users. This Guide is also written for System Administrators who are responsible for maintaining network security. It assumes you have a basic understanding and a working knowledge of:

- Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3.
- System Administration.
- Unix or Windows Operating Systems.
- Windows GUI.
- Internet protocols (IP, TCP, UDP and so on).

Related Information

Please read the following documents which are related to Net Report's technical documentation:

- Code and Icon Conventions
- Online Help
- Troubleshooting
- Glossary

Key Configuration Rules

For Net Report to treat your Syslog Messages and Flat Files, please note the following general key points:

It is mandatory to check the Include Timestamp check box in the PIX Device Manager, to ensure that the Timestamp (date and time) is added to the beginning of each message.

1. If you want Net Report to analyze the Flat File, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. For example, here are two logs generated via Kiwi:

a. The first log is parsed with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses the Syslog message itself (in bold in this example):

:59:46 Local4.Info Feb :52:40: %PIX : Deny TCP (no connection) from /1206 to /1070 flags PSH ACK on interface inside

b. The second log is parsed with the format Comma Separated Values UTC yyyy-mm-dd (CSV). Net Report parses the Syslog message itself (in bold in this example):

:06:10 UTC,Local4.Info, ,Feb :04: : %PIX : Built outbound TCP connection 8893 for outside: /80 ( /80) to inside: /2902 ( /2902)

Two Configuration Solutions to Choose Between

This document explains how to reduce the number of Syslog (System Log) messages written in the Flat Files parsed by Net Report to avoid a potential loss of information.

Note: if you want Net Report to treat your Syslog Messages directly then you do not necessarily need to apply either Configuration Solution 1 or 2. However, doing so will improve the performance of Net Report's treatment.

The document proposes two Configuration Solutions. Please choose the solution which is the most appropriate for your company's IT Security Policy:

Configuration Solution 1: Reduce the Number of Syslog Messages Written in the Flat Files: strictly to those which are treated by Net Report via Cisco PIX Device Manager 3.0 (PDM).

Configuration Solution 2: Specify the Severity Level Threshold and Modify Certain Messages' Severity Levels: in the Cisco PIX Device Manager 3.0 to Level 3, to indicate which Syslog messages can be sent to the flat file for treatment by Net Report. The level you specify (i.e. level 3 = error) causes the PIX firewall to only send messages of that level or lower to the output location (i.e. levels 1-3). For example, if you specify severity level 3 as the Severity Level Threshold, the PIX Firewall sends severity level 1, 2, 3 messages to the output location. This limits the number of messages sent. However, you must ensure that the severity level of those Syslog messages treated by Net Report which are higher than the severity level threshold specified are modified to the severity level threshold you defined, to ensure that they are sent to the output location. For example, a message treated by Net Report with a Logging level of 5 will be modified to ensure that the Logging level is changed to Logging level 3.

Important: if you want to use Cisco PIX with Oracle, please see: Knowledge Base Article 58.

Net Report and Cisco Version-Specific Information

This document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3. Messages from versions prior to these versions are considered beyond the scope of this document and are not supported by Net Report 3.12 and later. Please read Section 1 before continuing with either Configuration Solution 1 or Configuration Solution 2.

Section 1: Introducing General Required Configuration Guidelines

1.1. General Guidelines for Configuring Cisco PIX for Net Report

To configure Cisco PIX for Net Report it is important to note the following five essential configuration rules:

- Include the Syslog Message Timestamp
- Parse Syslog Messages to Specific Flat File Formats
- Reduce the Number of Syslog Messages Analyzed by Net Report
- Associate an IP Address with a Hostname
- Choose between Two Different Configuration Solutions

Five General Configuration Rules for Configuring Cisco PIX for Net Report

1. Include the Syslog Message Timestamp: all System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address. Check the Include Timestamp check box in the PIX Device Manager. This adds the Timestamp prefix to the beginning of the Syslog message indicating what time the event occurred.

2. Export Syslog Messages to Specific Flat File Formats: if you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. For example, here are two logs generated via Kiwi:

a. The first log is parsed with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses the Syslog Message itself (in bold in this example, indicated in green font in the screen shot below):

:59:46 Local4.Info Feb :52:40: %PIX : Deny TCP (no connection) from /1206 to /1070 flags PSH ACK on interface inside

b. The second log is parsed with the format Comma Separated Values UTC yyyy-mm-dd (CSV). Net Report parses the Syslog message itself (in bold in this example):

:06:10 UTC,Local4.Info, ,Feb :04: : %PIX : Built outbound TCP connection 8893 for outside: /80 ( /80) to inside: /2902 ( /2902)

3. Reduce the Number of Syslog Messages Analyzed by Net Report: to improve performance, reduce the number of Syslog (System Log) messages written in the Flat Files parsed by Net Report to avoid a potential loss of information. This document presents two solutions for doing so.

4. Associate an IP Address with a Hostname: certain Cisco PIX messages (notably Message ) provide a hostname for the source/destination (instead of an IP Address) which is associated with an IP Address in the PIX Device Manager. These messages must be modified to associate the Hostname with the IP Address to obtain the correct data for the Cisco PIX statistics. Net Report recommends either associating the hostname with the IP addresses defined in the PIX Device Manager, or activating and correctly defining the RDNS function (which associates an IP with a hostname) for the IP Addresses concerned. The following example shows the first solution we recommend, that is, associating a hostname with an IP Address via the PIX Device Manager:

i. Select Configuration> Hosts/Networks in the PIX Device Manager.
ii. Select inside: any> [IP] > [IP Address] in the left Hosts/Networks pane.
iii. Double-click the IP Address to modify. The Edit host/network dialog box appears. Select the Basic information tab.
iv. Enter the Hostname you want to associate with the IP Address in the Name (Recommended) field. In this example, your_hostname.
v. Click OK. The Hostname appears to the left of the IP Address you modified in the left Hosts/Networks pane. In this example, your_hostname [IP Address].

5. Choose between Two Different Configuration Solutions: please note the information in Section 1 concerning the Cisco PIX messages treated by Net Report before moving on to choose either Configuration Solution 1 (see Section 2) or Configuration Solution 2 (see Section 3) to configure Cisco PIX for Net Report. Net Report treats a certain number of Syslog Messages; the list of these messages is included in this section. The exhaustive descriptions of each Syslog Message treated by Net Report are included at the end of this document.

Two Syslog Message Configuration Solutions to Choose between

The document proposes two solutions. Please choose the solution which is the most appropriate for your company's IT Security Policy:

Either Solution 1: Reduce the number of Syslog Messages written in the flat files: strictly to those which are treated by Net Report via Cisco PIX Device Manager 3.0 (PDM). See Section 2.

Or Solution 2: Specify the severity level threshold and modify certain messages' severity levels: in the Cisco PIX Device Manager 3.0 to Level 3, to indicate which Syslog messages can be sent to the flat file for treatment by Net Report. The level you specify (i.e. level 3 = error) causes the PIX firewall to only send messages of that level or lower to the output location (i.e. levels 1-3). For example, if you specify severity level 3 as the Severity Level Threshold, the PIX Firewall sends severity level 1, 2, 3 messages to the output location. This limits the number of messages sent. However, you must ensure that the severity level of those Syslog messages treated by Net Report which are higher than the severity level threshold specified are modified to the severity level threshold you defined, to ensure that they are sent to the output location. For example, a message treated by Net Report with a Logging level of 5 will be modified to ensure that the Logging level is changed to Logging level 3. See Section 3.

1.2. Listing Cisco PIX Messages Treated by Net Report

The System Log messages in this section apply to Cisco PIX Firewall Version 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3 and Net Report 3.12 and later. Please see Article 59 for the exhaustive list of Cisco PIX and Catalyst System Log messages supported by Net Report.

Net Report supports the following System Log Messages:

- System Log Messages specific to Cisco PIX Firewall Versions 6.2 and 6.3 (please see Section 1.1).
- System Log Messages for both Cisco PIX Firewall Versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.2).
- System Log Messages specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.3).

Note: neither Cisco PIX nor Cisco Firewall Services Module sends severity 0 (emergency) messages to Syslog. These are comparable to a UNIX panic message and indicate an unstable system.

1.3. Reading Cisco PIX and Catalyst System Log Messages

System log messages received at a Syslog server for treatment by Net Report begin with the Timestamp, followed by the Firewall IP Address and then a percent sign (%). The messages are structured as follows:

[Timestamp] [Firewall_IP_Address]:%[PIX][FWSM] Level Message_number: message_text

- Timestamp: identifies the time the event occurred. For Net Report, you must check the Include Timestamp check box (select Configuration> Syslog Properties, then Logging> Syslog in the Categories pane and select Include Timestamp).
- Firewall_IP_Address: identifies the Firewall IP Address. Please see the following sub-sections for more information.
- PIX: identifies the message facility code for messages generated by the PIX Firewall.
- FWSM: identifies the message facility code for messages generated by the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System.
- Level: reflects the severity of the condition described by the message. The lower the number, the more severe the condition. Logging is set to level 3 (error) by default.
- Message_number: is the numeric code that uniquely identifies the message.
- message_text: is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers or user names.

Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 1.1).

Note: if you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. The following is an example of a log generated via Kiwi.

Flat File Format Example: the log is parsed with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses the Syslog message itself (in bold in this example):

:59:46 Local4.Info Feb :52:40: %PIX : Deny TCP (no connection) from /1206 to /1070 flags PSH ACK on interface inside
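The message layout above can be checked before a flat file is handed to Net Report. The following Python code is an added example, not Net Report's or Cisco's code: it extracts the %PIX/%FWSM message from Kiwi tab-delimited or CSV lines and flags lines that lack the device timestamp. It assumes the hyphen-joined form %PIX-Level-Message_number: and uses constructed sample lines (documentation-range addresses; the message numbers are illustrative inputs, not recovered from this page).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Level keywords from the page's Cisco PIX Level Description Table
# (level 0, emergency, is named in the note in section 1.2).
LEVELS = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error", 4: "Warning",
          5: "Notification", 6: "Informational", 7: "Debugging"}

# Assumption: facility, level and number are hyphen-joined (%PIX-6-106015:).
MSG_RE = re.compile(r"%(PIX|FWSM)-([0-7])-(\d{6}):\s*(.*)$")
# Prefix written by the device when Include Timestamp (and, optionally, the
# Syslog Device ID) is enabled: "Mmm dd yyyy hh:mm:ss [device_id] :"
PREFIX_RE = re.compile(
    r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2})\s*(\S+)?\s*:\s*$")


class PixMessage(NamedTuple):
    timestamp: Optional[str]   # device timestamp, None if not included
    device_id: Optional[str]   # Syslog Device ID (IP address), if enabled
    facility: str              # "PIX" or "FWSM"
    level: int
    keyword: str
    number: str
    text: str


def parse_line(line: str) -> Optional[PixMessage]:
    """Find the device message anywhere in a flat-file line.

    Searching instead of splitting on tabs or commas keeps the parser
    independent of the Kiwi wrapper format placed in front of the message.
    """
    line = line.rstrip("\r\n")
    m = MSG_RE.search(line)
    if m is None:
        return None
    facility, level, number, text = m.groups()
    prefix = PREFIX_RE.search(line[:m.start()])
    timestamp, device_id = prefix.groups() if prefix else (None, None)
    return PixMessage(timestamp, device_id, facility, int(level),
                      LEVELS[int(level)], number, text.strip())


def check_flat_file(lines: List[str]) -> Tuple[List[PixMessage], List[Tuple[int, str]]]:
    """Return (usable messages, problems as (line_number, reason))."""
    parsed, problems = [], []
    for n, line in enumerate(lines, 1):
        msg = parse_line(line)
        if msg is None:
            problems.append((n, "no %PIX/%FWSM message found"))
        elif msg.timestamp is None:
            problems.append((n, "device timestamp missing (Include Timestamp off?)"))
        else:
            parsed.append(msg)
    return parsed, problems


# Constructed sample lines (not taken from the page).
SAMPLE_LINES = [
    "2005-02-10 10:59:46\tLocal4.Info\t192.0.2.1\tFeb 10 2005 10:52:40: "
    "%PIX-6-106015: Deny TCP (no connection) from 192.0.2.50/1206 to "
    "198.51.100.7/1070 flags PSH ACK on interface inside",
    "2005-02-10 11:06:10 UTC,Local4.Info,192.0.2.1,Feb 10 2005 11:04:10 "
    "192.0.2.1 : %PIX-6-302013: Built outbound TCP connection 8893 for "
    "outside:198.51.100.7/80 (198.51.100.7/80) to inside:192.0.2.50/2902 "
    "(192.0.2.50/2902)",
    "2005-02-10 11:07:00\tLocal4.Info\t192.0.2.1\t%PIX-2-106001: Inbound TCP "
    "connection denied from 198.51.100.7/4242 to 192.0.2.50/23 flags SYN on "
    "interface outside",
    "2005-02-10 11:08:00\tLocal4.Info\t192.0.2.2\tFeb 10 2005 11:07:58: "
    "%FWSM-4-313004: Denied ICMP type=8, from 198.51.100.7 on interface "
    "outside to 192.0.2.50:no matching session",
    "2005-02-10 11:09:00\tLocal4.Info\t192.0.2.1\tlast message repeated 3 times",
]

if __name__ == "__main__":
    messages, problems = check_flat_file(SAMPLE_LINES)
    for msg in messages:
        print(msg.timestamp, msg.device_id, msg.facility, msg.level,
              msg.keyword, msg.number)
    for line_no, reason in problems:
        print(f"line {line_no}: {reason}")
```
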

Cisco PIX Level Description Table

The table below defines the Keyword and Description associated with each Cisco PIX Level Number, as defined by Cisco Systems.

Level Number | Level Keyword | Description
1 | Alert | Immediate action needed.
2 | Critical | Critical condition.
3 | Error | Error condition.
4 | Warning | Warning condition.
5 | Notification | Normal but significant condition.
6 | Informational | Informational message only.
7 | Debugging | Appears during debugging only.

1.4. Syslog Messages for Cisco PIX

Syslog Default Error Message and Message Number | Severity Level & Keyword
%PIX : protocol request discarded from source_address to interface_name:dest_address | 7 = debugging

* All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.

1.5. Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3

Syslog Default Error Message and Message Number | Severity Level & Keyword
%PIX : Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name | 2 = critical
%PIX : protocol Connection denied by outbound list acl_id src inside_address dest outside_address | 2 = critical
%PIX : Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name | 2 = critical
%PIX : Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}. | 2 = critical
%PIX : Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port | 3 = error
%PIX : Deny IP from IP_address to IP_address, IP options hex | 2 = critical
%PIX : Dropping echo request from IP_address to PAT address IP_address | 2 = critical
%PIX : Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec) | 3 = error
%PIX : Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name | 6 = informational
%PIX : Deny IP spoof from (IP_address) to IP_address on interface interface_name. | 2 = critical
%PIX : Deny IP due to Land Attack from IP_address to IP_address | 2 = critical
%PIX : ICMP packet type ICMP_type denied by outbound list acl_id src inside_address dest outside_address | 2 = critical
%PIX : Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address | 2 = critical
%PIX : Deny protocol reverse path check from source_address to dest_address on interface interface_name | 1 = alert
%PIX : Deny protocol connection spoof from source_address to dest_address on interface interface_name | 1 = alert
%PIX : Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id | 4 = warning
%PIX : Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port | 6 = informational
%PIX : Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)] | 6 = informational
%PIX : Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)] | 6 = informational
%PIX : Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)] | 6 = informational
%PIX : Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)] | 6 = informational
%PIX : Denied ICMP type=number, code=code from IP_address on interface interface_name | 3 = error
%PIX : Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name | 5 = notification
%PIX : Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port | 4 = warning
%PIX : {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service | 3 = error
%PIX : {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service | 7 = debugging

* All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.

1.6. Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3

Syslog Default Error Message and Message Number | Severity Level & Keyword
%FWSM : Built {in|out}bound ICMP connection for faddr {faddr|icmp_seq_num} gaddr {gaddr|cmp_type} laddr laddr | 6 = informational
%FWSM : Denied ICMP type=icmp_type, from src_ip_address on interface intf_name to dest_ip_address:no matching session | 4 = warning

* All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.

*** FWSM: Firewall Services Module System

Section 2: Configuration Solution 1: Suppressing Syslog IDs

2.1. Introduction

Please follow the steps below to reduce the number of Syslog messages sent to the output location:

2.2: Launching Cisco PIX Device Manager 3.0.
2.3: Selecting Syslog Messages for Suppression.
2.4: Suppressing Syslog Messages that are not treated by Net Report.
2.5: Viewing Syslog Messages that were suppressed, via the Command Line Interface.
2.6: Including a Timestamp in Syslog Messages & Modifying Advanced Syslog Configuration.
2.7: Viewing Modifications Made to the Advanced Syslog Configuration via the Command Line Interface.

Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 2.6).

2.2. Launching Cisco PIX Device Manager 3.0

Steps

Use a PC connected to one of the PIX Firewall switch ports and enter the URL
Either leave both the Username and Password dialog boxes empty or enter your password. Press Enter.
Accept the certificates, click Authorize.
Enter your Network Password. Click Yes.
The Cisco PIX Device Manager 3.0 console appears.

2.3. Selecting Syslog Messages for Suppression

Solution 1 explains how to suppress those Syslog messages which are not treated by Net Report in order to reduce the volume of Syslog messages treated. The following steps therefore explain how to select the messages which Net Report does not treat and then how to suppress these messages.

Steps

Select Configuration> System Properties. The System Properties tab appears in the central pane.
Select Logging> Setup in the left Categories pane. Note that the Logging Setup parameters appear in the System Properties tab's Logging Setup pane.
Select the Enable logging check box and View all Syslog IDs in the Syslog ID Table View drop-down list.
Select all the Syslog IDs in the Syslog ID list with the mouse. All the Syslog IDs will be highlighted in white.
Press Ctrl and click with the mouse on those Syslog IDs supported by Net Report to clear them (the rows selected will become grey). Clear the following Syslog IDs: , , , , , , , , , , , , , , , , , , , , , , , , ,
Note: the Syslog IDs listed above will return to grey when you clear their selection.
Click Edit. The Edit dialog box appears.

2.4. Suppressing Syslog Messages

Steps

Note the Syslog IDs you selected to be suppressed in the previous Logging Setup pane in the Syslog ID(s) box.
Select the Suppress Message(s) check box.
Click OK. The Logging Setup tab appears.
Click Apply. The Status message appears.
Select View suppressed Syslog IDs only in the System Properties tab's Syslog ID Table View drop-down list, to view the list of Syslog IDs you suppressed.

2.5. Viewing Syslog IDs Suppressed via the Command Line Interface

To view the Syslog IDs you suppressed via the Command Line Interface, please follow the steps below:

Steps

1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box. All the Syslog IDs you suppressed in the Logging Setup pane and Edit dialog box appear as follows: no logging message [SyslogID]
5. Click Close.

2.6. Including Timestamp & Modifying Advanced Syslog Configuration

To include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.

Steps

Select Configuration> System Properties. The System Properties tab appears.
Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.
Ensure the Include Timestamp check box is selected.

Note: the Cisco PIX device must be configured to Include Timestamp in the log packets sent to the Syslog server (Net Report Syslog Agent). Alternatively, enter the corresponding configuration command: logging timestamp or set logging timestamp enable.

Note: in Cisco PIX 4.3.x and later, you can avoid having particular syslog messages sent, and you can timestamp messages that are sent. This results in having all messages sent with timestamps.

Note: the Net Report Syslog Agent does not access, connect or send anything on port 514. The Net Report Syslog Agent works in the other direction. The Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send packets to the Syslog Agent. Check in your Cisco PIX Firewall configuration that you have a rule that enables this.

Click Advanced. The Advanced Syslog Configuration dialog box appears.
Select the Enable Syslog Device ID check box.
Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.
Click OK.
Click Apply. The Status message appears.

2.7. Viewing The Advanced Syslog Configuration Modifications

Steps

1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box, notably logging timestamp.

Status: Configuration Solution 1 has been successfully accomplished. You have suppressed the Syslog IDs that Net Report does not treat and ensured that only those Syslog Messages which Net Report treats will be written in the flat file.

Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages Levels

Introduction

Solution 2 specifies the severity level threshold in the Cisco PIX Device Manager 3.0 to Level 3 (error), to indicate which Syslog messages can be sent to the flat file for treatment by Net Report.

Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 3.3).

The level you specify (i.e. level 3) causes the PIX firewall to only send messages of that level or lower to the output location (i.e. levels 1-3). For example, if you specify severity level 3 as the Severity Level Threshold, then the PIX Firewall sends severity level 1, 2, 3 messages to the output location. This limits the number of messages sent. However, you must ensure that the severity level of those Syslog messages treated by Net Report which are higher than the severity level threshold specified are modified to the severity level threshold you defined, to ensure that they are sent to the output location. For example, a message treated by Net Report with a Logging level of 6 will be modified to ensure that the Logging level is changed to Logging level 3.

Contents

The following tasks will be explained and must be followed in the following order:

3.1: Modifying the logging level of Syslog Messages treated by Net Report via the PIX Device Manager.
3.2: Viewing the Syslog Messages Level Modifications via the Command Line Interface.
3.3: Modifying the Syslog Severity Level Threshold, Including the Timestamp and Firewall IP Address.
3.4: Viewing the Severity Level Threshold, Timestamp and Advanced Syslog Configuration Modifications via the Command Line Interface.

3.1. Modifying Net Report Treated Messages Level via PIX Device Manager

To modify the level of those messages which Net Report treats which are Level 4-7 to Level 3, please follow the steps below:

Steps

Select Configuration> System Properties. The System Properties tab appears.
Select Logging> Logging Setup in the left Categories pane. The Logging Setup pane appears.
Select View all syslog IDs in the Syslog ID Table View drop-down list.
Select the Syslog IDs for those Syslog Messages treated by Net Report with levels 4-7 in the Syslog list: , , , , , , , , , ,
Note that the Syslog IDs selected will appear highlighted in white.
Click Edit. The Edit dialog box appears.
Note the Syslog IDs you selected in the previous Logging Setup pane appear in the Syslog ID(s) field.
Select Errors in the Logging Level drop-down list.
Click OK. The Logging Setup pane reappears.
Click Apply. The Status message appears.

3.2. Viewing The Syslog Messages Level Modifications

Steps

1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box. The following Response indicates that the level of those Syslog Messages treated by Net Report with levels 4-7 has been successfully modified to level 3 (errors): logging message [SyslogID] level errors

3.3. Modifying Syslog Severity Level Threshold, Including Timestamp & IP

To modify the Syslog Severity Level Threshold from the default Debugging level to the new threshold level 3 (error), and to include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.

Steps

Select Configuration> System Properties. The System Properties tab appears.
Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.
Select Errors in the Level drop-down list.
Ensure the Include Timestamp check box is selected.

Note: the Cisco PIX device must be configured to Include Timestamp in the log packets sent to the Syslog server (Net Report Syslog Agent). Alternatively, enter the corresponding configuration command: logging timestamp or set logging timestamp enable.

Note: in Cisco PIX 4.3.x and later, you can avoid having particular syslog messages sent, and you can timestamp messages that are sent. This results in having all messages sent with timestamps.

Note: the Net Report Syslog Agent does not access, connect or send anything on port 514. The Net Report Syslog Agent works in the other direction. The Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send packets to the Syslog Agent. Check in your Cisco PIX Firewall configuration that you have a rule that enables this.

Click Advanced. The Advanced Syslog Configuration dialog box appears.
Select the Enable Syslog Device ID check box.
Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.
Click OK.
Click Apply. The Status message appears.

3.4. Viewing The Severity Threshold & Timestamp Modifications

Steps
1. Select Tools > Command Line Interface. The Command Line Interface dialog box appears.

5. Enter the following command in the Command field: show running-config
6. Click Send.
7. Note the Response in the lower half of the Command Line Interface dialog box, notably logging timestamp and logging trap errors.

Status: Configuration Solution 2 has been successfully accomplished!

Appendices

This Lexicon comprises the following two sections:
- Appendix A: The List of Cisco PIX versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2, 2.3 Error Messages Treated by Net Report
- Appendix B: List of Error Messages Only Concerning Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2, 2.3 Error Messages Treated by Net Report

Appendix A

A.1 Introduction

The messages shown in this Lexicon apply to Cisco PIX Firewall Version 6.2 and 6.3 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3. Please note that the Explanations given below follow the official explanations given by Cisco Systems. Those Error Messages which are specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 are explained in Section 2.

A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and

Error Message
%PIX : protocol request discarded from source_address to interface_name:dest_address

Explanation
This message appears when the firewall does not have an IP server that services the IP protocol request; for example, the firewall receives IP packets that are not TCP or UDP, and the firewall cannot service the request.

Recommended Action
In networks that heavily use multicasting, the frequency of this message can be high. If this message appears in excessive numbers, it may indicate an attack.

A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and

Error Message
%PIX : Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

Explanation
This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The tcp_flags in this packet were FIN and ACK.

The tcp_flags are as follows:
- ACK: The acknowledgement number was received.
- FIN: Data was sent.
- PSH: The receiver passed data to the application.
- RST: The connection was reset.
- SYN: Sequence numbers were synchronized to start a connection.
- URG: The urgent pointer was declared valid.

Error Message
%PIX : protocol Connection denied by outbound list acl_id src inside_address dest outside_address

Explanation
This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable can be ICMP, TCP or UDP.

Recommended Action
Use the show outbound command to check outbound lists.

Error Message
%PIX : Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation
This is a connection-related message. This message is logged if an inbound UDP packet is denied by your security policy.

Error Message
%PIX : Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response | Query}.

Explanation
This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied.

Recommended Action
If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most probable cause is that a DNS server was too slow to respond and the query was answered by another server.

Error Message
%PIX : Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

Explanation
This is a connection-related message. This message is logged if an inbound connection is denied by your security policy.

Recommended Action
Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.

Error Message
%PIX : Deny IP from IP_address to IP_address, IP options hex.

Explanation

This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

Recommended Action
Contact the remote host system administrator to determine the problem. Check the local site for loose source or strict source routing.

Error Message
%PIX : Dropping echo request from IP_address to PAT address IP_address

Explanation
This message is logged when the firewall discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet cannot specify which PAT host should receive the packet.

Error Message
%PIX : Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

Explanation
This message is logged when the firewall denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.

Error Message
%PIX : Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

Explanation
This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit's connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.

Recommended Action

None required, unless the firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

Error Message
%PIX : Deny IP spoof from (IP_address) to IP_address on interface interface_name.

Explanation
This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:
- Loopback network ( )
- Broadcast (limited, net-directed, subnet-directed, and all subnets-directed)
- The destination hosts (land.c)

If the sysopt connection enforcesubnet command is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the firewall and logs this message. To enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.

Recommended Action
Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

Error Message
%PIX : Deny IP due to Land Attack from IP_address to IP_address

Explanation
This message appears when the firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.

Recommended Action
If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

Error Message
%PIX : ICMP packet type ICMP_type denied by outbound list acl_id src inside_address dest outside_address

Explanation
This message is logged because the outgoing ICMP packet with type ICMP_type from local host inside_address to foreign host outside_address is denied by outbound list acl_id.

Error Message
%PIX : Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address

Explanation
The firewall discarded an IP packet with a teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the firewall or an Intrusion Detection System.

Recommended Action
Contact the remote peer administrator or escalate this issue according to your security policy.

Error Message
%PIX : Deny protocol reverse path check from source_address to dest_address on interface interface_name

Explanation
Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

Recommended Action
This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the firewall checks packets arriving from the outside. The firewall looks up a route based on the source_address. If an entry is not found and a route is not defined, then this Syslog message appears and the connection is dropped. If there is a route, the firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The firewall does not support asymmetric routing. If configured on an internal interface, the firewall checks static route command statements or RIP and if the source_address is not found, then an internal user is spoofing their address. An attack is in progress. With this feature enabled, no user action is required. The firewall repels the attack.

Error Message
%PIX : Deny protocol connection spoof from source_address to dest_address on interface interface_name

Explanation
This message only appears if a connection exists and a packet matching the connection arrives on a different interface than the interface the connection began on. For example, if a user starts a connection on the inside interface, but the firewall detects the same connection arriving on a perimeter interface, the firewall has more than one path to a destination. This is known as asymmetric routing and is not supported on the firewall.

Alternatively, an attacker is attempting to append packets from one connection to another as a means of breaking into the firewall. In either case, the firewall displays this message and drops the connection.

Recommended Action
This message appears when the ip verify reverse-path command is not configured. Ensure routing is not asymmetric.

Error Message
%PIX : Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id

Explanation
An IP packet was denied by the ACL. This message will be displayed even if you do not have the log option enabled for an ACL.

Recommended Action
If messages persist from the same source address, then the messages could indicate a footprinting or port scanning attempt. Contact the remote host administrators.
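The recommended action above ties persistent denies from one source address to footprinting or port scanning. The following Python is an added example, not code from Net Report or Cisco: it parses the ACL-deny message body documented above and groups denies per source. The function names, thresholds, timestamp layout, acceptance of both "access_group" and "access-group", the NNNNNN message-ID placeholder and the sample lines (RFC 5737 documentation addresses) are all assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Body of the ACL-deny message as documented above. Matching is done on the
# message text only, because the numeric message IDs are not reproduced here.
# Both "access_group" (as printed above) and "access-group" are accepted.
ACL_DENY = re.compile(
    r'Deny (?P<proto>\S+) '
    r'src (?P<src_if>[^:\s]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? '
    r'dst (?P<dst_if>[^:\s]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))?'
    r'(?: [\[(]type (?P<icmp_type>\w+), code (?P<icmp_code>\w+)[\])])?'
    r' by access[-_]group "?(?P<acl>[^"\s]+)"?'
)


def parse_acl_deny(line):
    """Return the fields of one ACL-deny message, or None for any other line."""
    m = ACL_DENY.search(line)
    if m is None:
        return None
    event = m.groupdict()
    # ICMP denies carry a type/code instead of ports, so the port may be absent.
    event["dst_port"] = int(event["dst_port"]) if event["dst_port"] else None
    return event


def find_scanners(lines, min_ports=5, min_hosts=5):
    """Map each suspicious source address to the deny patterns it shows.

    vertical scan    : >= min_ports distinct ports denied on one destination
    horizontal sweep : >= min_hosts distinct destinations denied on one port
    """
    ports_per_target = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports
    hosts_per_port = defaultdict(lambda: defaultdict(set))    # src -> port -> dsts
    for line in lines:
        event = parse_acl_deny(line)
        if event is None or event["dst_port"] is None:
            continue
        src, dst, port = event["src_ip"], event["dst_ip"], event["dst_port"]
        ports_per_target[src][dst].add(port)
        hosts_per_port[src][port].add(dst)

    findings = {}
    for src in ports_per_target:
        labels = []
        if any(len(p) >= min_ports for p in ports_per_target[src].values()):
            labels.append("vertical scan")
        if any(len(h) >= min_hosts for h in hosts_per_port[src].values()):
            labels.append("horizontal sweep")
        if labels:
            findings[src] = labels
    return findings


# Constructed sample input. Level 3 follows Configuration Solution 2 above;
# NNNNNN stands in for the message ID.
PREFIX = "Mar 01 2005 10:00:00: %PIX-3-NNNNNN: "
SAMPLE_LOG = (
    [PREFIX + f'Deny tcp src outside:203.0.113.10/{40000 + i} '
              f'dst inside:192.0.2.5/{port} by access-group "outside_in"'
     for i, port in enumerate([21, 22, 23, 25, 80, 443])]
    + [PREFIX + f'Deny tcp src outside:198.51.100.7/51000 '
                f'dst inside:192.0.2.{host}/445 by access-group "outside_in"'
       for host in range(1, 7)]
    + [PREFIX + 'Deny udp src outside:203.0.113.99/5353 '
                'dst inside:192.0.2.5/53 by access-group "outside_in"',
       PREFIX + 'Deny icmp src outside:203.0.113.99 dst inside:192.0.2.5 '
                '(type 8, code 0) by access-group "outside_in"',
       PREFIX + 'Deny inbound UDP from 203.0.113.99/1024 to 192.0.2.5/53 '
                'on interface outside']
)

if __name__ == "__main__":
    for source, labels in find_scanners(SAMPLE_LOG).items():
        print(source, ", ".join(labels))
```

The thresholds need tuning per site; a single misconfigured client retrying one port on one host stays below both.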

Error Message
%PIX : Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port

Explanation
This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other PIX Firewall. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address behind the PIX Firewall on the higher security level interface.

Error Message
%PIX : Built {inbound | outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

Explanation
A TCP connection slot between two hosts was created. Where:
- connection number is a unique identifier.
- interface, real_address, real_port identify the actual sockets.
- mapped_address, mapped_port identify the mapped sockets.
- user is the AAA name of the user.

If inbound is specified, then the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection was initiated from the inside.

Error Message
%PIX : Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)]

Explanation
A TCP connection between two hosts was deleted. Where:
- connection number is a unique identifier.
- interface, real_address, real_port identify the actual sockets.
- time is the lifetime of the connection.
- bytes number is the data transfer of the connection.
- user is the AAA name of the user.

The reason variable presents the action that causes the connection to terminate. Set the reason variable to one of the TCP termination reasons listed below:

Reason         Description
Reset-I        Reset was from the inside.
Reset-O        Reset was from the outside.
TCP FINs       Normal close down sequence.
FIN Timeout    Force termination after 15 seconds await for last ACK.
SYN Timeout    Force termination after two minutes awaiting three-way handshake completion.
Xlate Clear    Command-line removal.
Deny           Terminate by application inspection.
SYN Control    Back channel initiation from wrong side.
Uauth Deny     Deny by URL filter.
Unknown        Catch-all error.
Conn-timeout   Connection was torn down because it was idle longer than the configured idle timeout.

Error Message
%PIX : Built {inbound | outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

Explanation
A UDP connection slot between two hosts is created. See the following descriptions:
- connection number: a unique identifier.
- interface, real_address, real_port: the actual sockets.
- mapped_address and mapped_port: the mapped sockets.
- user: the AAA name of the user.

If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

Error Message
%PIX : Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)]

Explanation
A UDP connection slot between two hosts was deleted. Where:
- connection number is a unique identifier.
- interface, real_address, real_port identify the actual sockets.
- time is the lifetime of the connection.
- bytes number is the data transfer of the connection.
- user is the AAA name of the user.
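The Teardown TCP and Teardown UDP formats above, together with the reason table, are enough to turn teardown records into triage data. The following Python is an added example, not code from Net Report or Cisco: the bucket names, function names, the h:mm:ss layout assumed for the duration field, the NNNNNN message-ID placeholder and the sample lines (RFC 5737 documentation addresses) are assumptions made for the illustration.

```python
import re
from collections import Counter

# Reason strings from the table above, mapped to triage buckets.
# The bucket names are this example's assumption, not Cisco terminology.
REASONS = {
    "Reset-I": "reset",
    "Reset-O": "reset",
    "TCP FINs": "normal",
    "FIN Timeout": "timeout",
    "SYN Timeout": "timeout",
    "Xlate Clear": "admin",
    "Deny": "policy",
    "SYN Control": "policy",
    "Uauth Deny": "policy",
    "Unknown": "unknown",
    "Conn-timeout": "idle",
}
# Longest first, so that "Uauth Deny" is tried before "Deny".
REASONS_BY_LENGTH = sorted(REASONS, key=len, reverse=True)

TEARDOWN = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection (?P<conn_id>\d+) for "
    r"(?P<a>[^:\s]+:[\d.]+/\d+) to (?P<b>[^:\s]+:[\d.]+/\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+)(?P<tail>.*)$"
)
USER = re.compile(r"\(([^()]*)\)\s*$")  # optional trailing "(user)"


def parse_teardown(line):
    """Parse one Teardown TCP/UDP message; return None for any other line."""
    m = TEARDOWN.search(line)
    if m is None:
        return None
    tail = m.group("tail").strip()
    user = None
    user_match = USER.search(tail)
    if user_match:
        user = user_match.group(1)
        tail = tail[:user_match.start()].strip()
    reason = next((r for r in REASONS_BY_LENGTH if tail.endswith(r)), None)
    if reason:
        bucket = REASONS[reason]
    elif tail:
        bucket = "unknown"   # text present, but not a reason from the table
    else:
        bucket = "none"      # UDP teardowns carry no reason field
    hours, minutes, seconds = (int(x) for x in m.group("duration").split(":"))
    return {
        "proto": m.group("proto"),
        "conn_id": int(m.group("conn_id")),
        "endpoints": (m.group("a"), m.group("b")),
        "duration_s": hours * 3600 + minutes * 60 + seconds,
        "bytes": int(m.group("bytes")),
        "reason": reason,
        "bucket": bucket,
        "user": user,
    }


def summarize(lines, review_buckets=("timeout", "policy", "unknown")):
    """Count teardowns per bucket and list the connections worth a second look."""
    buckets = Counter()
    review = []
    for line in lines:
        event = parse_teardown(line)
        if event is None:
            continue
        buckets[event["bucket"]] += 1
        if event["bucket"] in review_buckets:
            review.append((event["conn_id"], event["reason"]))
    return buckets, review


# Constructed sample input; NNNNNN stands in for the message ID.
P = "Mar 01 2005 10:00:00: %PIX-3-NNNNNN: "
SAMPLE_LOG = [
    P + "Teardown TCP connection 101 for outside:203.0.113.10/80 to inside:192.0.2.5/1025 duration 0:00:12 bytes 5321 TCP FINs",
    P + "Teardown TCP connection 102 for outside:203.0.113.10/443 to inside:192.0.2.6/1030 duration 0:02:00 bytes 0 SYN Timeout",
    P + "Teardown TCP connection 103 for outside:203.0.113.20/22 to inside:192.0.2.7/1031 duration 1:00:05 bytes 88211 Conn-timeout (alice)",
    P + "Teardown TCP connection 104 for outside:203.0.113.30/80 to inside:192.0.2.8/1032 duration 0:00:03 bytes 412 Uauth Deny (bob)",
    P + "Teardown UDP connection 105 for outside:203.0.113.53/53 to inside:192.0.2.5/1040 duration 0:00:01 bytes 120",
    P + "Teardown TCP connection 106 for outside:203.0.113.40/25 to inside:192.0.2.9/1033 duration 0:00:01 bytes 60 Reset-O",
    P + "Built outbound TCP connection 107 for outside:203.0.113.40/25 (203.0.113.40/25) to inside:192.0.2.9/1034 (198.51.100.9/1034)",
]

if __name__ == "__main__":
    counts, to_review = summarize(SAMPLE_LOG)
    print(dict(counts))
    print(to_review)
```

A rising share of the timeout bucket with zero bytes transferred is the pattern to watch, since those connections never completed the handshake.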

Error Message
%PIX : Denied ICMP type=number, code=code from IP_address on interface interface_name

Explanation
When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the firewall discards the ICMP packet and generates this Syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the firewall cannot be detected on the network. This feature is also referred to as configurable proxy pinging.

Recommended Action
Contact the administrator of the peer device.

Error Message
%PIX : Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name

Explanation
This message indicates that a header length in TCP is incorrect. Some operating systems do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled socket. If a client tries to connect to an FTP server outside the PIX Firewall and FTP is not listening, then the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes this problem. UDP uses ICMP port unreachable messages.

Error Message
%PIX : Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port

Explanation
This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.

Error Message


More information

Chapter 4 Firewall Protection and Content Filtering

Chapter 4 Firewall Protection and Content Filtering Chapter 4 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to protect your network.

More information

Deployment Guide: Transparent Mode

Deployment Guide: Transparent Mode Deployment Guide: Transparent Mode March 15, 2007 Deployment and Task Overview Description Follow the tasks in this guide to deploy the appliance as a transparent-firewall device on your network. This

More information

About Cisco PIX Firewalls

About Cisco PIX Firewalls About Cisco PIX Firewalls The PIX firewall requires extensive provisioning to meet both industry best practices and regulatory compliance. By default the firewall operating system allows various methods

More information

FortKnox Personal Firewall

FortKnox Personal Firewall FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright

More information

Introduction to Cisco IOS Flexible NetFlow

Introduction to Cisco IOS Flexible NetFlow Introduction to Cisco IOS Flexible NetFlow Last updated: September 2008 The next-generation in flow technology allowing optimization of the network infrastructure, reducing operation costs, improving capacity

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

Troubleshooting IP Access Lists

Troubleshooting IP Access Lists CHAPTER 21 This chapter describes how to troubleshoot IPv4 and IPv6 access lists (IP-ACLs) created and maintained in the Cisco MDS 9000 Family. It includes the following sections: Overview, page 21-1 Initial

More information

Policy Based Forwarding

Policy Based Forwarding Policy Based Forwarding Tech Note PAN-OS 4.1 Revision A 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Security... 3 Performance... 3 Symmetric Routing... 3 Service Versus

More information

Adding an Extended Access List

Adding an Extended Access List CHAPTER 11 This chapter describes how to configure extended access lists (also known as access control lists), and it includes the following topics: Information About Extended Access Lists, page 11-1 Licensing

More information

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes

NetFlow Aggregation. Feature Overview. Aggregation Cache Schemes NetFlow Aggregation This document describes the Cisco IOS NetFlow Aggregation feature, which allows Cisco NetFlow users to summarize NetFlow export data on an IOS router before the data is exported to

More information

Firewall Stateful Inspection of ICMP

Firewall Stateful Inspection of ICMP The feature addresses the limitation of qualifying Internet Control Management Protocol (ICMP) messages into either a malicious or benign category by allowing the Cisco IOS firewall to use stateful inspection

More information

Configuring CSS Remote Access Methods

Configuring CSS Remote Access Methods CHAPTER 11 Configuring CSS Remote Access Methods This chapter describes how to configure the Secure Shell Daemon (SSH), Remote Authentication Dial-In User Service (RADIUS), and the Terminal Access Controller

More information

Innominate mguard Version 6

Innominate mguard Version 6 Innominate mguard Version 6 Application Note: Firewall Logging mguard smart mguard PCI mguard blade mguard industrial RS EAGLE mguard mguard delta Innominate Security Technologies AG Albert-Einstein-Str.

More information

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address

Personal Telepresence. Place the VidyoPortal/VidyoRouter on a public Static IP address NAT Introduction: Vidyo Conferencing in Firewall and NAT Deployments Vidyo Technical Note Section 1 The VidyoConferencing platform utilizes reflexive addressing to assist in setup of Vidyo calls. Reflexive

More information

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture

Packet Capture. Document Scope. SonicOS Enhanced Packet Capture Packet Capture Document Scope This solutions document describes how to configure and use the packet capture feature in SonicOS Enhanced. This document contains the following sections: Feature Overview

More information

Barracuda Networks Web Application Firewall

Barracuda Networks Web Application Firewall McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Barracuda Networks Web Application Firewall January 30, 2015 Barracuda Networks Web Application Firewall Page 1 of 10 Important

More information

Chapter 10 Troubleshooting

Chapter 10 Troubleshooting Chapter 10 Troubleshooting This chapter provides troubleshooting tips and information for your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. After each problem description, instructions are provided

More information

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp

iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp iguring an IPSec Tunnel Cisco Secure PIX Firewall to Checkp Table of Contents Configuring an IPSec Tunnel Cisco Secure PIX Firewall to Checkpoint 4.1 Firewall...1 Introduction...1 Before You Begin...1

More information

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others

FIREWALLS. Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS FIREWALLS Firewall: isolates organization s internal net from larger Internet, allowing some packets to pass, blocking others FIREWALLS: WHY Prevent denial of service attacks: SYN flooding: attacker

More information

Cisco ASA, PIX, and FWSM Firewall Handbook

Cisco ASA, PIX, and FWSM Firewall Handbook Cisco ASA, PIX, and FWSM Firewall Handbook David Hucaby, CCIE No. 4594 Cisco Press Cisco Press 800 East 96th Street Indianapolis, Indiana 46240 USA Contents Foreword Introduction xxii xxiii Chapter 1 Firewall

More information

CCNA Access List Sim

CCNA Access List Sim 1 P a g e CCNA Access List Sim Question An administrator is trying to ping and telnet from Switch to Router with the results shown below: Switch> Switch> ping 10.4.4.3 Type escape sequence to abort. Sending

More information

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering

Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering Lab 7: Firewalls Stateful Firewalls and Edge Router Filtering 7.1 Details Aim: Rich Macfarlane The aim of this lab is to introduce the concepts of stateful firewalls, using Cisco Contextbased Access Control

More information

Command Manual - Network Protocol Quidway S3000 Series Ethernet Switches. Table of Contents

Command Manual - Network Protocol Quidway S3000 Series Ethernet Switches. Table of Contents Table of Contents Table of Contents Chapter 1 ARP Configuration Commands... 1-1 1.1 ARP Configuration Commands... 1-1 1.1.1 arp static... 1-1 1.1.2 arp timer aging... 1-2 1.1.3 debugging arp packet...

More information

co Characterizing and Tracing Packet Floods Using Cisco R

co Characterizing and Tracing Packet Floods Using Cisco R co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1

More information

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

Avaya Network Configuration Manager User Guide

Avaya Network Configuration Manager User Guide Avaya Network Configuration Manager User Guide May 2004 Avaya Network Configuration Manager User Guide Copyright Avaya Inc. 2004 ALL RIGHTS RESERVED The products, specifications, and other technical information

More information

HTTP Reverse Proxy Scenarios

HTTP Reverse Proxy Scenarios Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Sterling Secure Proxy HTTP Reverse Proxy Scenarios Version 3.4 Note Before using this information and the product it supports, read the information

More information

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual

CCNA Discovery 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual 4.0.3.0 Networking for Homes and Small Businesses Student Packet Tracer Lab Manual This document is exclusive property of Cisco Systems, Inc. Permission is granted to print and copy this document for non-commercial

More information

IP Filter/Firewall Setup

IP Filter/Firewall Setup CHAPTER 9 IP Filter/Firewall Setup 9.1 Introduction The IP Filter/Firewall function helps protect your local network against attack from outside. It also provides a way of restricting users on the local

More information

Introduction to Analyzer and the ARP protocol

Introduction to Analyzer and the ARP protocol Laboratory 6 Introduction to Analyzer and the ARP protocol Objetives Network monitoring tools are of interest when studying the behavior of network protocols, in particular TCP/IP, and for determining

More information

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide

LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide LogLogic Microsoft Domain Name System (DNS) Log Configuration Guide Document Release: September 2011 Part Number: LL600027-00ELS090000 This manual supports LogLogic Microsoft DNS Release 1.0 and later,

More information

Lab Exercise Configure the PIX Firewall and a Cisco Router

Lab Exercise Configure the PIX Firewall and a Cisco Router Lab Exercise Configure the PIX Firewall and a Cisco Router Scenario Having worked at Isis Network Consulting for two years now as an entry-level analyst, it has been your hope to move up the corporate

More information

Configuring Health Monitoring

Configuring Health Monitoring CHAPTER 6 This chapter describes how to configure the health monitoring on the CSM and contains these sections: Configuring Probes for Health Monitoring, page 6-1 Configuring Route Health Injection, page

More information

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP Aakanksha Vijay M.tech, Department of Computer Science Suresh Gyan Vihar University Jaipur, India Mrs Savita Shiwani Head Of

More information

Managing Virtual Servers

Managing Virtual Servers CHAPTER 4 Content Switching Module Device Manager (CVDM-CSM) displays details of existing virtual servers and enables users to perform detailed tasks that include creating or deleting virtual servers,

More information

Packet Filtering using Access Control Policies and Lists

Packet Filtering using Access Control Policies and Lists Configuration Guide 5991-2119 April 2005 IP Firewall Packet Filtering using Access Control Policies and Lists This Configuration Guide is designed to provide you with a basic understanding of the concepts

More information

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006

CSE331: Introduction to Networks and Security. Lecture 12 Fall 2006 CSE331: Introduction to Networks and Security Lecture 12 Fall 2006 Announcements Midterm I will be held Friday, Oct. 6th. True/False Multiple Choice Calculation Short answer Short essay Project 2 is on

More information

TECHNICAL NOTE. Technical Note P/N 300-999-649 REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.

TECHNICAL NOTE. Technical Note P/N 300-999-649 REV 03. EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8. TECHNICAL NOTE EMC NetWorker Simplifying firewall port requirements with NSR tunnel Release 8.0 and later Technical Note P/N 300-999-649 REV 03 February 6, 2014 This technical note describes how to configure

More information

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010 What is Trend Micro OfficeScan? Trend Micro OfficeScan Corporate Edition protects campus networks from viruses, Trojans, worms, Web-based

More information

Smart Card Authentication Client. Administrator's Guide

Smart Card Authentication Client. Administrator's Guide Smart Card Authentication Client Administrator's Guide April 2013 www.lexmark.com Contents 2 Contents Overview...3 Configuring Smart Card Authentication Client...4 Configuring printer settings for use

More information

Connecting to the Firewall Services Module and Managing the Configuration

Connecting to the Firewall Services Module and Managing the Configuration CHAPTER 3 Connecting to the Firewall Services Module and This chapter describes how to access the command-line interface and work with the configuration. This chapter includes the following sections: Connecting

More information

R&S AFQ100A, R&S AFQ100B I/Q Modulation Generator Supplement

R&S AFQ100A, R&S AFQ100B I/Q Modulation Generator Supplement I/Q Modulation Generator Supplement The following description relates to the Operating Manuals, version 03 of R&S AFQ100A, and version 01 of R&S AFQ100B. It encloses the following topics: LXI features,

More information

Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance

Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Lab 12.1.7 Configure and Test Advanced Protocol Handling on the Cisco PIX Security Appliance Objective Scenario Estimated Time: 20 minutes Number of Team Members: Two teams with four students per team

More information

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide

LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide LogLogic Juniper Networks Intrusion Detection and Prevention (IDP) Log Configuration Guide Document Release: September 2011 Part Number: LL600015-00ELS090000 This manual supports LogLogic Juniper Networks

More information

Solution of Exercise Sheet 5

Solution of Exercise Sheet 5 Foundations of Cybersecurity (Winter 15/16) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Protocols = {????} Client Server IP Address =???? IP Address =????

More information

Unicast Reverse Path Forwarding

Unicast Reverse Path Forwarding Unicast Reverse Path Forwarding This feature module describes the Unicast Reverse Path Forwarding (RPF) feature, which helps to mitigate problems caused by malformed or forged IP source addresses passing

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

ADSL Router Quick Installation Guide Revised, edited and illustrated by Neo

ADSL Router Quick Installation Guide Revised, edited and illustrated by Neo ADSL Router Quick Installation Guide Revised, edited and illustrated by Neo A typical set up for a router PCs can be connected to the router via USB or Ethernet. If you wish to use a telephone with the

More information