ASA logging

Discussion in 'Network Security' started by morph, Dec 17, 2008.

  1. morph

    morph Byte Poster

    So let's say you had a Cisco ASA as your internal firewall, with an any any rule for ip (so everything). This was being closed down, but a lot of traffic is using this rule. Is it possible to just log on this one rule through syslog? Or is syslog going to capture all the traffic for everything, and then it would be a matter of going through it? Basically I want to do this over 48 hours; at the moment I'm just letting live logging rack up on a different machine and was going to go through that (specifically for that rule).
    Any ideas?
     
    Certifications: Network +, ITIL Foundation, CCENT, CCNA
    WIP: server/ccna security
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Yes, you can log matches against a line in an access list - just add log at the end of the line. There are plenty of options if you want to fine tune the logging parameters, but simply adding "log" and sending it all to a syslog server is very easy. If the line is permit ip any any log, then of course you will be logging every packet, which is probably not a good idea, unless traffic is light.

    I'm not sure from your question, but it seems that you have an access list that permits everything, and you are trying to lock it down, and want an idea of what legitimate traffic you'll need to permit. If so, I'd suggest making an access list that covers everything you can think of that is legitimate (e.g. smtp, http, ntp, etc). Then add permit statements with logging to catch the rest of the traffic. I often break it down a bit more specifically, e.g. instead of permit ip any any log I use permit tcp any any log, permit udp any any log, etc.

    Also, keep in mind you can log policy entries as well, if needed - for example, maybe you have an http policy that blocks apps tunneling through http - you can log that if needed.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER, MCP
    WIP: CCIE
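Once the catch-all permit lines carry the `log` keyword, every match shows up at the syslog server as an ASA message 106100. The script below (added example for this thread, not code from any poster) tallies those hits for one named ACL by protocol and destination, then turns the tally into candidate specific permit entries, which is the "going through it" step the first post describes. It assumes the standard 106100 message format; the ACL names, addresses and log lines are constructed.

```python
"""Tally Cisco ASA access-list log hits (syslog message 106100) for one ACL,
so a 'permit ip any any log' catch-all can be replaced by specific permits.
Assumes the standard %ASA-6-106100 format; sample lines are constructed."""
import re
from collections import Counter

# 106100 fields: ACL name, action, protocol, src iface/addr(port),
# dst iface/addr(port). The hit-cnt tail is not needed for tallying.
LOG_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) "
    r"(?P<action>permitted|denied|est-allowed) (?P<proto>\S+) "
    r"(?P<siface>\S+?)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<diface>\S+?)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

# Constructed sample syslog lines (not taken from the thread).
SAMPLE_LOGS = """\
Dec 17 2008 10:01:02 fw1 %ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.1.1.5(51234) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8f2a1b3c, 0x0]
Dec 17 2008 10:01:03 fw1 %ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.1.1.6(51240) -> outside/203.0.113.10(443) hit-cnt 1 first hit [0x8f2a1b3c, 0x0]
Dec 17 2008 10:01:05 fw1 %ASA-6-106100: access-list INSIDE_IN permitted udp inside/10.1.1.5(123) -> outside/198.51.100.7(123) hit-cnt 1 first hit [0x1a2b3c4d, 0x0]
Dec 17 2008 10:01:06 fw1 %ASA-6-106100: access-list INSIDE_IN permitted tcp inside/10.1.1.9(40000) -> outside/203.0.113.25(25) hit-cnt 1 first hit [0x5e6f7a8b, 0x0]
Dec 17 2008 10:01:07 fw1 %ASA-6-106100: access-list OUTSIDE_IN denied tcp outside/192.0.2.44(4444) -> inside/10.1.1.5(3389) hit-cnt 1 first hit [0x9c0d1e2f, 0x0]
Dec 17 2008 10:01:08 fw1 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51234 (10.1.1.5/51234)
"""

def tally_acl_hits(log_text, acl_name):
    """Count (proto, dst_ip, dst_port) for permitted hits on acl_name.
    Non-106100 lines and hits on other ACLs are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["acl"] != acl_name or m["action"] != "permitted":
            continue
        counts[(m["proto"], m["dst"], int(m["dport"]))] += 1
    return counts

def suggest_permits(counts, acl_name, src="any"):
    """Return (ASA ACE line, hit count) pairs, busiest flows first,
    as candidates to put above the logged catch-all entry."""
    return [
        (f"access-list {acl_name} extended permit {proto} {src} host {dst} eq {dport}", n)
        for (proto, dst, dport), n in counts.most_common()
    ]

if __name__ == "__main__":
    for ace, n in suggest_permits(tally_acl_hits(SAMPLE_LOGS, "INSIDE_IN"), "INSIDE_IN"):
        print(f"{n:5d}  {ace}")
```

Feed it the 48 hours of collected syslog instead of SAMPLE_LOGS; anything still matching the catch-all after the specific permits are in place is what remains to be explained or denied.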
  3. morph

    morph Byte Poster

    thanks dude ! :D
     
    Certifications: Network +, ITIL Foundation, CCENT, CCNA
    WIP: server/ccna security
  4. ManishBehal

    ManishBehal New Member

    Hi,

    If you install the ASDM software you can easily see what traffic is passing through your firewall, including all the catch-all. Alternately, say you wanted to see what was hitting your outside interface, you could configure a capture list tied to an ACL to grab that traffic, bind that to the OUTSIDE interface and then parse it to the .pcap format and then view it in Wireshark – all this is free!! Can't be bad.


    HTH
     
    Certifications: CCIE, CCNP, CCDA, CCNP, MCSE, MCSA, MCDST, MCT
    WIP: CCIE Security,
