Hi Jason and all,

On PIX Ver. 6.33 you are able to set logging on for your ACLs. All denies or permits by the ACL will be transmitted via event 106100. You can also set an interval for how many log lines for the specific ACL, the same way as on the IOS.

The way the PIX can suppress an event, that's cool, but if you are going to use it for forensics you have to have all the logging set to debug. It's fine to get annoying events away from realtime logging. I have built my own syslog server, where I suppress which log events at the syslog server. I don't want to use the feature that the PIX gives me, because I have to track all the events to make sure, for example, to get the statistics for a connection I have to analyze the Translation event, the Connection event and the Teardown event, to have all the information about the source and destination and how many bytes transferred. After that I can log it to the database.

I have been working with the PIX for a couple of years now, and the way that the PIX is logging, what I think, it is by far the best on the market. Checkpoint Firewall's logging capabilities are really bad because it is so undocumented and a mess.

To Brian at Cisco: The way that PIX handles to send syslog events via TCP. When the PIX can't see the syslog server by the third retry, then it stops sending syslog messages. Why have you not set up a retry connection, every x minutes, to retry sending syslog messages again? It could be useful. In older versions of the PIX software it didn't care that I couldn't connect to the syslog server via TCP.

Regards
Jorgen Hoffmeister
NeoSec

-----Original Message-----
From: loganalysis-bounces+jorgen=hoffmeister.dk@private [mailto:loganalysis-bounces+jorgen=hoffmeister.dk@private] On Behalf Of Jason Haar
Sent: 23 October 2003 05:29
To: loganalysis@private
Subject: Re: [logs] firewall logging and rulesets

On Wed, Oct 22, 2003 at 05:22:16PM -0400, Brian Ford wrote:
> The other thing we did is to allow the suppression of messages based
> on the ID. So if you don't like the "Built Dynamic Translation"
> message you can make it so your PIX never emits that message again.
> And when I say never I mean until you take that line out of the
> configuration. But it does

I don't want to turn this into a PIX-thread - but I will :-)

This feature isn't as great as it seems. To be honest, the PIX still has a ways to go before its ACL support is as good as IOS. Why? Because under IOS you can tell an *individual* ACL whether it's going to log or not. Under the PIX, all you can do is log, or block logging on a "message number" - you can't get any finer grained.

e.g. our PIX blocks TONNES of outgoing TCP port 137,139 connections: Windows is TERRIBLE at promiscuously throwing packets about. There is so much that it is causing nothing but grief on our security loggers - so I want to disable them. They come under rule %PIX-4-106023 - but if I disable that, I also lose logging of internal hosts connecting to anything else - such as port 135 - which implies BLASTER. I don't want to miss seeing that, so I can't block %PIX-4-106023... :-(

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
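Jorgen's approach (suppress at the syslog server, correlate the Built and Teardown events into one connection record) and Jason's wish to drop only the port 137/139 denies while keeping port 135 visible, as an added example that is not code from either poster: a small Python filter over constructed PIX 6.x syslog lines. It assumes the 6.x message layouts for 106023, 302013 and 302014 as commonly documented; the sample lines, addresses and connection ID are constructed.

```python
import re

# Constructed sample lines in the PIX 6.x syslog format (not taken from the post).
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.0.0.5/1035 (198.51.100.1/1035)
%PIX-4-106023: Deny tcp src inside:10.0.0.7/1034 dst outside:203.0.113.20/139 by access-group "acl_in"
%PIX-4-106023: Deny tcp src inside:10.0.0.7/1036 dst outside:203.0.113.21/135 by access-group "acl_in"
%PIX-6-302014: Teardown TCP connection 1234 for outside:203.0.113.9/80 to inside:10.0.0.5/1035 duration 0:00:02 bytes 5120 TCP FINs
"""

# Server-side suppression, finer than the PIX's per-message-ID switch:
# drop 106023 denies only when the destination port is NetBIOS noise.
NOISY_DST_PORTS = {137, 139}

DENY_RE = re.compile(r"%PIX-4-106023: Deny (\w+) src (\S+)/(\d+) dst (\S+)/(\d+)")
BUILT_RE = re.compile(r"%PIX-6-302013: Built \w+ (\w+) connection (\d+) for (\S+) \(\S+\) to (\S+) \(\S+\)")
TEARDOWN_RE = re.compile(r"%PIX-6-302014: Teardown (\w+) connection (\d+) for \S+ to \S+ duration (\S+) bytes (\d+)")

def process(lines):
    """Return (kept_denies, completed_connections) for a list of syslog lines."""
    kept_denies, pending, connections = [], {}, []
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            dport = int(m.group(5))
            if dport not in NOISY_DST_PORTS:   # port 135 and everything else stays visible
                kept_denies.append({"proto": m.group(1), "src": f"{m.group(2)}/{m.group(3)}",
                                    "dst": f"{m.group(4)}/{dport}"})
            continue
        m = BUILT_RE.search(line)
        if m:   # remember the Built event, keyed by protocol and connection ID, until Teardown
            pending[(m.group(1), m.group(2))] = {"proto": m.group(1), "conn_id": int(m.group(2)),
                                                 "endpoints": (m.group(3), m.group(4))}
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            rec = pending.pop((m.group(1), m.group(2)), None)
            if rec is not None:   # Teardown carries the duration and byte count
                rec["duration"], rec["bytes"] = m.group(3), int(m.group(4))
                connections.append(rec)
    return kept_denies, connections

if __name__ == "__main__":
    denies, conns = process(SAMPLE_LOG.splitlines())
    print("kept denies:", denies)
    print("connections:", conns)
```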
This archive was generated by hypermail 2b30 : Thu Oct 23 2003 - 10:14:54 PDT