Odd PIX syslog Message with Web Sense

Unanswered Question
Nov 12th, 2008

I have two pairs of firewalls that are both running 7.2(4). One platform is a pair of PIX 515E and the other is a pair of ASA 5520s.


We are using Web Sense to filter a subset of addresses.


The 5520s generate a log message (ASA-5-304001) whenever a host identified by the "filter URL" command accesses a web page. It only generates this message for filtered hosts.


Now, my PIX 515E with 7.2(4) is generating the same message (PIX-5-304001), but there are no Filter commands implemented on this firewall. We used to filter traffic through it via Web Sense, but stopped maybe 9-10 months ago. The firewalls have been restarted since then.

I verified that there are no filter statements in the config and even removed the url-server definition. Still, the firewall generates a message whenever anyone accesses a web page. Any ideas why?


Relevant ASA config:

filter url http 10.220.34.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 10.20.25.92 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.49.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.50.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.51.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.52.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.53.109 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.54.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.58.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.59.102 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.60.10 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url http 10.20.63.90 255.255.255.255 0.0.0.0 0.0.0.0 allow
url-server (inside) vendor websense host 10.1.1.35 timeout 10 protocol UDP version 4

logging enable
logging timestamp
logging buffered alerts
logging trap notifications
logging history notifications
logging asdm errors
logging facility 18
logging host inside 10.1.1.55
logging host inside 10.1.1.74



Relevant PIX Config:

host# sh run filter
host# sh run url-server
host# sh run logging
logging enable
logging timestamp
logging buffered alerts
logging trap notifications
logging history notifications
logging asdm errors
logging facility 19
logging host inside 10.1.1.55
logging host inside 10.1.1.74
no logging message 106007
no logging message 210005
logging message 111008 level warnings



I have a reboot scheduled of the PIXs tonight to see if it clears it up. Does anyone have any other insight as to why the PIX is creating all of these extra log messages? Thanks!

didyap Tue, 11/18/2008 - 07:26

Enable or disable outbound URL filtering for use with WebSENSE servers. (Configuration mode.)


filter url http|except local_ip local_mask foreign_ip foreign_mask [allow]
no filter url http|except [local_ip local_mask foreign_ip foreign_mask]
show filter

Syntax Description

url - Filter URLs (Universal Resource Locators) from data moving through the PIX Firewall.

http - Filter HTTP (World Wide Web) URLs.

except - Create an exception to a previous filter condition.

local_ip - The IP address of the highest security level interface from which access is sought. You can set this address to 0.0.0.0 (or in shortened form, 0) to specify all hosts.

local_mask - Network mask of local_ip. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_ip - The IP address of the lowest security level interface to which access is sought. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

foreign_mask - Network mask of foreign_ip. Always specify a specific mask value. You can use 0.0.0.0 (or in shortened form, 0) to specify all hosts.

allow - When the server is unavailable, let outbound connections pass through PIX Firewall without filtering. If you omit this option, and if the WebSENSE server goes offline, PIX Firewall stops outbound port 80 (Web) traffic until the WebSENSE server is back online.
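
A way to check the behaviour described in the question against the filter syntax quoted in the reply, as an added example (not code from the thread or from Cisco): it parses the `filter url` statements and lists source addresses that logged 304001 without being covered by one. The log lines are constructed, their text layout is an assumption, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed config in the syntax quoted in the reply (addresses from the ASA config above).
CONFIG = """\
filter url http 10.220.34.0 255.255.255.0 0.0.0.0 0.0.0.0 allow
filter url http 10.20.25.92 255.255.255.255 0.0.0.0 0.0.0.0 allow
filter url except 10.220.34.7 255.255.255.255 0 0
"""

# Constructed syslog lines; the 304001 text layout used here is an assumption.
LOGS = """\
Nov 12 2008 10:01:02: %ASA-5-304001: 10.220.34.15 Accessed URL 192.0.2.10:/index.html
Nov 12 2008 10:01:05: %PIX-5-304001: 10.30.1.4 Accessed URL 192.0.2.10:/index.html
Nov 12 2008 10:01:09: %ASA-5-304001: 10.220.34.7 Accessed URL 198.51.100.8:/a.gif
Nov 12 2008 10:01:11: %ASA-6-302013: Built outbound TCP connection 1 for outside:192.0.2.10/80
"""

FILTER_RE = re.compile(r"^filter url (http|except) (\S+) (\S+) (\S+) (\S+)(?: allow)?$")
LOG_RE = re.compile(r"%(?:PIX|ASA)-\d-304001: (\d+(?:\.\d+){3}) Accessed (?:JAVA )?URL (\d+(?:\.\d+){3}):")

def _net(ip, mask):
    """Build a network from ip/mask, expanding the documented '0' shorthand."""
    full = lambda v: "0.0.0.0" if v == "0" else v
    return ipaddress.ip_network(f"{full(ip)}/{full(mask)}", strict=False)

def parse_filters(config):
    """Return (kind, local_net, foreign_net) for each 'filter url' statement."""
    rules = []
    for line in config.splitlines():
        m = FILTER_RE.match(line.strip())
        if m:
            kind, lip, lmask, fip, fmask = m.groups()
            rules.append((kind, _net(lip, lmask), _net(fip, fmask)))
    return rules

def is_filtered(rules, src, dst):
    """True if an 'http' statement covers src->dst and no 'except' statement does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    kinds = {k for k, local, foreign in rules if s in local and d in foreign}
    return "http" in kinds and "except" not in kinds

def unexpected_304001(config, logs):
    """Source IPs that logged 304001 although no filter statement covers them."""
    rules = parse_filters(config)
    hits = (LOG_RE.search(line) for line in logs.splitlines())
    return [m.group(1) for m in hits if m and not is_filtered(rules, *m.groups())]

if __name__ == "__main__":
    print(unexpected_304001(CONFIG, LOGS))
```

With an empty filter configuration, as on the PIX in the question, every 304001 source is reported.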


