FWSM Logs

Feb 22nd, 2010

Dear all

I have an FWSM and I have configured it to send its logs to ManageEngine Firewall Analyzer (FA) to analyze the logs and produce the monthly report. The FA is giving me the top hosts and destinations by bytes.

Current config on the FWSM

logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging host outside FA_IP_Address

Logging for the ACLs is not enabled on all of them (only 10%).

My question is: if I need to track all traffic by bytes for any access through my FWSM, do I have to enable logging on all the access-lists or not?

I have more than 1000 access-list lines; if I enable logging on the ACLs, will it impact firewall performance?

Thanks,

Panos Kampanakis Mon, 02/22/2010 - 12:41

Logging on a per-ACL basis will punt all the initial connection packets to the CPU in order to log them. If the log option is not there, then they are handled by Network Processor 3.

So you will see a CPU increase if you log all your ACL lines.

Depending on how much traffic is going through, high CPU could deteriorate performance.

I hope it helps.

PK

Ahmad Samir Mon, 02/22/2010 - 21:02

Dear PK

Thanks very much for your reply.

So, what can I do and what kind of configuration needs to be put on the FWSM to get the whole and right traffic reports from the FA?

What do you mean by Network Processor 3?

So the traffic reports that I am getting from the FA right now are not correct, because the FWSM doesn't send all the traffic going through it, because logging is not enabled on all the ACLs.

Thanks,

Panos Kampanakis Tue, 02/23/2010 - 06:16

Network Processor 3 is a specific ASIC on the FWSM that is responsible for establishing new connections, doing ACL checks, etc. There are two more processors that process packets of existing connections, and there is also the PC unit, which is practically the CPU that does syslogging and inspections.

There is no config to get the "whole and right traffic reports from the FA". It depends on what you want to get. The logs are here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/system/message/logmsgs_external_docbase_0900e4b1804ca185_4container_external_docbase_0900e4b1805ba0fa.html Usually you want to see denied packets and not allowed ones, so many customers just log the deny lines in the ACL. The log level you will log at (0-7) depends on how deep you want your syslog info to be.

I hope it helps.

PK

Ahmad Samir Tue, 02/23/2010 - 22:05

Dear PK

Thanks again for your help.

First, what do you mean that I can't get the right reports from the syslog server?

Second, I don't want the denied actions. I need to get the traffic reports (Top Hosts, Top Destinations, Top Conversations, Top Protocols) going through the firewall. Why can't the FWSM send all the logs to the syslog server?

Thanks and Best Regards,

Panos Kampanakis Wed, 02/24/2010 - 06:21

By "There is no config to get the "whole and right traffic reports from the FA"", I meant that "right reports" is too subjective. You define what the right reports are and you make sure your syslogs can give you those.

The FWSM can send all the logs to the syslog. It will increase the cpu if you log at the lowest syslog level (debugging), but you can do it. It is up to you to use these logs to generate reports.

I hope it helps.

PK
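As an added example (not part of the original thread, and not ManageEngine's or Cisco's code), the following Python script shows which FWSM syslog messages actually carry the per-connection byte counts that a "Top Hosts / Destinations / Conversations / Protocols by bytes" report needs. The sample log lines are constructed here, following the documented %FWSM-6-302014 / 302016 (TCP/UDP connection teardown, level 6) and %FWSM-6-106100 (ACL hit, level 6 by default) message layouts; the hostname, ACL name and addresses are made up. Teardown messages are emitted at informational level for every connection the FWSM builds, whether or not the matching ACE carries the `log` keyword, while 106100 is produced only for ACEs with `log` and reports hit counts per interval, never bytes.

```python
import re
from collections import Counter

# Constructed sample FWSM syslog lines (not from the thread). Addresses are
# RFC 5737 documentation ranges; layouts follow the documented 302013/302014/
# 302016/106100 message formats.
SAMPLE_LOG = """\
Feb 22 2010 12:41:01 fwsm-1 : %FWSM-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/443 (10.1.1.10/443)
Feb 22 2010 12:41:13 fwsm-1 : %FWSM-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51234 to inside:10.1.1.10/443 duration 0:00:12 bytes 8421 TCP FINs
Feb 22 2010 12:41:20 fwsm-1 : %FWSM-6-302016: Teardown UDP connection 1002 for outside:203.0.113.7/53 to inside:10.1.1.20/40001 duration 0:00:02 bytes 312
Feb 22 2010 12:41:30 fwsm-1 : %FWSM-6-302014: Teardown TCP connection 1003 for inside:10.1.1.10/40002 to outside:198.51.100.8/80 duration 0:00:05 bytes 1500 TCP Reset-O
Feb 22 2010 12:41:31 fwsm-1 : %FWSM-6-106100: access-list outside_in permitted tcp outside/203.0.113.5(51234) -> inside/10.1.1.10(443) hit-cnt 1 (first hit) [0x8ed66b60, 0x0]
Feb 22 2010 12:46:31 fwsm-1 : %FWSM-6-106100: access-list outside_in denied tcp outside/192.0.2.9(4444) -> inside/10.1.1.10(23) hit-cnt 37 (300-second interval) [0x1a2b3c4d, 0x0]
"""

# 302014 (TCP) and 302016 (UDP): the only messages here that carry "bytes N".
TEARDOWN_RE = re.compile(
    r"%FWSM-6-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) duration [\d:]+ bytes (?P<bytes>\d+)"
)

# 106100: emitted only for ACEs with the `log` keyword; carries a hit count, no bytes.
ACL_RE = re.compile(
    r"%FWSM-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied|est-allowed) "
    r"(?P<proto>\w+) (?P<src_if>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\) hit-cnt (?P<hits>\d+)"
)


def parse_lines(text):
    """Yield ("teardown", fields) or ("acl", fields) per recognised line; skip the rest."""
    for line in text.splitlines():
        m = TEARDOWN_RE.search(line)
        if m:
            f = m.groupdict()
            f["bytes"] = int(f["bytes"])
            yield "teardown", f
            continue
        m = ACL_RE.search(line)
        if m:
            f = m.groupdict()
            f["hits"] = int(f["hits"])
            yield "acl", f


def traffic_report(text):
    """Byte totals per source host, destination, conversation and protocol.

    Only teardown messages feed these tables, because only they carry bytes."""
    hosts, dests, convs, protos = Counter(), Counter(), Counter(), Counter()
    for kind, f in parse_lines(text):
        if kind != "teardown":
            continue
        hosts[f["src"]] += f["bytes"]
        dests[f["dst"]] += f["bytes"]
        convs[(f["src"], f["dst"], f["proto"], int(f["dport"]))] += f["bytes"]
        protos[f["proto"]] += f["bytes"]
    return {"hosts": hosts, "dests": dests, "conversations": convs, "protocols": protos}


def acl_hit_report(text):
    """Per-ACE hit counts from 106100 messages (packets/flows per interval, not bytes)."""
    hits = Counter()
    for kind, f in parse_lines(text):
        if kind == "acl":
            hits[(f["acl"], f["action"], f["src"], f["dst"], int(f["dport"]))] += f["hits"]
    return hits


def total_bytes(text):
    """Sum of bytes across all torn-down connections."""
    return sum(traffic_report(text)["protocols"].values())


if __name__ == "__main__":
    report = traffic_report(SAMPLE_LOG)
    for table in ("hosts", "dests", "conversations", "protocols"):
        print(f"Top {table} by bytes:")
        for key, nbytes in report[table].most_common(3):
            print(f"  {key}: {nbytes}")
    print("ACL hits (106100, no byte data):")
    for key, n in acl_hit_report(SAMPLE_LOG).most_common():
        print(f"  {key}: {n}")
    print("Total bytes:", total_bytes(SAMPLE_LOG))
```

With `logging trap informational` as in the question's config, the level 6 teardown messages already reach the syslog host for every connection, so the byte-based tables do not depend on how many ACEs carry `log`; adding `log` to more ACEs only adds 106100 hit counters, at the CPU cost described in the answer above.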

pemasirid Wed, 01/02/2013 - 12:27

Hi PK,

I'm having a kind of similar issue. In my FWSM (ver 4.1.11), when I run `show logging`, nothing is shown (deny) against ACLs, but it shows all other (system) logs. I added the deny with log (informational) at the end to get those logs more specifically, but even then it still doesn't show. I checked this by configuring logging buffered notification/debugging etc., but it still does not show any deny logs against the ACL.

However, in another FWSM running ver 4.0.12 I can see deny logs against ACLs.

Not sure if I'm missing something or hitting a bug on ver 4.1.11. I'd appreciate it if you can shed some light on this.
