FWSM Logs

Ahmad Samir
Level 1

Dear all

I have an FWSM and I configured it to send its logs to the ManageEngine Firewall Analyzer (FA) to analyze the logs and produce the monthly report. The FA is giving me the top hosts and destinations by bytes.

Current config on the FWSM

logging enable
logging timestamp
logging buffered debugging
logging trap informational
logging asdm informational
logging host outside FA_IP_Address

Logging is not enabled on all of the ACL lines (only about 10% of them).

My question is: if I need to track all traffic by bytes for any access through my FWSM, do I have to enable logging on all the access-lists or not?

I have more than 1000 lines of access-list; if I enable logging on the ACL, will it impact the firewall performance?

Thanks,

6 Replies

Panos Kampanakis
Cisco Employee

Logging on a per-ACL basis will punt all the initial connection packets to the CPU in order to log them. If the log option is not there, they are handled by Network Processor 3.

So you will see a CPU increase if you log all your ACL lines.

Depending on how much traffic is going through, high CPU could degrade performance.

I hope it helps.

PK

Dear PK

Thanks very much for your reply.

So, what can I do, and what kind of configuration needs to be put on the FWSM to get the whole and right traffic reports from the FA?

What do you mean by Network Processor 3?

So, the traffic reports that I am getting from the FA right now are not correct, because the FWSM doesn't send all the traffic going through it, since logging is not enabled on all the ACLs.

Thanks,

Network Processor 3 is a specific ASIC on the FWSM that is responsible for establishing new connections, doing ACL checks, etc. There are two more processors that process packets of existing connections, and there is also the PC unit, which is practically the CPU that does syslogging and inspections.

There is no config to get the "whole and right traffic reports from the FA". It depends on what you want to get. The log messages are documented here: http://www.cisco.com/en/US/docs/security/fwsm/fwsm32/system/message/logmsgs_external_docbase_0900e4b1804ca185_4container_external_docbase_0900e4b1805ba0fa.html Usually you want to see denied packets and not allowed ones, so many customers just log the deny lines in the ACL. The log level you log at (0-7) depends on how deep you want your syslog info to be.

I hope it helps.

PK
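The "log only the deny lines" approach PK describes, written out as an added configuration example; this is not from the original thread. The `access-list ... log [level] [interval secs]` and `access-group` syntax is the FWSM/ASA extended ACL syntax as I know it; the ACL name, interface names and addresses are assumptions. The permit lines carry no `log` keyword, so permitted flows stay on the Network Processor path; only the catch-all deny is logged, at level 6, rate-limited to one message per flow every 300 seconds.

```text
! Added example, hypothetical FWSM config (names and addresses are assumptions)
! Permitted traffic: no "log" keyword, so no punt to the CPU for these hits
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.5 eq 443
access-list OUTSIDE_IN extended permit udp any host 10.1.1.5 eq 53
! Catch-all deny: log at informational (6), at most one syslog per flow per 300 s
access-list OUTSIDE_IN extended deny ip any any log 6 interval 300
access-group OUTSIDE_IN in interface outside
!
logging enable
logging timestamp
logging trap informational
logging host inside 10.0.0.50
```

The `interval` value bounds how often a repeated hit on the same flow generates another ACL syslog, which is what keeps a port scan or a misbehaving host from flooding the syslog server. Note that this only reports what the ACL dropped; it does not give per-connection byte counts for permitted traffic, which is a separate question from the deny logging discussed here.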

Dear PK

Thanks again for your help.

First, what do you mean that I can't get the right reports from the syslog server?

Second, I don't want the denied actions. I need the traffic reports (Top Hosts, Top Destinations, Top Conversations, Top Protocols) for traffic going through the firewall. Why can't the FWSM send all the logs to the syslog server?

Thanks and Best Regards,

By "There is no config to get the "whole and right traffic reports from the FA"", I meant that "right reports" is too subjective. You define what the right reports are and you make sure your syslogs can give you those.

The FWSM can send all the logs to the syslog server. It will increase the CPU if you log at the lowest syslog level (debugging), but you can do it. It is up to you to use these logs to generate reports.

I hope it helps.

PK
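PK's point is that the FWSM emits the logs and it is up to the consumer to turn them into reports. The following is an added example, not code from the thread or from ManageEngine, of doing exactly that for the four reports the questioner asked for (top hosts, top destinations, top conversations, top protocols) by bytes. It assumes that the FWSM/ASA connection teardown messages 302014 (TCP) and 302016 (UDP) carry the `bytes` count for the connection, and that ACL log messages (106100) carry only a hit count, not bytes; the regular expression below is written against those message formats as I know them. The sample syslog lines, the `fwsm` hostname and all addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original post). The message
# bodies follow the FWSM 302013/302014/302016/106100 formats as I understand
# them; hostnames and addresses are hypothetical.
SAMPLE_LOG = """\
Mar 01 2010 10:00:01 fwsm : %FWSM-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.5/51000 (10.1.1.5/51000)
Mar 01 2010 10:00:05 fwsm : %FWSM-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:10.1.1.5/51000 duration 0:00:04 bytes 45000 TCP FINs
Mar 01 2010 10:00:06 fwsm : %FWSM-6-302014: Teardown TCP connection 1002 for outside:203.0.113.20/80 to inside:10.1.1.6/51001 duration 0:00:02 bytes 1200 TCP Reset-O
Mar 01 2010 10:00:07 fwsm : %FWSM-6-302016: Teardown UDP connection 1003 for outside:198.51.100.5/53 to inside:10.1.1.5/40000 duration 0:00:01 bytes 300
Mar 01 2010 10:00:08 fwsm : %FWSM-6-106100: access-list OUTSIDE_IN denied tcp outside/192.0.2.9(4444) -> inside/10.1.1.5(22) hit-cnt 1 first hit [0x1234abcd, 0x0]
Mar 01 2010 10:00:09 fwsm : %FWSM-6-302014: Teardown TCP connection 1004 for outside:203.0.113.10/443 to inside:10.1.1.6/51002 duration 0:00:03 bytes 5000 TCP FINs
"""

# Only the teardown messages carry a byte count; Built (302013) and ACL
# (106100) messages do not, so they are counted as skipped.
TEARDOWN_RE = re.compile(
    r"%FWSM-\d-3020(?:14|16): Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<if_a>[^:\s]+):(?P<ip_a>[\d.]+)/(?P<port_a>\d+) to "
    r"(?P<if_b>[^:\s]+):(?P<ip_b>[\d.]+)/(?P<port_b>\d+) "
    r"duration \S+ bytes (?P<bytes>\d+)"
)


def parse_teardowns(text):
    """Return (flows, skipped): one dict per teardown message, plus the
    number of other FWSM messages that carried no byte count."""
    flows, skipped = [], 0
    for line in text.splitlines():
        if "%FWSM-" not in line:
            continue
        m = TEARDOWN_RE.search(line)
        if not m:
            skipped += 1
            continue
        d = m.groupdict()
        flows.append({
            "proto": d["proto"],
            "a": (d["if_a"], d["ip_a"], int(d["port_a"])),
            "b": (d["if_b"], d["ip_b"], int(d["port_b"])),
            "bytes": int(d["bytes"]),
        })
    return flows, skipped


def _top(totals, n):
    # Highest byte count first; ties broken by key so output is deterministic.
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


def top_hosts(flows, interface, n=10):
    """Bytes per address seen on the named interface, at either end of a flow."""
    totals = defaultdict(int)
    for f in flows:
        for iface, ip, _port in (f["a"], f["b"]):
            if iface == interface:
                totals[ip] += f["bytes"]
    return _top(totals, n)


def top_conversations(flows, n=10):
    """Bytes per (first endpoint, second endpoint) address pair."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["a"][1], f["b"][1])] += f["bytes"]
    return _top(totals, n)


def top_protocols(flows, n=10):
    """Bytes per protocol/service port. Heuristic: the service port is the
    lower-numbered of the two ports (ephemeral ports are high)."""
    totals = defaultdict(int)
    for f in flows:
        port = min(f["a"][2], f["b"][2])
        totals[f"{f['proto']}/{port}"] += f["bytes"]
    return _top(totals, n)


def report(text, n=10):
    """Build all four reports from raw syslog text."""
    flows, skipped = parse_teardowns(text)
    return {
        "flows": len(flows),
        "skipped": skipped,
        "total_bytes": sum(f["bytes"] for f in flows),
        "inside_hosts": top_hosts(flows, "inside", n),
        "outside_hosts": top_hosts(flows, "outside", n),
        "conversations": top_conversations(flows, n),
        "protocols": top_protocols(flows, n),
    }


if __name__ == "__main__":
    for name, value in report(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

The practical consequence for the original question is visible in the `skipped` count: the ACL deny line contributes nothing to any byte-based report, so enabling `log` on every ACL entry (with its CPU cost) does not improve "top hosts by bytes". What those reports need is for the level-6 connection teardown messages to reach the collector, which `logging trap informational` already permits.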

Hi PK,

I'm having a similar issue. In my FWSM (ver 4.1.11), when I run show logging, nothing is seen (deny) against ACLs, but I see all the other (system) logs. I added the deny with log (informational) at the end to get specifically those logs, but even then it still doesn't show. I checked this by configuring logging buffered notification/debugging etc., but it still does not show any deny logs against the ACL.

However, in another FWSM running ver 4.0.12 I can see deny logs against the ACL.

Not sure if I'm missing something or hitting a bug on ver 4.1.11. I'd appreciate it if you could shed some light on this.
