Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IOS Firewall(CBAC) monitor mode ?

I am looking into deploying cbac and wondered if there is a way of running it in monitor mode to get a good idea of "normal" traffic patterns. This would give us a good chance to write and verify key service acl entries before we change our acls over to default deny mode. It would also give us a good idea of where to place the low and high half-open session thresholds too which are likely to be higher than the default 400/500! I'm thinking maybe it's possible deploy the ip inspect command on our outbound interface but to have our acl in permit-any mode - and to build up acl entries for our key services - which when functioning will begin to show matches - and at the same time to log output from the permit-any line in the acl so that we can profile any other services that might be running through our router. Would log output from the IOS fw give us clues as to a suitable half-open session thresholds too ? I know it sends aggreessive / calming pairs of messages when the high threshold is crossed, should we be raising them so that it can be "tuned" to the correct level of half-open thresholds for our network ? Monitor mode is a key feature of other firewalls like checkpoint 1 and I wondered if this is a viable alternative method for the IOS Firewall ?

Cisco Employee

Re: IOS Firewall(CBAC) monitor mode ?

There is no option to run CBAC in monitor mode.


New Member

Re: IOS Firewall(CBAC) monitor mode ?

However, you can do something similar to what you suggested:

1) use the desired ip inspects, starting off with just the basics:

tcp, udp, ftp

2) create your acl, ensuring that you have entries for protocols/ports that don't get inspected (icmp, ah, esp, udp 500, etc) as well as any traffic initiated from the outside

3) make the last entry in your ACL permit ip any any log. Anything that you missed that normally is getting through your router will match the last entry, will be permitted, and will generate a syslog. Depending on your ios version, you may have to precede the permit ip any any log with a permit tcp any any log and permit udp any any log, in order to see the source and destination ports (doesn't show ports with a permit ip any any in all IOS versions).

4) for your global thresholds (host, one minute, and five minute), just set them really high (like 20000 or something like that), then periodically do a show ip inspect stat (hidden command) to se the number you normally have.

This should at least give you a benchmark.