Cisco Support Community

New Member

Is there a way to email me/page me if a change has been made on my firewall

I want to be paged and emailed if a change (such as a rules change) is done on my firewall. I haven't been able to find any documentation on this.

Would logging informational to the syslog and then having the syslog email/page me from there work? Or is there another way I can do it?

Silver

Re: Is there a way to email me/page me if a change has been made

Good news! There's lots of ways!

Using a syslog daemon, you can syslog events and look for the interesting ones to create emails. Pix 6.2+ works best for this. Every command typed can be syslogged and will include the user who typed it (event # 111008). Syslog events are generated for entering config mode (event # 111007) and exiting config mode (event # 111005).

Kiwi syslog daemon for Windows can create emails based on specified events, such as by looking for those numbers above. Swatch can do this for *nix. Also, the CatTools from Kiwi can download configs on a scheduled basis and notify you if they've changed (but not what changed).

Also, the Pix generates a checksum at the end of its config. You could download the config periodically via tftp and compare the checksum. If the config changes, the checksum will be different.

DeviceAuthority from AlterPoint does this very well. (not freeware) Not only for Pixes but any networking device. It will download the configs, look for changes, email them to you, and even highlight the exact lines that are different.

Of course, CiscoWorks does this very well but is pretty darn expensive and requires a lot of horsepower.

-Shannon

New Member

Re: Is there a way to email me/page me if a change has been made

As an add-on to Shannon's reply, I can recommend that you include the following events in your "mail_me_changes_profile". They are very good if you have one user for a group of admins.

Event # 315001 - SSH login denied from IP#

Event # 315002 - SSH login from IP#

Event # 315003 - SSH login failed from IP#

Event # 307001 - Telnet login denied from IP#

Event # 307002 - Telnet login from IP#

Event # 307003 - Telnet login failed from IP#

With these events you can see from where someone logged on and you can see if someone uninvited is knocking on the door.

Description of syslog messages:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/syslog/pixemsgs.pdf

/ Per
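An added example, not part of either reply above and not taken from Kiwi or Swatch: a small Python filter for the event numbers listed in both replies that batches matching syslog lines into one e-mail. The sample log lines, addresses and function names are constructed for illustration; only the `%PIX-severity-id:` tag is parsed, and the rest of each message is treated as free text.

```python
import re
from email.message import EmailMessage

# Event IDs and labels as listed in the two replies above.
WATCHED = {
    "111005": "exited config mode", "111007": "entered config mode",
    "111008": "command executed",
    "315001": "SSH login denied", "315002": "SSH login",
    "315003": "SSH login failed",
    "307001": "Telnet login denied", "307002": "Telnet login",
    "307003": "Telnet login failed",
}
# Each PIX message carries a %PIX-<severity>-<event id>: tag.
TAG = re.compile(r"%PIX-(\d)-(\d{6}):\s*(.*)")

def match_events(lines):
    """Return (event_id, label, text) for every watched event in lines."""
    hits = []
    for line in lines:
        m = TAG.search(line)
        if m and m.group(2) in WATCHED:
            hits.append((m.group(2), WATCHED[m.group(2)], m.group(3).strip()))
    return hits

def build_alert(hits, sender, recipient):
    """Build one digest e-mail for a batch of hits, or None if none matched."""
    if not hits:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    # Only event IDs go in the Subject; raw log text stays in the body so
    # nothing typed on the device can end up in a mail header.
    ids = ",".join(sorted({h[0] for h in hits}))
    msg["Subject"] = "PIX alert: %d event(s), ids %s" % (len(hits), ids)
    msg.set_content("\n".join("%s [%s] %s" % h for h in hits))
    return msg

# Constructed sample lines (not captured from a real device).
SAMPLE = [
    "Mar  3 10:15:01 192.0.2.1 %PIX-5-111007: Begin configuration: 192.0.2.10",
    "Mar  3 10:15:09 192.0.2.1 %PIX-5-111008: User 'admin' executed the "
    "'access-list outside_in permit tcp any host 192.0.2.20 eq 80' command.",
    "Mar  3 10:15:20 192.0.2.1 %PIX-5-111005: 192.0.2.10 end configuration: OK",
    "Mar  3 10:16:00 192.0.2.1 %PIX-6-302013: Built outbound TCP connection",
    "Mar  3 10:17:30 192.0.2.1 %PIX-6-315003: SSH login failed from 198.51.100.7",
]

if __name__ == "__main__":
    # To deliver: smtplib.SMTP("mail.example.com").send_message(alert)
    print(build_alert(match_events(SAMPLE), "pix@example.com", "admin@example.com"))
```

Batching hits into one message per polling interval keeps a burst of 111008 command events from turning into one page per command.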
