1/62 Copyright © 2004 Net Report. All rights reserved. http://www.net-report.net
Net Report Cisco PIX Configuration Guide
for Cisco PIX Firewalls Versions 6.2 and 6.3
http://www.net-report.net
Table of Contents
About This Document ... 4
    Purpose ... 4
    Technical Specifications ... 4
    Audience ... 4
    Related Information ... 4
    Key Configuration Rules ... 4
    Two Configuration Solutions to Choose Between ... 6
    Net Report and Cisco Version-Specific Information ... 6
Section 1: Introducing General Required Configuration Guidelines ... 7
    1.1. General Guidelines for Configuring Cisco PIX for Net Report ... 7
    1.2. Listing Cisco PIX Messages Treated by Net Report ... 13
    1.3. Reading Cisco PIX and Catalyst System Log Messages ... 14
    1.4. Syslog Messages for Cisco PIX ... 16
    1.5. Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3 ... 17
    1.6. Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3 ... 20
Section 2: Configuration Solution 1: Suppressing Syslog IDs ... 21
    2.1. Introduction ... 21
    2.2. Launching Cisco PIX Device Manager 3.0 ... 22
    2.3. Selecting Syslog Messages for Suppression ... 23
    2.4. Suppressing Syslog Messages ... 26
    2.5. Viewing Syslog IDs Suppressed via the Command Line Interface ... 28
    2.6. Including Timestamp & Modifying Advanced Syslog Configuration ... 30
    2.7. Viewing The Advanced Syslog Configuration Modifications ... 33
Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages’ Levels ... 35
    3.1. Modifying Net Report Treated Messages’ Level via PIX Device Manager ... 36
    3.2. Viewing The Syslog Messages’ Level Modifications ... 39
    3.3. Modifying Syslog Severity Level Threshold, Including Timestamp & IP ... 41
    3.4. Viewing The Severity Threshold & Timestamp Modifications ... 44
Appendices ... 46
Appendix A ... 48
    A.1 Introduction ... 48
    A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and 6.3 ... 48
    A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and 2.3 ... 49
Appendix B ... 61
    B.1 Introduction ... 61
    B.2 Error Messages Specific to Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 & 2.3 ... 61
Contacting Net Report ... 62
About This Document
Purpose
This Net Report Cisco PIX Configuration Guide explains how to configure Cisco PIX Firewalls Versions 6.2 and 6.3, and the Firewall Services Module (FWSM) Versions 2.2 and 2.3 for the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router, for Net Report.
Note: this document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3.
Technical Specifications
The guidelines given in this document are applicable to the Cisco PIX Device Manager (PDM) version 3.0. The Cisco PIX Device Manager is a browser-based configuration tool designed to help you set up, configure and monitor your PIX Firewall graphically.
Audience
This document addresses both basic and advanced Net Report users. This Guide is also written for System Administrators who are responsible for maintaining network security. It assumes you have a basic understanding and a working knowledge of:
• Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3.
• System Administration.
• Unix or Windows Operating Systems.
• Windows GUI.
• Internet protocols (IP, TCP, UDP and so on).
Related Information
Please read the following documents which are related to Net Report’s technical documentation:
Copyright Notice:
http://www.net-report.net/downloads/WebDoc/Copyright/Net_Report_Copyright_Notice.pdf
Code and Icon Conventions:
http://www.net-report.net/downloads/WebDoc/Conventions/Net_Report_Code_and_Icon_Conventions.pdf
Online Help:
http://www.net-report.net/us/support/sup_userhelp.html
Troubleshooting:
http://www.net-report.net/us/OurDocuments/NRFAQs.htm
Glossary:
http://www.net-report.net/knowledgebase/UserHelp/16_Net_Report_Glossary/Net_Report_Glossary_2.0.1.htm
Key Configuration Rules
For Net Report to treat your Syslog Messages and Flat Files, please note the following general key points:
It is mandatory to check the Include Timestamp check box in the PIX Device Manager, to ensure that the Timestamp (date and time) is added to the beginning of each message.
1. If you want Net Report to analyze the Flat File, then the Flat File must contain the Syslog Message in its default form, with the Timestamp data prefix. That is, the message itself must not be modified. The two examples below are logs generated via Kiwi; in each, Net Report parses only the Syslog message itself, which is the part of the line beginning with the PIX Timestamp prefix (the fields before it are added by Kiwi).
a. The first log is written in the format Kiwi Format ISO yyyy-mm-dd (Tab delimited):
2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside
b. The second log is written in the format Comma Separated Values UTC yyyy-mm-dd (CSV):
2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 192.168.1.1 : %PIX-6-302013: Built outbound TCP connection 8893 for outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 (192.168.0.84/2902)
Two Configuration Solutions to Choose Between
This document explains how to reduce the number of Syslog (System Log) messages written to the Flat Files parsed by Net Report, both to cut the volume to be processed and to avoid a potential loss of information.
Note: if Net Report treats your Syslog Messages directly (via the Net Report Syslog Agent), you do not necessarily need to apply either Configuration Solution 1 or 2. Doing so will, however, improve the performance of Net Report’s treatment. The document proposes two Configuration Solutions. Please choose the solution which is the most appropriate for your company’s IT Security Policy:
Configuration Solution 1: Reduce the Number of Syslog Messages Written to the Flat Files strictly to those which are treated by Net Report, via Cisco PIX Device Manager 3.0 (PDM).
Configuration Solution 2: Specify the Severity Level Threshold and Modify Certain Messages’ Severity Levels in the Cisco PIX Device Manager 3.0. The threshold (Level 3 in this guide) determines which Syslog messages are sent to the flat file for treatment by Net Report: the PIX Firewall only sends messages at that level or more severe, that is, with a level number lower than or equal to the threshold. For example, if you specify severity level 3 (error) as the Severity Level Threshold, the PIX Firewall sends severity level 1, 2 and 3 messages to the output location, which limits the number of messages sent. However, several of the messages treated by Net Report have a default level higher than 3 (for instance the level 6 connection messages 302013 to 302016 listed in Section 1.5), so you must lower the level of each such message to the threshold you defined to ensure that it is still sent. For example, a message treated by Net Report with a default Logging level of 5 is changed to Logging level 3. Note that a message’s level is changed wherever the PIX logs it, not only for the Syslog output, and that any treated message you forget to lower is silently dropped by the threshold.
Important: if you want to use Cisco PIX with Oracle, please see: Knowledge Base Article 58.
Net Report and Cisco Version-Specific Information
This document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3. Messages from versions prior to these versions are considered beyond the scope of this document and are not supported by Net Report 3.12 and later. Please read Section 1 before continuing with either Configuration Solution 1 or Configuration Solution 2.
Section 1: Introducing General Required Configuration Guidelines
1.1. General Guidelines for Configuring Cisco PIX for Net Report
To configure Cisco PIX for Net Report it is important to note the following five essential configuration rules:
• Include the Syslog Message Timestamp
• Export Syslog Messages to Specific Flat File Formats
• Reduce the Number of Syslog Messages Analyzed by Net Report
• Associate an IP Address with a Hostname
• Choose between Two Different Configuration Solutions
Five General Configuration Rules for Configuring Cisco PIX for Net Report
1. Include the Syslog Message Timestamp: all System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address. Check the Include Timestamp check box in the PIX Device Manager. This adds the Timestamp prefix to the beginning of the Syslog message, indicating when the event occurred.
2. Export Syslog Messages to Specific Flat File Formats: if you want Net Report to analyze your Flat Files, then the Flat File must contain the Syslog Message in its default form, with the Timestamp data prefix. That is, the message itself must not be modified. The two examples below are logs generated via Kiwi.
a. The first log is written in the format Kiwi Format ISO yyyy-mm-dd (Tab delimited).
Net Report parses the Syslog Message itself, which is the part of the line beginning with the PIX Timestamp prefix (shown in bold in the original guide): 2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside
b. The second log is written in the format Comma Separated Values UTC yyyy-mm-dd (CSV). Again Net Report parses only the Syslog message itself: 2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 192.168.1.1 : %PIX-6-302013: Built outbound TCP connection 8893 for outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 (192.168.0.84/2902)
3. Reduce the Number of Syslog Messages Analyzed by Net Report: to improve performance and avoid a potential loss of information, reduce the number of Syslog (System Log) messages written to the Flat Files parsed by Net Report. This document presents two solutions for doing so.
4. Associate an IP Address with a Hostname: certain Cisco PIX messages (notably Message 106023) give a hostname for the source/destination instead of an IP Address, where a hostname has been associated with that IP Address in the PIX Device Manager. These messages must be resolved to associate the Hostname with the IP Address to obtain the correct data for the Cisco PIX statistics. Net Report recommend either associating the hostname with the IP addresses defined in the PIX Device Manager, or activating and correctly defining the reverse DNS (RDNS) function, which associates an IP address with a hostname, for the IP Addresses concerned. The first solution, associating a hostname with an IP Address via the PIX Device Manager, is described in the following example:
i. Select Configuration> Hosts/Networks in the PIX Device Manager.
ii. Select inside: any> [IP] > [IP Address] in the left Hosts/Networks pane. Double-click the IP Address to modify. The Edit host/network dialog box appears.
iii. Select the Basic information tab.
iv. Enter the Hostname you want to associate with the IP Address in the Name (Recommended) field. In this example, your_hostname.
v. Click OK. The Hostname appears to the left of the IP Address you modified in the left Hosts/Networks pane. In this example your_hostname [IP Address]
5. Choose between Two Different Configuration Solutions: please note the information in Section 1 concerning the Cisco PIX messages treated by Net Report before moving on to choose either Configuration Solution 1 (see Section 2) or Configuration Solution 2 (see Section 3) to configure Cisco PIX for Net Report. Net Report treat a certain number of Syslog Messages; the list of these messages is given in Sections 1.4 to 1.6, and the exhaustive description of each Syslog Message treated by Net Report is included in the Appendices at the end of this document.
Two Syslog Message Configuration Solutions to Choose Between
The document proposes two solutions. Please choose the solution which is the most appropriate for your company’s IT Security Policy. Either:
Solution 1: Reduce the number of Syslog Messages written to the flat files strictly to those which are treated by Net Report, via Cisco PIX Device Manager 3.0 (PDM). See Section 2.
Or:
Solution 2: Specify the severity level threshold and modify certain messages’ severity levels in the Cisco PIX Device Manager 3.0. The threshold (Level 3 in this guide) determines which Syslog messages are sent to the flat file for treatment by Net Report: the PIX Firewall only sends messages at that level or more severe, that is, with a level number lower than or equal to the threshold. For example, if you specify severity level 3 (error) as the Severity Level Threshold, the PIX Firewall sends severity level 1, 2 and 3 messages to the output location, which limits the number of messages sent. However, you must lower the level of every message treated by Net Report whose default level is higher than the threshold (see the tables in Sections 1.4 to 1.6) to the threshold you defined, to ensure that it is still sent. For example, a message treated by Net Report with a default Logging level of 5 is changed to Logging level 3. Any treated message you forget to lower is silently dropped by the threshold. See Section 3.
1.2. Listing Cisco PIX Messages Treated by Net Report
The System Log messages in this section apply to Cisco PIX Firewall Versions 6.2 and 6.3, Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3, and Net Report 3.12 and later. Please see Article 59 for the exhaustive list of Cisco PIX and Catalyst System Log messages supported by Net Report.
Net Report supports the following System Log Messages:
• System Log Messages specific to Cisco PIX Firewall Versions 6.2 and 6.3 (please see Section 1.4).
• System Log Messages for both Cisco PIX Firewall Versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.5).
• System Log Messages specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.6).
Note: neither the Cisco PIX nor the Cisco Firewall Services Module sends severity 0 (emergency) messages to Syslog. Such messages are comparable to a UNIX panic message and indicate an unstable system.
1.3. Reading Cisco PIX and Catalyst System Log Messages
System log messages received at a Syslog server for treatment by Net Report begin with the Timestamp, followed by the Firewall IP Address and then a percent sign (%). The messages are structured as follows:
[Timestamp] [Firewall_IP_Address]: %{PIX|FWSM}-Level-Message_number: message_text
Timestamp: identifies the time the event occurred. For Net Report, you must check the Include Timestamp check box (select Configuration> System Properties, then Logging> Syslog in the Categories pane, and select Include Timestamp).
Firewall_IP_Address: identifies the Firewall IP Address. Please see the following sub-sections for more information.
PIX: identifies the message facility code for messages generated by the PIX Firewall.
FWSM: identifies the message facility code for messages generated by the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module.
Level: reflects the severity of the condition described by the message; the lower the number, the more severe the condition. Logging is set to level 3 (error) by default.
Message_number: is the numeric code that uniquely identifies the message.
message_text: is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers or user names.
Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 1.1).
Note: if you want Net Report to analyze your Flat Files, then the Flat File must contain the Syslog Message in its default form, with the Timestamp data prefix. That is, the message itself must not be modified. The following example is a log generated via Kiwi.
Flat File Format Example: the log is written in the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses only the Syslog message itself, which is the part of the line beginning with the PIX Timestamp prefix: 2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside
Cisco PIX Level Description Table
The table below defines the Keyword and Description associated with each Cisco PIX Level Number, as defined by Cisco Systems.
Level Number | Level Keyword | Description
1 | Alert | Immediate action needed.
2 | Critical | Critical condition.
3 | Error | Error condition.
4 | Warning | Warning condition.
5 | Notification | Normal but significant condition.
6 | Informational | Informational message only.
7 | Debugging | Appears during debugging only.
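Parsing these lines in practice: the following Python script is an added example written for this guide, not Net Report’s own parser nor any Cisco tool. It splits both Kiwi flat-file formats shown in Sections 1.1 and 1.3 without altering the Syslog message (splitting on at most three delimiters, because message text such as 313001’s "type=..., code=..." itself contains commas), then breaks the message into the fields described above and rejects any line that lacks the mandatory Timestamp prefix. The sample lines are constructed from the two examples in this guide plus two made-up variants; the Local4.Info priority and the 192.168.1.1 reporter address are simply what those examples show.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity keywords from the Cisco PIX Level Description Table in Section 1.3.
LEVEL_KEYWORDS = {
    1: "alert", 2: "critical", 3: "error", 4: "warning",
    5: "notification", 6: "informational", 7: "debugging",
}

# [Timestamp] [Firewall_IP_Address]: %{PIX|FWSM}-Level-Message_number: message_text
# The device-id is optional: it is only present once "Enable Syslog Device ID"
# has been set (Section 2.6). The Timestamp is not optional: a message without
# it is rejected, which is the "Include Timestamp" rule of this guide.
_MSG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<device>[^\s:]+)\s*)?:\s*"
    r"%(?P<facility>PIX|FWSM)-(?P<level>[1-7])-(?P<msgid>\d{6}):\s*"
    r"(?P<text>.*)$"
)


@dataclass
class PixMessage:
    collector_time: str     # timestamp the Syslog collector (Kiwi) prepended
    reporter: str           # source address the collector saw
    pix_time: str           # Timestamp prefix added by "logging timestamp"
    device: Optional[str]   # Firewall IP Address / device-id, if enabled
    facility: str           # "PIX" or "FWSM"
    level: int
    msgid: int
    text: str

    @property
    def keyword(self) -> str:
        return LEVEL_KEYWORDS[self.level]


def split_flat_line(line: str) -> Optional[List[str]]:
    """Split a Kiwi flat-file line into its four fields without touching the
    Syslog message. 'ISO yyyy-mm-dd (Tab delimited)' uses tabs, 'Comma Separated
    Values UTC yyyy-mm-dd' uses commas; message text can itself contain commas
    (313001: "type=..., code=..."), so split at most three times."""
    line = line.rstrip("\r\n")
    delim = "\t" if "\t" in line else ","
    fields = line.split(delim, 3)
    return fields if len(fields) == 4 else None


def parse_flat_line(line: str) -> Optional[PixMessage]:
    """Return the parsed message, or None if Net Report could not treat the line."""
    fields = split_flat_line(line)
    if fields is None:
        return None
    collector_time, _priority, reporter, message = fields
    m = _MSG_RE.match(message.strip())
    if m is None:          # no Timestamp prefix, or no %PIX/%FWSM header
        return None
    return PixMessage(
        collector_time=collector_time.strip(), reporter=reporter.strip(),
        pix_time=m["ts"], device=m["device"], facility=m["facility"],
        level=int(m["level"]), msgid=int(m["msgid"]), text=m["text"].strip(),
    )


def parse_lines(lines) -> Tuple[List[PixMessage], List[str]]:
    """Parse many lines; rejected raw lines are returned separately for review."""
    parsed, rejected = [], []
    for line in lines:
        msg = parse_flat_line(line)
        if msg is None:
            rejected.append(line)
        else:
            parsed.append(msg)
    return parsed, rejected


# Constructed sample: the two examples from this guide (tab and CSV), a CSV line
# whose message text contains commas, and a line logged without "Include Timestamp".
SAMPLE_LINES = [
    "2005-02-02 17:59:46\tLocal4.Info\t192.168.1.1\tFeb 02 2005 09:52:40: %PIX-6-106015: "
    "Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside",
    "2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 192.168.1.1 : %PIX-6-302013: "
    "Built outbound TCP connection 8893 for outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 (192.168.0.84/2902)",
    "2005-02-15 08:07:00 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:05:00: %PIX-3-313001: "
    "Denied ICMP type=8, code=0 from 10.0.0.5 on interface outside",
    "2005-02-15 08:08:00 UTC,Local4.Info,192.168.1.1,%PIX-6-302014: Teardown TCP connection 8893 ...",
]

if __name__ == "__main__":
    ok, bad = parse_lines(SAMPLE_LINES)
    for m in ok:
        print(f"{m.pix_time}  {m.facility}-{m.msgid} level {m.level} ({m.keyword}): {m.text[:50]}")
    for line in bad:
        print("REJECTED (no Timestamp prefix?):", line[:60])
```

The rejected list is the check worth keeping in production: a sudden run of rejections after a PIX change usually means Include Timestamp was cleared, which this guide says breaks treatment entirely.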
1.4. Syslog Messages for Cisco PIX
Syslog Message Number | Default Error Message | Severity Level & Keyword
710006 | %PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address | 7 = debugging
* All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.
** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.
1.5. Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3
Syslog Message Number | Default Error Message | Severity Level & Keyword
106001 | %PIX-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name | 2 = critical
106002 | %PIX-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address | 2 = critical
106006 | %PIX-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name. | 2 = critical
106007 | %PIX-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}. | 2 = critical
106010 | %PIX-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port | 3 = error
106012 | %PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex. | 2 = critical
106013 | %PIX-2-106013: Dropping echo request from IP_address to PAT address IP_address | 2 = critical
106014 | %PIX-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec) | 3 = error
106015 | %PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name. | 6 = informational
106016 | %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name. | 2 = critical
106017 | %PIX-2-106017: Deny IP due to Land Attack from IP_address to IP_address | 2 = critical
106018 | %PIX-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address | 2 = critical
106020 | %PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address | 2 = critical
106021 | %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name | 1 = alert
106022 | %PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name | 1 = alert
106023 | %PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID | 4 = warning
302009 | %PIX-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port | 6 = informational
302013 | %PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)] | 6 = informational
302014 | %PIX-6-302014: Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)] | 6 = informational
302015 | %PIX-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)] | 6 = informational
302016 | %PIX-6-302016: Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)] | 6 = informational
313001 | %PIX-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_name | 3 = error
500003 | %PIX-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name | 5 = notification
500004 | %PIX-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port | 4 = warning
710003 | %PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service | 3 = error
710005 | %PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service | 7 = debugging
* All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.
** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.
1.6. Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3
Syslog Message Number | Default Error Message | Severity Level & Keyword
302020 | %FWSM-6-302020: Built {in|out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | icmp_type} laddr laddr | 6 = informational
313004 | %FWSM-4-313004: Denied ICMP type=icmp_type, from src_IP_address on interface intf_name to dest_IP_address: no matching session | 4 = warning
*All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.
** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.
*** FWSM: Firewall Services Module System
Section 2: Configuration Solution 1: Suppressing Syslog IDs
2.1. Introduction
Please follow the steps below to reduce the number of Syslog messages sent to the output location:
2.2: Launching Cisco PIX Device Manager 3.0.
2.3: Selecting Syslog Messages for Suppression.
2.4: Suppressing Syslog Messages that are not treated by Net Report.
2.5: Viewing Syslog Messages that were suppressed, via the Command Line Interface.
2.6: Including a Timestamp in Syslog Messages & Modifying Advanced Syslog Configuration.
2.7: Viewing Modifications Made to the Advanced Syslog Configuration via the Command Line Interface.
Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 2.6).
2.2. Launching Cisco PIX Device Manager 3.0
Steps
Use a PC connected to an inside port of the PIX Firewall and enter the URL https://192.168.1.1/pdm.html (substituting the inside address of your own firewall).
Either leave both the Username and Password boxes empty (if no password has been set) or enter your credentials.
Press Enter.
Accept the certificates, click Authorize.
Enter your Network Password. Click Yes. The Cisco PIX Device Manager 3.0 console appears.
Note: a PIX that accepts a PDM login with an empty password can be reconfigured by anyone who can reach that interface over HTTPS. Set an enable password and restrict PDM access to your management hosts before relying on the logging configuration described in the rest of this section.
2.3. Selecting Syslog Messages for Suppression
Solution 1 explains how to suppress those Syslog messages which are not treated by Net Report in order to reduce the volume of Syslog messages treated. The following steps therefore explain how to select the messages which Net Report does not treat and then how to suppress these messages.
Steps
Select Configuration> System Properties. The System Properties tab appears in the central pane.
Select Logging> Setup in the left Categories pane.
The Logging Setup parameters appear in the System Properties tab’s Logging Setup pane.
Select the Enable logging check box and choose View all Syslog IDs in the Syslog ID Table View drop-down list.
Select all the Syslog IDs in the Syslog ID list with the mouse. All the Syslog IDs will be highlighted.
Press Ctrl and click those Syslog IDs supported by Net Report to clear them (the rows cleared turn grey). Clear the following Syslog IDs, which are the ones listed in Sections 1.4 and 1.5: 106001, 106002, 106006, 106007, 106010, 106012, 106013, 106014, 106015, 106016, 106017, 106018, 106020, 106021, 106022, 106023, 302009, 302013, 302014, 302015, 302016, 313001, 500003, 500004, 710003, 710005, 710006. Every Syslog ID left selected here is suppressed in the next step, so check this list against Section 1.5 before continuing.
Note: the Syslog IDs listed above will return to grey when you clear their selection.
Click Edit. The Edit dialog box appears.
2.4. Suppressing Syslog Messages
Steps
The Syslog IDs you left selected in the Logging Setup pane (those not treated by Net Report) are listed in the Syslog ID(s) box. Check that none of the IDs cleared in Section 2.3 appears here.
Select the Suppress Message(s) check box.
Click OK. The Logging Setup tab appears.
Click Apply. The Status message appears.
Select View suppressed Syslog IDs only in the System Properties tab’s Syslog ID Table View drop-down list, to view the list of Syslog IDs you suppressed.
2.5. Viewing Syslog IDs Suppressed via the Command Line Interface
To view the Syslog IDs you suppressed via the Command Line Interface, please follow the steps below:
Steps
1. Select Tools> Command Line Interface… The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box. All the Syslog IDs you suppressed in the Logging Setup pane and Edit dialog box appear as follows: no logging message [SyslogID]
5. Click Close.
2.6. Including Timestamp & Modifying Advanced Syslog Configuration
To include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.
Steps
Select Configuration> System Properties, the System Properties tab appears.
Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.
Ensure the Include Timestamp check box is selected.
Note: the Cisco PIX device must be configured to include the Timestamp in the log packets sent to the Syslog server (the Net Report Syslog Agent). Alternatively, enter the corresponding configuration command: logging timestamp (or set logging timestamp enable).
Note: in Cisco PIX 4.3.x and later, you can prevent particular syslog messages from being sent, and you can timestamp the messages that are sent. With this setting, all messages are sent with timestamps.
Note: the Net Report Syslog Agent does not access, connect to or send anything on port 514. It works in the other direction: the Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send its log packets to the Syslog Agent. Check that your Cisco PIX Firewall configuration contains a rule that allows this.
Click Advanced… The Advanced Syslog Configuration dialog box appears.
Select the Enable Syslog Device ID check box.
Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.
Click OK.
Click Apply. The Status message appears.
2.7. Viewing The Advanced Syslog Configuration Modifications
Steps
1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box, notably “logging timestamp”.
Status: Configuration Solution 1 has been successfully accomplished. You have suppressed the Syslog IDs that Net Report does not treat and ensured that only those Syslog Messages which Net Report treats will be written in the flat file.
Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages’ Levels
Introduction
Solution 2 sets the severity level threshold in the Cisco PIX Device Manager 3.0 to Level 3 (error), which determines which Syslog messages are sent to the flat file for treatment by Net Report.
Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 3.3).
The level you specify (here level 3) causes the PIX Firewall to send only messages of that level or lower (levels 1-3) to the output location. For example, if you specify severity level 3 as the Severity Level Threshold, the PIX Firewall sends severity level 1, 2 and 3 messages to the output location. This limits the number of messages sent.
However, the Syslog messages treated by Net Report whose severity level is higher than the threshold you specified must have their level changed to that threshold, otherwise they are not sent to the output location. For example, a message treated by Net Report with Logging level 6 must be changed to Logging level 3.
Contents
The following tasks will be explained and must be followed in the following order:
3.1: Modifying the logging level of Syslog Messages treated by Net Report via the PIX Device Manager
3.2: Viewing the Syslog Messages’ Level Modifications via the Command Line Interface.
3.3: Modifying the Syslog Severity Level Threshold, Including the Timestamp and Firewall IP Address.
3.4: Viewing the Severity Level Threshold, Timestamp and Advanced Syslog Configuration Modifications via the Command Line Interface.
3.1. Modifying Net Report Treated Messages’ Level via PIX Device Manager
To change the level of the messages Net Report treats that are currently Level 4-7 to Level 3, please follow the steps below:
Steps
Select Configuration> System Properties. The System Properties tab appears.
Select Logging> Logging Setup in the left Categories pane. The Logging Setup pane appears.
Select View all syslog IDs in the Syslog ID Table View drop-down list.
Select the Syslog IDs for those Syslog Messages treated by Net Report with levels 4-7 in the Syslog list: 106015, 106023, 302009, 302013, 302014, 302015, 302016, 500003, 500004, 710005, 710006.
Note that the Syslog IDs selected will appear highlighted in white.
Click Edit. The Edit dialog box appears. Note the Syslog IDs you selected in the previous Logging Setup pane appear in the Syslog ID(s) field.
Select Errors in the Logging Level drop-down list.
Click OK. The Logging Setup pane reappears.
Click Apply. The Status message appears.
3.2. Viewing The Syslog Messages’ Level Modifications
Steps
1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box. A line of the form logging message [SyslogID] level errors for each ID indicates that the level of those Syslog Messages treated by Net Report with level 4 – 7 has been successfully changed to level 3 – “errors”.
3.3. Modifying Syslog Severity Level Threshold, Including Timestamp & IP
To change the Syslog Severity Level Threshold from the default Debugging level to level 3 (error), and to include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.
Steps
Select Configuration> System Properties. The System Properties tab appears.
Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.
Select Errors in the Level drop-down list.
Ensure the Include Timestamp check box is selected.
Note: the Cisco PIX device must be configured to include the timestamp in the log packets it sends to the Syslog server (the Net Report Syslog Agent). Alternatively, enter the corresponding configuration command at the command line: logging timestamp (or set logging timestamp enable).
Note: in Cisco PIX 4.3.x and later, you can prevent particular syslog messages from being sent, and you can timestamp the messages that are sent. With this setting, all messages are sent with timestamps.
Note: the Net Report Syslog Agent does not access, connect to or send anything on port 514. It works in the other direction: the Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send its log packets to the Syslog Agent. Check that your Cisco PIX Firewall configuration contains a rule that allows this.
Click Advanced… The Advanced Syslog Configuration dialog box appears.
Select the Enable Syslog Device ID check box.
Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.
Click OK.
Click Apply. The Status message appears.
3.4. Viewing The Severity Threshold & Timestamp Modifications
Steps
1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.
2. Enter the following Command in the Command field: show running-config
3. Click Send.
4. Note the Response in the lower half of the Command Line Interface dialog box, notably “logging timestamp” and “logging trap errors”.
Status: Configuration Solution 2 has been successfully accomplished!
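The verification steps in 3.2 and 3.4 read the show running-config response by eye. The script below, added here as an example and not part of the Net Report guide or of Cisco's tooling, performs the same checks on a captured response: it looks for logging timestamp, for logging trap errors, for a logging message [SyslogID] level errors line for each of the eleven IDs of Section 3.1, and for any no logging message line left over from Solution 1 that would suppress one of those IDs. The running-config excerpt is constructed, and its logging device-id line is an assumption about the command the Advanced Syslog Configuration dialog writes.

```python
"""Audit a `show running-config` response for the Solution 2 logging settings."""
import re

# Section 3.1: Net Report treated messages whose default level is 4-7
RELEVELLED_IDS = frozenset({
    "106015", "106023", "302009", "302013", "302014", "302015",
    "302016", "500003", "500004", "710005", "710006",
})

# Constructed sample response: 710006 was never re-levelled and 106015 is
# still suppressed by a Solution 1 "no logging message" line.
# The "logging device-id" syntax is assumed, not taken from the guide.
SAMPLE_RUNNING_CONFIG = """\
: Saved
PIX Version 6.3(3)
logging on
logging timestamp
logging trap errors
logging device-id ipaddress inside
no logging message 106015
logging message 106023 level errors
logging message 302009 level errors
logging message 302013 level errors
logging message 302014 level errors
logging message 302015 level errors
logging message 302016 level errors
logging message 500003 level errors
logging message 500004 level errors
logging message 710005 level errors
logging host inside 10.1.1.50
"""

LOGGING_MESSAGE_RE = re.compile(r"^logging message (\d{6}) level (\S+)$")
NO_LOGGING_MESSAGE_RE = re.compile(r"^no logging message (\d{6})$")
LOGGING_TRAP_RE = re.compile(r"^logging trap (\S+)$")


def audit_solution2(config_text, expected_ids=RELEVELLED_IDS):
    """Return the Solution 2 findings as a dict; 'ok' is True only if every check passes."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    relevelled, suppressed, trap_level = {}, set(), None
    for ln in lines:
        m = LOGGING_MESSAGE_RE.match(ln)
        if m:
            relevelled[m.group(1)] = m.group(2)      # id -> configured level name
            continue
        m = NO_LOGGING_MESSAGE_RE.match(ln)
        if m:
            suppressed.add(m.group(1))               # Solution 1 style suppression
            continue
        m = LOGGING_TRAP_RE.match(ln)
        if m:
            trap_level = m.group(1)                  # severity threshold (Section 3.3)
    findings = {
        "timestamp": "logging timestamp" in lines,
        "device_id": any(ln.startswith("logging device-id") for ln in lines),  # assumed syntax
        "trap_level": trap_level,
        # treated IDs that would still be filtered out: not re-levelled to errors, or suppressed
        "missing_relevel": sorted(
            i for i in expected_ids if relevelled.get(i) != "errors" or i in suppressed),
        "suppressed_treated": sorted(expected_ids & suppressed),
    }
    findings["ok"] = (findings["timestamp"] and findings["device_id"]
                      and findings["trap_level"] == "errors"
                      and not findings["missing_relevel"])
    return findings


if __name__ == "__main__":
    for key, value in audit_solution2(SAMPLE_RUNNING_CONFIG).items():
        print(f"{key:>20}: {value}")
```

Paste the text of the Response pane into a file and pass its contents to audit_solution2 to repeat the check on a real device.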
Appendices
This Lexicon comprises the following two sections:
Appendix A: The list of error messages treated by Net Report for Cisco PIX versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2 and 2.3.
Appendix B: The list of error messages treated by Net Report that concern only Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2 and 2.3.
Appendix A
A.1 Introduction
The messages shown in this Lexicon apply to Cisco PIX Firewall Versions 6.2 and 6.3 and higher and to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3. Please note that the Explanations given below follow the official explanations given by Cisco Systems. Those Error Messages which are specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 are explained in the second section of the Lexicon (Appendix B).
A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and 6.3
710006
Error Message
%PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address
Explanation
This message appears when the firewall does not have an IP server that services the IP protocol request; for example, the firewall receives IP packets that are not TCP or UDP, and the firewall cannot service the request.
Recommended Action
In networks that heavily use multicasting, the frequency of this message can be high. If this message appears in an excessive number, it may indicate an attack.
A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and 2.3
106001
Error Message
%PIX-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name
Explanation
This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The tcp_flags in this packet were FIN and ACK.
The tcp_flags are as follows:
ACK – The acknowledgement number was received.
FIN – Data was sent.
PSH – The receiver passed data to the application.
RST – The connection was reset.
SYN – Sequence numbers were synchronized to start a connection.
URG – The urgent pointer was declared valid.
106002
Error Message
%PIX-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address
Explanation
This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable can be ICMP, TCP or UDP.
Recommended Action
Use the show outbound command to check outbound lists.
106006
Error Message
%PIX-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
Explanation
This is a connection-related message. This message is logged if an inbound UDP packet is denied by your security policy.
106007
Error Message
%PIX-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.
Explanation
This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied.
Recommended Action
If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most probable cause is that a DNS server was too slow to respond and the query was answered by another server.
106010
Error Message
%PIX-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port
Explanation
This is a connection-related message. This message is logged if an inbound connection is denied by your security policy.
Recommended Action
Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.
106012
Error Message
%PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex.
Explanation
This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.
Recommended Action
Contact the remote host system administrator to determine the problem. Check the local site for loose source or strict source routing.
106013
Error Message
%PIX-2-106013: Dropping echo request from IP_address to PAT address IP_address
Explanation
This message is logged when the firewall discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet cannot specify which PAT host should receive the packet.
106014
Error Message
%PIX-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)
Explanation
This message is logged when the firewall denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.
106015
Error Message
%PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.
Explanation
This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit’s connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.
Recommended Action
None required, unless the firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.
106016
Error Message
%PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.
Explanation
This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:
Loopback network (127.0.0.0)
Broadcast (limited, net-directed, subnet-directed, and all subnets-directed)
The destination hosts (land.c)
If the sysopt connection enforcesubnet command is enabled, the PIX Firewall prevents packets with a source address belonging to the destination subnet from traversing the firewall, discards them and logs this message.
To enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.
Recommended Action
Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.
106017
Error Message
%PIX-2-106017: Deny IP due to Land Attack from IP_address to IP_address
Explanation
This message appears when the firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.
Recommended Action
If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.
106018
Error Message
%PIX-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address
Explanation
This message is logged because the outgoing ICMP packet with type ICMP_type from local host inside_address to foreign host outside_address is denied by outbound list acl_ID.
106020
Error Message
%PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address
Explanation
The firewall discarded an IP packet with teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the firewall or an Intrusion Detection System.
Recommended Action
Contact the remote peer administrator or escalate this issue according to your security policy.
106021
Error Message
%PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name
Explanation
Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.
Recommended Action
This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the firewall checks packets arriving from the outside.
The firewall looks up a route based on the source_address. If an entry is not found and a route is not defined, then this Syslog message appears and the connection is dropped.
If there is a route, the firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The firewall does not support asymmetric routing.
If configured on an internal interface, the firewall checks static route command statements or RIP and if the source_address is not found, then an internal user is spoofing their address.
An attack is in progress. With this feature enabled, no user action is required. The firewall repels the attack.
106022
Error Message
%PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name
Explanation
This message only appears if a connection exists and a packet matching the connection arrives on a different interface than the interface the connection began on. For example, if a user starts a connection on the inside interface, but the firewall detects the same connection arriving on a perimeter interface, the firewall has more than one path to a destination. This is known as asymmetric routing and is not supported on the firewall.
Alternatively, an attacker is attempting to append packets from one connection to another as a means of breaking into the firewall. In either case, the firewall displays this message and drops the connection.
Recommended Action
This message appears when the ip verify reverse-path command is not configured. Ensure routing is not asymmetric.
106023
Error Message
%PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID
Explanation
An IP packet was denied by the ACL. This message will be displayed even if you do not have the log option enabled for an ACL.
Recommended Action
If messages persist from the same source address, then the messages could indicate a footprinting or port scanning attempt. Contact the remote host administrators.
302009
Error Message
%PIX-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port
Explanation
This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other PIX Firewall. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address “behind” the PIX Firewall on the higher security level interface.
302013
Error Message
%PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]
Explanation
A TCP connection slot between two hosts was created.
Where:
connection number is a unique identifier.
interface, real_address, real_port identify the actual sockets.
mapped_address, mapped_port identify the mapped sockets.
user is the AAA name of the user.
If inbound is specified, then the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection was initiated from the inside.
302014
Error Message
%PIX-6-302014: Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)]
Explanation
A TCP connection between two hosts was deleted.
Where:
connection number is a unique identifier.
interface, real_address, real_port identify the actual sockets.
time is the lifetime of the connection
bytes number is the data transfer of the connection
user is the AAA name of the user
The reason variable presents the action that caused the connection to terminate. It is one of the TCP termination reasons listed below:
Reset-I – Reset was from the inside.
Reset-O – Reset was from the outside.
TCP FINs – Normal close down sequence.
FIN Timeout – Forced termination after 15 seconds awaiting the last ACK.
SYN Timeout – Forced termination after two minutes awaiting three-way handshake completion.
Xlate Clear – Command-line removal.
Deny – Terminated by application inspection.
SYN Control – Back channel initiation from the wrong side.
Uauth Deny – Denied by URL filter.
Unknown – Catch-all error.
Conn-timeout – Connection was torn down because it was idle longer than the configured idle timeout.
302015
Error Message
%PIX-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]
Explanation
A UDP connection slot between two hosts is created. See the following descriptions:
- connection number – a unique identifier.
- interface, real_address, real_port – The actual sockets.
- mapped_address and mapped_port – The mapped sockets.
- user – The AAA name of the user.
If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.
302016
Error Message
%PIX-6-302016: Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)]
Explanation
A UDP connection slot between two hosts was deleted.
Where:
connection number is a unique identifier.
interface, real_address, real_port identify the actual sockets.
time is the lifetime of the connection.
bytes number is the data transfer of the connection.
user is the AAA name of the user.
313001
Error Message
%PIX-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_name
Explanation
When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the firewall discards the ICMP packet and generates this Syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the firewall cannot be detected on the network. This feature is also referred to as configurable proxy pinging.
Recommended Action
Contact the administrator of the peer device.
500003
Error Message
%PIX-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name
Explanation
This message indicates that a header length in TCP is incorrect. Some operating systems do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled socket. If a client tries to connect to an FTP server outside the PIX Firewall and FTP is not listening, then the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes this problem. UDP uses ICMP port unreachable messages.
500004
Error Message
%PIX-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port
Explanation
This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.
710003
Error Message
%PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service
Explanation
This message appears when the firewall denies an attempt to connect to the interface service. For example, this message appears (with the service snmp) when the firewall receives an SNMP request from an unauthorized SNMP management station.
Recommended Action
Use the show http, show ssh, or show telnet command to verify that the firewall is configured to permit the service access from the host or network. If this message appears frequently, it can indicate an attack.
710005
Error Message
%PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service
Explanation
This message appears when the firewall does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the firewall. In addition, this message appears (with the service snmp) when the firewall receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is not snmp, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.
Recommended Action
In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this message can be high. If this message appears in an excessive number, it may indicate an attack.
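The %PIX-<level>-<ID> headers in this appendix give each treated message its default severity, which is what Section 3 works from. The script below, added here as an example and not code from the Net Report guide or from Cisco, parses PIX and FWSM syslog lines by that header, flags whether the ID is one Net Report treats, derives from the appendix table which treated IDs sit above the level 3 threshold (the list Section 3.1 asks you to re-level), and counts 106023 ACL denies per source address as the Recommended Action for that message suggests. The sample log lines are constructed, and the timestamp / device-ID prefix in them is assumed: the parser relies only on the %PIX-n-nnnnnn: token.

```python
"""Parse Cisco PIX / FWSM syslog lines and relate them to the Appendix A/B message table."""
import re
from collections import Counter

# Default severity per treated message ID, taken from the %PIX-<level>-<id> headers
# in Appendix A (PIX) and the %FWSM-<level>-<id> headers in Appendix B (FWSM).
TREATED_PIX = {
    "106001": 2, "106002": 2, "106006": 2, "106007": 2, "106010": 3,
    "106012": 2, "106013": 2, "106014": 3, "106015": 6, "106016": 2,
    "106017": 2, "106018": 2, "106020": 2, "106021": 1, "106022": 1,
    "106023": 4, "302009": 6, "302013": 6, "302014": 6, "302015": 6,
    "302016": 6, "313001": 3, "500003": 5, "500004": 4, "710003": 3,
    "710005": 7, "710006": 7,
}
TREATED_FWSM = {"302020": 6, "313004": 4}

THRESHOLD_ERRORS = 3  # "logging trap errors" (Section 3.3)

HEADER_RE = re.compile(
    r"%(?P<platform>PIX|FWSM)-(?P<level>[0-7])-(?P<id>\d{6}):\s*(?P<text>.*)$")

# Field layout of 106023 as given in Appendix A:
#   Deny protocol src if:addr/port dst if:addr/port [type {string}, code {code}] by access_group acl_ID
DENY_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>[^/\s]+)(?:/(?P<sport>\d+))?"
    r" dst (?P<dst_if>[^:\s]+):(?P<dst>[^/\s]+)(?:/(?P<dport>\d+))?"
    r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?"
    r' by access-group "?(?P<acl>[^"]+)"?')

# Constructed sample lines; the "Mar 02 2004 ... 10.1.1.1 :" prefix is an assumed
# timestamp + device-ID layout. 305011 is a real PIX ID that Net Report does not treat.
SAMPLE_LINES = [
    'Mar 02 2004 10:15:01 10.1.1.1 : %PIX-4-106023: Deny tcp src outside:203.0.113.9/40123 '
    'dst inside:10.1.1.20/23 by access-group "acl_out"',
    'Mar 02 2004 10:15:02 10.1.1.1 : %PIX-4-106023: Deny tcp src outside:203.0.113.9/40124 '
    'dst inside:10.1.1.20/22 by access-group "acl_out"',
    'Mar 02 2004 10:15:03 10.1.1.1 : %PIX-6-302013: Built outbound TCP connection 12 for '
    'outside:198.51.100.5/80 (198.51.100.5/80) to inside:10.1.1.20/3456 (192.0.2.7/1025)',
    'Mar 02 2004 10:15:04 10.1.1.1 : %PIX-6-305011: Built dynamic TCP translation from '
    'inside:10.1.1.20/3456 to outside:192.0.2.7/1025',
    'Mar 02 2004 10:15:05 10.1.1.1 : %FWSM-4-313004: Denied ICMP type=0, from 198.51.100.5 '
    'on interface outside to 10.1.1.20: no matching session',
]


def parse_syslog_line(line):
    """Split a syslog line into platform, severity, message ID and text; None if no header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    table = TREATED_PIX if m["platform"] == "PIX" else TREATED_FWSM
    msg = {"platform": m["platform"], "level": int(m["level"]),
           "id": m["id"], "text": m["text"]}
    msg["treated"] = msg["id"] in table          # does Net Report treat this ID?
    return msg


def ids_needing_relevel(table=TREATED_PIX, threshold=THRESHOLD_ERRORS):
    """IDs whose documented default level is above the threshold: the Section 3.1 list."""
    return sorted(i for i, lvl in table.items() if lvl > threshold)


def forwarded_at_threshold(msg, threshold=THRESHOLD_ERRORS, relevelled=()):
    """Would a PIX with this severity threshold forward the message?

    relevelled: IDs the administrator re-levelled to the threshold (Section 3.1);
    they count as sitting at the threshold level instead of their default level.
    """
    level = threshold if msg["id"] in relevelled else msg["level"]
    return level <= threshold


def denies_by_source(lines):
    """Count 106023 ACL denies per source address (persistent denies from one
    source are what the 106023 Recommended Action tells you to look for)."""
    counts = Counter()
    for line in lines:
        msg = parse_syslog_line(line)
        if msg and msg["id"] == "106023":
            fields = DENY_RE.match(msg["text"])
            if fields:
                counts[fields["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("re-level these IDs for Solution 2:", ids_needing_relevel())
    print("106023 denies per source:", denies_by_source(SAMPLE_LINES))
    for line in SAMPLE_LINES:
        msg = parse_syslog_line(line)
        print(msg["platform"], msg["level"], msg["id"], "treated" if msg["treated"] else "ignored")
```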
Appendix B
B.1 Introduction
Please note the Error Messages which are specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 below.
B.2 Error Messages Specific to Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 & 2.3
302020
Error Message
%FWSM-6-302020: Built {in|out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | icmp_type} laddr laddr
Explanation
An ICMP session was established in fast-path when stateful ICMP is enabled using the fixup protocol icmp command.
313004
Error Message
%FWSM-4-313004: Denied ICMP type=icmp_type, from src_IP_address on interface intf_name to dest_IP_address: no matching session
Explanation
ICMP packets were dropped by the FWSM because of the security checks added by the stateful ICMP feature. These are usually either ICMP echo replies without a valid echo request that already passed across the firewall, or ICMP error messages not related to any TCP, UDP or ICMP session already established in the FWSM.
Contacting Net Report
For Technical Support, please contact us:
By e-mail at: [email protected]
By Telephone on: +33 (0)46 784 4800
By Fax on: +33 (0)46 784 4811
By post at: Net Report Headquarters,
130 rue Baptistou,
ZAE Nord,
34980 Saint Gély du Fesc,
FRANCE
For Sales Enquiries, please contact us:
By e-mail at: [email protected]
By Telephone on: +33 (0)1 46 84 15 66
By post at: Net Report Sales Offices,
Allasso France,
Immeuble Europe Avenue,
3ème et 4 ème étage (Reception),
62 Bis av André Morizet,
92 643 Boulogne-Billancourt Cedex,
FRANCE