topic Re: Active/Active traffic log. in General Topics

Active/Active traffic log.

KiCheon.Lee — Thu, 12 Dec 2013 10:26:22 GMT

Hello

I knew session owner generate traffic log.

Does session setup device generated traffic log If a session is denied L4 processing before L7 processing???

Network Diagram

Router#1(Power-OFF) ------ Router#2(Power ON)

| |

FW#1 FW#2

| |

BB#1 BB#2

*Router#1 has problem. So It is power-off status.

FW configuration

Session owner : first-packet

Session setup : ip-modulo

rule01 on security rule : source zone = untrust , source IP = any , destination zone = trust , destination IP = 192.168.1.1 , service = any , application = any , action = deny.

If rule01 actions is allow, there are rule01 traffic logs in only FW#2 because is session owner. Of course, session setup is load-sharing between FW#1 and FW#2.

But rule01 action is deny and I have seen there are denied traffic logs in all FWs. So I think session setup device can generate traffic logs.

Is it TRUE?? Please anybody know me!

Summary.

Some traffics go to FW#1 through FW#2 and across HA3 Link for session setup.

Another traffics stay FW#2 for session setup.

But these traffics are denied by rule01 during L4 processing before L7 processing.

So There are denied traffic logs in all FWs.

Thanks.

Re: Active/Active traffic log.

tasonibare — Sat, 14 Dec 2013 19:25:43 GMT

Cheon,

Logging on both devices in A/A when traffic is denied due to L4 to L7 processing is expected behavior.

Here's a simple flow of events to help you understand the logic behind this behavior:

1. First packet comes in on Primary device for instance. Primary is session owner (First packet) and Secondary is chosen for setup (IP modulo)

2. Secondary sets up the session (L1-L3) while Primary does the L4-L7 processing

3. At this point, this same session is represented by unique session IDs, one on the Primary and another on the Secondary

4. If the Primary device decides to discard the session based on its L4-L7 processing, then both session IDs on both devices need to be in the DISCARD state

5. After these discard sessions time out, each device needs to log the action of its respective session in its traffic logs

Note that the logic is a little different if the security policy permits the traffic.

In this case, only session owner logs the traffic because it's the device that is "responsible" for the session and its traffic.

When the policy is deny, no traffic really goes through the pair and so both devices have to log why neither of them allowed the session to live.

Regards,

tasonibare

Re: Active/Active traffic log.

KiCheon.Lee — Mon, 16 Dec 2013 01:42:25 GMT

Thanks, taonibare.

I have more questions.

1. When primary device receives first packet, primary device copy first packet then send it to secondary device on HA3 link. Right?

2. I know until now that session owner is only L7 processing and session setup is L1 ~ L4 processing. Do I know incorrect it?

3. There are denied traffic log in both devices. It is same session ID. Right?

Regards,

KC Lee

Re: Active/Active traffic log.

cstancill — Mon, 16 Dec 2013 08:10:06 GMT

Cheon,

1. That is correct, provided packet forwarding is enabled.

2. This is correct as well.

3. Unfortunately, the actual session ID will be different for each firewall.

Craig

Re: Active/Active traffic log.

KiCheon.Lee — Wed, 18 Dec 2013 07:34:31 GMT

Thanks cstancill,

Each device(primary and secondary) has different denied log not same log.

For example, Primary device has 'A' session denied log but secondary device doesn't have it.

Secondary device has 'B' session denied log but primary device doesn't.

I think that only session setup device has denied log.

What do you think it?

Regards,

Cheon

Re: Active/Active traffic log.

cstancill — Fri, 27 Dec 2013 11:50:50 GMT

Cheon,

Sorry for the delayed response. For denied logs, you are correct.

Craig