Non logging issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Non logging issue

Not applicable

OK a little background first I'm running 4.1 on a 5050 pair in A/P.  I have a server that is trying to do 80 and 443 out to a specific address and we have some logging wierdness going on.  If we don't have a rule in place allowing the traffic it will not show up with a log entry.  If I do a packet capture I see it in the receive stage but not any other stage.  At the very least I would expect to see it in the drop stage, also, it isn't showing up in any of the logs or being sent to our syslog server.  If I have a rule in place allowing the traffic it will show up in the logs.  I have verified that my any,any,deny at the end of the ruleset is logging at both the start and end of the session and I'm still not seeing anything.  We are using the Anti-Spyware and Vulnerability protection but it currently is only setup in alert mode so it shouldn't be blocking.  Also, I have tried connecting with different ports just to make sure it wasn't a specific application issue and that has no effect.

Any help is appreciated.

Kris

31 REPLIES 31

Are you seeing incomplete traffic associated to another rule?

I was seeing incompletes in the logs with the connection before the distant end opened it up.  I'm currently seeing it from another client IP here that I know the other end has yet to add to their firewalls.

are you seeing sessions for the traffic in the session tables?

>debug log-receiver statistics

what's your output

Yes I am, they show up as below(IPs sanitized).

1245412 undecided  ACTIVE  FLOW   144.100.71.22[60373]/ProdApp/6  ("SRC IP"[60373])
vsys2                                 "DST IP"[8005]/Deep Dark Woods  (8.8.8.8[8005])

Logging statistics

------------------------------ -----------

Log incoming rate:             195/sec

Log written rate:              195/sec

Corrupted packets:             0

Corrupted URL packets:         0

Logs discarded (queue full):   0

Traffic logs written:          336744

URL logs written:              0

Anti-virus logs written:       0

Spyware logs written:          0

Attack logs written:           0

Vulnerability logs written:    543

Fileext logs written:          0

URL cache age out count:       0

URL cache full count:          0

Traffic alarms dropped due to sysd write failures: 0

Traffic alarms dropped due to global rate limiting: 0

Traffic alarms dropped due to each source rate limiting: 0

Traffic alarms generated count:  0

Log Forward in queue count:    0

Log Forward count:             337287

Log Forward discarded (queue full) count: 0

Log Forward discarded (send error) count: 0

what is the output for  show session id 1245412

Session         1245412

        c2s flow:

                source:      SRC IP[ProdApp]

                dst:         DST IP

                proto:       6

                sport:       60373           dport:      8005

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:     DST IP [Deep Dark Woods]

                dst:         SRC IP

                proto:       6

                sport:       8005            dport:      60373

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                    : Tue Jun 18 12:20:19 2013

        timeout                       : 5 sec

        total byte count(c2s)         : 0

        total byte count(s2c)         : 0

        layer7 packet count(c2s)      : 1

        layer7 packet count(s2c)      : 0

        vsys                          : vsys2

        application                   : incomplete

        rule                          : 146

        session to be logged at end   : False

        session in session ager       : False

        session synced from HA peer   : False

        layer7 processing             : enabled

        URL filtering enabled         : False

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : False

        captive portal session        : False

        ingress interface             : ethernet1/4

        egress interface              : ethernet1/15

        session QoS rule              : N/A (class 4)

from the configure prompt what is the output for show rulebase security rules 146

for log-start, log-end and log-setting

  log-start yes;

  log-end no;

  log-setting brinkman-logging;

OK, I think I may have found what was biting me on this one.  That 146 rule is a generic rule to allow that subnet ping to anywhere.  I had the application as icmp but the service was any instead of application-default.  I just changed it to application-default and reloaded the rulebase.  Now it shows up as being denied by the explicit deny rule.  I'm still trying to understand why it wouldn't log when it saw the SYN though.

  log-end no;

it was getting associated to a rule that would not report the end of the session

Wouldn't the log-start yes cause it to log the SYN packet though.

if there is a syn and there is a allow rule for that yes you should see a log.

try to change icmp so that you should see a log.

I changed the ICMP rule service to application-default and now I get an allow log entry if I ping out and I get a deny by the explicit deny if I do something else.  Before though the traffic would get caught by this rule I'm assuming because the any service allowed all protocols not just the ICMP but why wasn't it showing a log entry of some sort when it allowed it.

I can't give an authoritative answer as to why, but the log at start does not appear to be invoked until the session establishes. With log at end set to no, it would not have shown up as an incomplete either.

Was rule 146 created at the command line by any chance?

  • 7265 Views
  • 31 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!