Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-18-2013 07:09 AM
OK a little background first I'm running 4.1 on a 5050 pair in A/P. I have a server that is trying to do 80 and 443 out to a specific address and we have some logging wierdness going on. If we don't have a rule in place allowing the traffic it will not show up with a log entry. If I do a packet capture I see it in the receive stage but not any other stage. At the very least I would expect to see it in the drop stage, also, it isn't showing up in any of the logs or being sent to our syslog server. If I have a rule in place allowing the traffic it will show up in the logs. I have verified that my any,any,deny at the end of the ruleset is logging at both the start and end of the session and I'm still not seeing anything. We are using the Anti-Spyware and Vulnerability protection but it currently is only setup in alert mode so it shouldn't be blocking. Also, I have tried connecting with different ports just to make sure it wasn't a specific application issue and that has no effect.
Any help is appreciated.
Kris
06-18-2013 10:11 AM
Are you seeing incomplete traffic associated to another rule?
06-18-2013 10:14 AM
I was seeing incompletes in the logs with the connection before the distant end opened it up. I'm currently seeing it from another client IP here that I know the other end has yet to add to their firewalls.
06-18-2013 10:16 AM
are you seeing sessions for the traffic in the session tables?
06-18-2013 10:27 AM
>debug log-receiver statistics
what's your output
06-18-2013 10:27 AM
Yes I am, they show up as below(IPs sanitized).
| 1245412 undecided | ACTIVE FLOW 144.100.71.22[60373]/ProdApp/6 ("SRC IP"[60373]) |
| vsys2 | "DST IP"[8005]/Deep Dark Woods (8.8.8.8[8005]) |
06-18-2013 10:32 AM
Logging statistics
------------------------------ -----------
Log incoming rate: 195/sec
Log written rate: 195/sec
Corrupted packets: 0
Corrupted URL packets: 0
Logs discarded (queue full): 0
Traffic logs written: 336744
URL logs written: 0
Anti-virus logs written: 0
Spyware logs written: 0
Attack logs written: 0
Vulnerability logs written: 543
Fileext logs written: 0
URL cache age out count: 0
URL cache full count: 0
Traffic alarms dropped due to sysd write failures: 0
Traffic alarms dropped due to global rate limiting: 0
Traffic alarms dropped due to each source rate limiting: 0
Traffic alarms generated count: 0
Log Forward in queue count: 0
Log Forward count: 337287
Log Forward discarded (queue full) count: 0
Log Forward discarded (send error) count: 0
06-18-2013 10:33 AM
what is the output for show session id 1245412
06-18-2013 10:36 AM
Session 1245412
c2s flow:
source: SRC IP[ProdApp]
dst: DST IP
proto: 6
sport: 60373 dport: 8005
state: INIT type: FLOW
src user: unknown
dst user: unknown
s2c flow:
source: DST IP [Deep Dark Woods]
dst: SRC IP
proto: 6
sport: 8005 dport: 60373
state: INIT type: FLOW
src user: unknown
dst user: unknown
start time : Tue Jun 18 12:20:19 2013
timeout : 5 sec
total byte count(c2s) : 0
total byte count(s2c) : 0
layer7 packet count(c2s) : 1
layer7 packet count(s2c) : 0
vsys : vsys2
application : incomplete
rule : 146
session to be logged at end : False
session in session ager : False
session synced from HA peer : False
layer7 processing : enabled
URL filtering enabled : False
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
captive portal session : False
ingress interface : ethernet1/4
egress interface : ethernet1/15
session QoS rule : N/A (class 4)
06-18-2013 10:42 AM
from the configure prompt what is the output for show rulebase security rules 146
for log-start, log-end and log-setting
06-18-2013 10:51 AM
log-start yes;
log-end no;
log-setting brinkman-logging;
OK, I think I may have found what was biting me on this one. That 146 rule is a generic rule to allow that subnet ping to anywhere. I had the application as icmp but the service was any instead of application-default. I just changed it to application-default and reloaded the rulebase. Now it shows up as being denied by the explicit deny rule. I'm still trying to understand why it wouldn't log when it saw the SYN though.
06-18-2013 10:55 AM
log-end no;
it was getting associated to a rule that would not report the end of the session
06-18-2013 11:02 AM
Wouldn't the log-start yes cause it to log the SYN packet though.
06-18-2013 11:33 AM
if there is a syn and there is a allow rule for that yes you should see a log.
try to change icmp so that you should see a log.
06-18-2013 11:43 AM
I changed the ICMP rule service to application-default and now I get an allow log entry if I ping out and I get a deny by the explicit deny if I do something else. Before though the traffic would get caught by this rule I'm assuming because the any service allowed all protocols not just the ICMP but why wasn't it showing a log entry of some sort when it allowed it.
06-18-2013 01:06 PM
I can't give an authoritative answer as to why, but the log at start does not appear to be invoked until the session establishes. With log at end set to no, it would not have shown up as an incomplete either.
Was rule 146 created at the command line by any chance?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
