Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Re: Appropriate PIX logging level
From: Tichomir Kotek <tichomir.kotek () lynx sk>
Date: Fri, 05 May 2006 09:40:21 +0200

Paul Melson wrote:
-----Original Message-----
Subject: Re: [fw-wiz] Appropriate PIX logging level

David Lang wrote:
I was actually just starting to look into this, I'm being blasted by 
the messages from the pix when it rejects a broadcast packet (I'm 
getting 43,000 log entries per day based on the firewalls rejecting 
each server that's in a HA configuration and useing broadcast udp 
packets for their heartbeat, that adds up to a LOT of log entries when 
there are several dozen such clusters)

If what you need is for the PIX to handle but not log certain policy events,
use 'log disable' in your ACLs:

access-list acl_inside deny udp any 10.0.255.255 eq 694 log disable

this actually will not work *when* 10.0.255.255 is ip broadcast for
inside IP address. You will get zero ACL hit and 710005 message telling
that something aimed to inside intf is dropped. (tested on 6.3 with
udp/137-138 broadcasts)

tk

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault