Re: Pix info - audit info and logging and general

From: Travis Pugh (tdp@discombobulated.net)
Date: Wed Nov 28 2001 - 11:33:43 EST


"fingers" <fingers@fingers.co.za> wrote:

> Hi all
>
> I wonder if someone could assist me. I've done a fair amount of rtfm'ing
> on CCO, but can't seem to find what I'm looking for.
>
> 1) I'm wanting to enable logging for auditing purposes. Not just talking
> about acl drops, but actual audit info that can be used at a later stage
> if there's any queries wrt what, let's say, ip a.b.c.d did to ip e.f.g.h.
> I've found various log levels in the pix docs, but can't seem to find a
> way for full audit logging. Yes, I do understand there's a fair bit of a
> performance impact doing something like this.

Not sure what you're looking for exactly here ... the PIX is only going to
log a certain amount of info about anything. If you want info about what
a.b.c.d did to ip e.f.g.h, and it's going over something that's allowed in
your ACLs, you'd need close to debug level logging ...

I'm logging informational on a couple of pixen, and get things like:
304001: xxx.xxx.xxx.xx Accessed URL
xxx.xxx.xxx.xx:/GMES/get.html?target=GMR&z=136037049

>
> 2) any general firewall/pix specific url's, lists etc. where I could
> scrounge up some howto's etc. I've got a few off CCO but their topics
> don't cover that wide a scope of issues.

In specific reference to log analysis, I've not found anything useful on CCO
(no, I don't use firewall manager, as I don't run NT).

I've been looking at several of the tools at
http://www.counterpane.com/log-analysis.html and many of them are capable
of grinding PIX logs and creating audit-style information. However,
depending on the level of detail you're looking for, it might be easier to
put a box running snort outside your firewall and grab all the packets on
the wire for further analysis.

-travis

>
> Thanks in advance
>
> --Rob
>
>

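The kind of grinding Travis describes, turned into a small worked example. This is added code for this archive page, not code from the original posters, from Cisco, or from any of the Counterpane-listed tools. It assumes the usual syslog form with a "%PIX-<severity>-<msgid>: <text>" body, takes the 304001 "Accessed URL" text layout from the line quoted in the reply, and uses a 106023 ACL-deny line whose layout I have reproduced from memory as an assumption; the sample log lines are constructed, not captured traffic. It indexes URL accesses per source/destination pair so you can answer "what did a.b.c.d do to e.f.g.h", and it also models the "logging trap" severity cutoff, which shows why dropping below notifications loses the audit trail entirely.

```python
"""Grind PIX syslog output into per-host-pair audit records.

Added example for this thread, not code from the original post or from Cisco.
Assumed formats: "%PIX-<severity>-<msgid>: <text>" syslog bodies, and the
304001 text "<src> Accessed URL <dst>:<url>" as quoted in the reply.
The sample lines below are constructed, not real traffic.
"""
import re
from collections import defaultdict

# Syslog severities as the PIX uses them: lowest number is most severe.
# A message is only emitted when its severity is <= the configured trap level.
SEVERITY = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Constructed sample log (RFC 5737 documentation addresses on the outside).
# The 106023 line layout is an assumption reproduced from memory.
SAMPLE_LOG = """\
Nov 28 11:20:01 fw1 %PIX-5-304001: 10.1.1.23 Accessed URL 192.0.2.10:/GMES/get.html?target=GMR&z=136037049
Nov 28 11:20:03 fw1 %PIX-5-304001: 10.1.1.23 Accessed URL 192.0.2.10:/index.html
Nov 28 11:20:05 fw1 %PIX-5-304001: 10.1.1.40 Accessed URL 198.51.100.7:/login.cgi
Nov 28 11:20:09 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4444 dst inside:10.1.1.23/23 by access-group "outside_in"
Nov 28 11:20:11 fw1 %PIX-5-304001: 10.1.1.23 Accessed URL 192.0.2.10:/GMES/get.html?target=GMR&z=136037050
Nov 28 11:20:12 fw1 not a pix message at all
"""

PIX_RE = re.compile(r"%PIX-(?P<sev>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$")
URL_RE = re.compile(r"^(?P<src>\S+) Accessed URL (?P<dst>[^:\s]+):(?P<url>\S*)$")


def parse_line(line):
    """Return a dict with sev/msgid/text for a PIX syslog line, else None.

    For 304001 the src, dst and url fields are split out as well.
    """
    m = PIX_RE.search(line)
    if not m:
        return None
    rec = {"sev": int(m.group("sev")), "msgid": m.group("msgid"), "text": m.group("text")}
    if rec["msgid"] == "304001":
        u = URL_RE.match(rec["text"])
        if u:
            rec.update(src=u.group("src"), dst=u.group("dst"), url=u.group("url"))
    return rec


def build_audit_index(log_text, trap_level="informational"):
    """Index URL accesses by (src, dst) and count messages by ID.

    trap_level simulates the PIX "logging trap" cutoff: lines whose severity
    number is above it are dropped, as the PIX would never have sent them.
    """
    limit = SEVERITY[trap_level]
    index = defaultdict(list)
    counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sev"] > limit:
            continue
        counts[rec["msgid"]] += 1
        if "url" in rec:
            index[(rec["src"], rec["dst"])].append(rec["url"])
    return index, dict(counts)


def what_did(index, src, dst):
    """Answer 'what did src do to dst?' from an audit index."""
    return list(index.get((src, dst), []))


if __name__ == "__main__":
    idx, counts = build_audit_index(SAMPLE_LOG)
    print("message counts at informational:", counts)
    for url in what_did(idx, "10.1.1.23", "192.0.2.10"):
        print("10.1.1.23 -> 192.0.2.10:", url)
    # At "warnings" the 304001 notifications are never sent: no audit trail.
    print("message counts at warnings:", build_audit_index(SAMPLE_LOG, "warnings")[1])
```

Note what the index does not contain: the ACL deny is counted but carries no URL, and anything the PIX emits only at debugging is absent unless the trap level is raised to match, which is the performance trade-off the original question already anticipates.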


This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:13:24 EDT