Daily Archives: January 12, 2012

Logging connections in the Cisco Zone-based Policy Firewall

In a previous post, we learned how to build a simple policy with the Cisco Zone-based Policy Firewall (ZFW). The current post goes one step further, by discussing some connection logging tasks in a ZFW environment.

The feature in charge of generating the Syslog messages related to connection setup and teardown for the ZFW is named audit-trail, which, as can be verified in Figure 1, is set to ‘off’ by default.

To modify this original behavior in the sample scenario of Figure 1, we defined a new parameter-map called TRACKING and bound it to the  TOP-CLASS1 class-map, as part of the inspect action. (It is simportant to emphasize that  all the other settings of the Default parameter-map remained unchanged).

This approach of creating a customized parameter-map brings more flexibility to the deployment because you could have, for instance, another class-map without the audit-trail mechanism enabled.

Figure 1: Parameter-maps and the Cisco Zone-based Policy Firewall (ZFW)

Figure 2 brings two sample audit-trail syslog messages for a telnet session going from the INSIDE zone to the OUTSIDE. It also teaches how to display information about an active connection by means of the show policy-firewall session command.

Figure 2: Sample audit-trail messages for the Cisco Zone-based Policy Firewall

 ** Topics for Study:

** Related Posts:


1 Comment

Filed under English, Firewalls, Security