Tag Archives: parameter-map

Logging dropped packets with the Cisco Zone-based Policy Firewall

The previous post about the Cisco Zone-based Policy Firewall (ZFW) discussed how to log connection setup and termination. This one focuses on making dropped packets visible by means of Syslog messages. The configuration element that gets the job done is the parameter-map type inspect with the reserved name global.

Figure 1 summarizes the topology and the ZFW policy used in the posts so far.

Figure 1: Reference topology and associated ZFW policy

Figure 2 shows how to turn on the logging of packets dropped by the Cisco Zone-based Policy Firewall. Some points to be aware of:
  • Logging of dropped packets is disabled by default.
  • The settings inside the global parameter-map apply to all classes and are not available as options under the default or user-defined parameter-maps (which were analyzed in the previous ZFW post).
  • When a packet is dropped by the drop action under a class, the class name is recorded in the Syslog message.
  • Syslog messages for packets dropped as a result of the default-deny behavior (the subject of a previous post) do not contain a class name.

Figure 2: Logging dropped packets with the Cisco Zone-based Policy Firewall

** Topics for Study:
  • Compare the parameter-maps examined up to now: default, global and user-defined.
  • Contrast the tasks of logging connections and dropped packets in a ZFW scenario.
  • Make sure you understand the difference between class-based drops and packets dropped by the default-deny behavior of the ZFW.
  • Remember that the default and global categories of parameter-maps were introduced in Cisco IOS 15.X. Pre-15 releases used a different syntax to log dropped packets.


Filed under English, Firewalls, Security

Logging connections in the Cisco Zone-based Policy Firewall

In a previous post, we learned how to build a simple policy with the Cisco Zone-based Policy Firewall (ZFW). The current post goes one step further, by discussing some connection logging tasks in a ZFW environment.

The feature in charge of generating the Syslog messages related to connection setup and teardown for the ZFW is named audit-trail, which, as can be verified in Figure 1, is set to ‘off’ by default.

To modify this default behavior in the sample scenario of Figure 1, we defined a new parameter-map called TRACKING and bound it to the TOP-CLASS1 class-map as part of the inspect action. (It is important to emphasize that all the other settings of the default parameter-map remained unchanged.)

This approach of creating a customized parameter-map brings more flexibility to the deployment because you could have, for instance, another class-map without the audit-trail mechanism enabled.

Figure 1: Parameter-maps and the Cisco Zone-based Policy Firewall (ZFW)

Figure 2 shows two sample audit-trail Syslog messages for a telnet session going from the INSIDE zone to the OUTSIDE zone. It also shows how to display information about an active connection by means of the show policy-firewall session command.

Figure 2: Sample audit-trail messages for the Cisco Zone-based Policy Firewall
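The following IOS 15.x configuration is an added example that is not part of either post and does not reproduce the figures; it ties together the two parameter-map types covered on this page: the global parameter-map from the dropped-packets post and the user-defined TRACKING parameter-map from this connection-logging post. Zone names INSIDE and OUTSIDE, the class-map TOP-CLASS1 and the audit-trail setting come from the posts; the BLOCKED class-map, the policy-map and zone-pair names, the match statements, interface names and addresses are assumptions chosen for illustration.

```cisco
! Added example (not from the original posts). Zone names, TOP-CLASS1 and
! audit-trail come from the page; everything else is an assumed value.
!
! 1. Global parameter-map: enables Syslog messages for dropped packets.
!    Off by default; applies to every class and to default-deny drops.
parameter-map type inspect global
 log dropped-packets enable
!
! 2. User-defined parameter-map: turns on audit-trail (connection setup
!    and teardown messages) only for the classes that reference it. The
!    default parameter-map keeps audit-trail off for everything else.
parameter-map type inspect TRACKING
 audit-trail on
!
! 3. Class-maps (match statements are assumptions). TOP-CLASS1 is the
!    traffic whose connections we want logged; BLOCKED is traffic we
!    deliberately drop, so its drop messages carry the class name.
class-map type inspect match-any TOP-CLASS1
 match protocol telnet
 match protocol icmp
class-map type inspect match-any BLOCKED
 match protocol ftp
!
! 4. Policy-map: TRACKING is bound to TOP-CLASS1 as part of the inspect
!    action. The drop under BLOCKED is a class-based drop; class-default
!    catches the rest of the INSIDE -> OUTSIDE traffic.
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect TOP-CLASS1
  inspect TRACKING
 class type inspect BLOCKED
  drop
 class class-default
  drop
!
! 5. Zones and zone-pair. Only the INSIDE -> OUTSIDE direction has a
!    policy. A new connection arriving OUTSIDE -> INSIDE has no zone-pair
!    and hits the default-deny behavior; with the global setting above it
!    is logged, but without a class name.
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Interface names and addresses are assumptions (documentation ranges).
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 zone-member security INSIDE
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.0
 zone-member security OUTSIDE
!
! Verification: active connections (command referenced in the post) and
! the effective settings of each parameter-map.
! show policy-firewall session
! show parameter-map type inspect
```

Reading the resulting Syslog stream with the two categories from the posts in mind: a telnet session from INSIDE to OUTSIDE produces audit-trail messages because TOP-CLASS1 references TRACKING; an FTP attempt from INSIDE produces a dropped-packet message that names BLOCKED; a connection initiated from OUTSIDE produces a dropped-packet message with no class name, which is how to tell a default-deny drop from a class-based one. The global log dropped-packets setting replaces the pre-15 ip inspect log drop-pkt command mentioned in the study topics above, and it is the only place this option lives; it cannot be set under default or user-defined parameter-maps.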


Filed under English, Firewalls, Security