Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S (ASR 1000)

Firewall High-Speed Logging

The Firewall High-Speed Logging feature supports the high-speed logging (HSL) of firewall messages by using NetFlow Version 9 as the export format.

This module describes how to configure HSL for zone-based policy firewalls.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Firewall High-Speed Logging

Firewall High-Speed Logging Overview

Zone-based firewalls support high-speed logging (HSL). When HSL is configured, a firewall provides a log of packets that flow through routing devices (similar to the NetFlow Version 9 records) to an external collector. Records are sent when sessions are created and destroyed. Session records contain the full 5-tuple information (the source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements.

HSL allows a firewall to log records with minimal impact on packet processing. The firewall uses buffered mode for HSL: it writes records directly to the high-speed logger buffer and exports them to the collector separately, so logging never sits in the forwarding path.

A firewall logs the following types of events:
  • Audit—Session creation and removal notifications.
  • Alert—Half-open and maximum-open TCP session notifications.
  • Drop—Packet-drop notifications.
  • Pass—Packet-pass (based on the configured rate limit) notifications.
  • Summary—Policy-drop and pass-summary notifications.

Exported records carry interfaces as numeric IDs (FW_SRC_INTF_ID and FW_DST_INTF_ID). The NetFlow collector uses the output of the show platform software interface F0 brief command, taken on the device, to map those IDs to interface names.

The following sample output from the show platform software interface F0 brief command shows that the ID column maps the interface ID to the interface name (Name column):

Device# show platform software interface F0 brief

Name                          ID      QFP ID   
GigabitEthernet0/2/0          16         9     
GigabitEthernet0/2/1          17        10     
GigabitEthernet0/2/2          18        11     
GigabitEthernet0/2/3          19        12     

NetFlow Field ID Descriptions

The following table lists NetFlow field IDs used within the firewall NetFlow templates:

Table 1 NetFlow Field IDs

Field ID                      Type     Length      Description
----------------------------  -------  ----------  --------------------------------------------------------------

NetFlow ID Fields (Layer 3 IPv4)
FW_SRC_ADDR_IPV4              8        4           Source IPv4 address
FW_DST_ADDR_IPV4              12       4           Destination IPv4 address
FW_SRC_ADDR_IPV6              27       16          Source IPv6 address
FW_DST_ADDR_IPV6              28       16          Destination IPv6 address
FW_PROTOCOL                   4        1           IP protocol value
FW_IPV4_IDENT                 54       4           IPv4 identification
FW_IP_PROTOCOL_VERSION        60       1           IP protocol version

Flow ID Fields (Layer 4)
FW_TCP_FLAGS                  6        1           TCP flags
FW_SRC_PORT                   7        2           Source port
FW_DST_PORT                   11       2           Destination port
FW_ICMP_TYPE                  176      1           ICMP [1] type value
FW_ICMP_CODE                  177      1           ICMP code value
FW_ICMP_IPV6_TYPE             178      1           ICMP Version 6 (ICMPv6) type value
FW_ICMP_IPV6_CODE             179      1           ICMPv6 code value
FW_TCP_SEQ                    184      4           TCP sequence number
FW_TCP_ACK                    185      4           TCP acknowledgment number

Flow ID Fields (Layer 7)
FW_L7_PROTOCOL_ID             95       2           Layer 7 protocol ID. Identifies the Layer 7 application classification used by firewall inspection.

Flow Name Fields (Layer 7)
FLOW_FIELD_L7_PROTOCOL_NAME   96       32          Layer 7 protocol name. Identifies the Layer 7 protocol name that corresponds to the Layer 7 protocol ID (FW_L7_PROTOCOL_ID).

Flow ID Fields (Interface)
FW_SRC_INTF_ID                10       2           Ingress SNMP [2] ifIndex
FW_DST_INTF_ID                14       2           Egress SNMP ifIndex
FW_SRC_VRF_ID                 234      4           Ingress (initiator) VRF [3] ID
FW_DST_VRF_ID                 235      5           Egress (responder) VRF ID
FW_VRF_NAME                   236      32          VRF name

Mapped Flow ID Fields (Network Address Translation)
FW_XLATE_SRC_ADDR_IPV4        225      4           Mapped source IPv4 address
FW_XLATE_DST_ADDR_IPV4        226      4           Mapped destination IPv4 address
FW_XLATE_SRC_PORT             227      2           Mapped source port
FW_XLATE_DST_PORT             228      2           Mapped destination port

Status and Event Fields
FW_EVENT                      233      1           High-level event code:
                                                     • 0—Ignore (invalid)
                                                     • 1—Flow created
                                                     • 2—Flow deleted
                                                     • 3—Flow denied
                                                     • 4—Flow alert
FW_EXT_EVENT                  35,001   1           Extended event code.

Timestamp and Statistics Fields
FW_EVENT_TIME_MSEC            323      8           Time, in milliseconds since 0000 hours UTC [4] on January 1, 1970, when the event occurred (use field 324 if the event is a microevent and field 325 if it is a nanoevent).
FW_INITIATOR_OCTETS           231      8           Total number of Layer 4 payload bytes in the packet flow that arrives from the initiator
FW_RESPONDER_OCTETS           232      8           Total number of Layer 4 payload bytes in the packet flow that arrives from the responder

AAA Fields
FW_USERNAME                   40,000   20          AAA [5] user name
FW_USERNAME_MAX               40,000   64          AAA user name of the maximum permitted size

Alert Fields
FW_HALFOPEN_CNT               35,012   4           Half-open session entry count
FW_BLACKOUT_SECS              35,004   4           Time, in seconds, when the destination is blacked out or unavailable
FW_HALFOPEN_HIGH              35,005   4           Configured maximum rate of TCP half-open session entries logged in one minute
FW_HALFOPEN_RATE              35,006   4           Current rate of TCP half-open session entries logged in one minute
FW_MAX_SESSIONS               35,008   4           Maximum number of sessions allowed for this zone pair or class ID

Miscellaneous
FW_ZONEPAIR_ID                35,007   4           Zone pair ID
FW_CLASS_ID                   51       4           Class ID
FW_ZONEPAIR_NAME              35,009   64          Zone pair name
FW_CLASS_NAME                 100      64          Class name
FW_EXT_EVENT_DESC             35,010   64          Extended event description
FW_SUMMARY_PKT_CNT            35,011   4           Number of packets represented by the drop/pass summary record
FW_EVENT_LEVEL                33,003   1           Defines the level of the logged event:
                                                     • 0x01—Per box
                                                     • 0x02—VRF
                                                     • 0x03—Zone
                                                     • 0x04—Class map
                                                     • Other values are undefined
FW_EVENT_LEVEL_ID             33,004   4           Defines the identifier for the FW_EVENT_LEVEL field:
                                                     • If FW_EVENT_LEVEL is 0x02 (VRF), this field represents VRF_ID.
                                                     • If FW_EVENT_LEVEL is 0x03 (zone), this field represents ZONE_ID.
                                                     • If FW_EVENT_LEVEL is 0x04 (class map), this field represents CLASS_ID.
                                                     • In all other cases the field ID is 0 (zero). If FW_EVENT_LEVEL is not present, the value of this field must be zero.
FW_CONFIGURED_VALUE           33,005   4           Value that represents the configured half-open, aggressive-aging, or event-rate monitoring limit. The interpretation of this field depends on the associated FW_EXT_EVENT field.
FW_ERM_EXT_EVENT              33,006   2           Extended event-rate monitoring code
FW_ERM_EXT_EVENT_DESC         33,007   N (string)  Extended event-rate monitoring event description string

[1] Internet Control Message Protocol
[2] Simple Network Management Protocol
[3] virtual routing and forwarding
[4] Coordinated Universal Time
[5] Authentication, Authorization, and Accounting
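The collector side of what this section describes is a NetFlow Version 9 decoder that learns the firewall template, decodes each data record with the field IDs and lengths from Table 1, names the FW_EVENT code, and resolves FW_SRC_INTF_ID and FW_DST_INTF_ID through the show platform software interface F0 brief output. The following Python program is an added example, not code from this guide or from Cisco: the packet bytes, the addresses and the embedded copy of the show output are constructed for illustration, the field subset is the author's choice, and a data FlowSet whose template has not yet arrived is skipped rather than decoded by guesswork.

```python
"""Collector-side decoder for firewall HSL records exported as NetFlow v9.

Added example, not code from the Cisco guide. Field IDs and lengths are the
subset of Table 1 used below; packet bytes, addresses and the interface table
text are constructed for illustration.
"""
import struct
from ipaddress import IPv4Address

# Field ID -> (field name, length in bytes), from Table 1.
FW_FIELDS = {
    8: ("FW_SRC_ADDR_IPV4", 4), 12: ("FW_DST_ADDR_IPV4", 4),
    4: ("FW_PROTOCOL", 1), 7: ("FW_SRC_PORT", 2), 11: ("FW_DST_PORT", 2),
    10: ("FW_SRC_INTF_ID", 2), 14: ("FW_DST_INTF_ID", 2),
    233: ("FW_EVENT", 1), 35001: ("FW_EXT_EVENT", 1),
    323: ("FW_EVENT_TIME_MSEC", 8),
}
# FW_EVENT high-level event codes, from Table 1.
FW_EVENT_NAMES = {0: "ignore", 1: "flow created", 2: "flow deleted",
                  3: "flow denied", 4: "flow alert"}

# Constructed copy of 'show platform software interface F0 brief' output.
SHOW_PLATFORM_OUTPUT = """\
Name                          ID      QFP ID
GigabitEthernet0/2/0          16         9
GigabitEthernet0/2/1          17        10
GigabitEthernet0/2/2          18        11
GigabitEthernet0/2/3          19        12
"""


def parse_interface_map(text):
    """Map the ID column of the show output to the Name column."""
    mapping = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1].isdigit():   # skips the header row
            mapping[int(parts[1])] = parts[0]
    return mapping


def build_sample_packet(template_id=256):
    """Construct one NetFlow v9 packet: template FlowSet + one data record."""
    fields = [8, 12, 4, 7, 11, 10, 14, 233, 35001, 323]
    tmpl = struct.pack("!HH", template_id, len(fields))
    for fid in fields:
        tmpl += struct.pack("!HH", fid, FW_FIELDS[fid][1])
    template_set = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl   # FlowSet ID 0
    record = (IPv4Address("192.0.2.10").packed          # FW_SRC_ADDR_IPV4
              + IPv4Address("198.51.100.20").packed     # FW_DST_ADDR_IPV4
              + struct.pack("!B", 6)                    # FW_PROTOCOL: TCP
              + struct.pack("!HH", 40312, 22)           # src port, dst port
              + struct.pack("!HH", 16, 17)              # src, dst interface ID
              + struct.pack("!B", 3)                    # FW_EVENT: flow denied
              + struct.pack("!B", 24)                   # FW_EXT_EVENT value
              + struct.pack("!Q", 1700000000123))       # FW_EVENT_TIME_MSEC
    data_set = struct.pack("!HH", template_id, 4 + len(record)) + record
    # Header: version 9, record count, sysUptime, unix secs, sequence, source ID
    header = struct.pack("!HHIIII", 9, 2, 12345, 1700000000, 1, 0)
    return header + template_set + data_set


def _decode_value(name, raw):
    if name.endswith("ADDR_IPV4"):
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")


def decode_packet(packet, intf_map, templates=None):
    """Walk the FlowSets, learn templates, decode firewall data records."""
    templates = {} if templates is None else templates
    version = struct.unpack("!H", packet[:2])[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    pos, records = 20, []
    while pos + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[pos:pos + 4])
        if set_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[pos + 4:pos + set_len]
        if set_id == 0:                                  # template FlowSet
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                off += 4
                spec = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                        for i in range(nfields)]
                off += 4 * nfields
                templates[tid] = spec
        elif set_id >= 256 and set_id in templates:      # data FlowSet
            spec = templates[set_id]
            rec_len = sum(flen for _, flen in spec)
            off = 0
            while rec_len and off + rec_len <= len(body):   # stops at padding
                rec = {}
                for ftype, flen in spec:
                    name = FW_FIELDS.get(ftype, (f"field_{ftype}", flen))[0]
                    rec[name] = _decode_value(name, body[off:off + flen])
                    off += flen
                rec["FW_EVENT_NAME"] = FW_EVENT_NAMES.get(rec.get("FW_EVENT"), "undefined")
                rec["FW_SRC_INTF_NAME"] = intf_map.get(rec.get("FW_SRC_INTF_ID"))
                rec["FW_DST_INTF_NAME"] = intf_map.get(rec.get("FW_DST_INTF_ID"))
                records.append(rec)
        pos += set_len          # data for an unknown template is skipped
    return records
```

Because templates are learned from the stream, a real collector keeps the templates dictionary per exporter (source IP plus the header's source ID) across packets; a record that arrives before its template is dropped here, which is why the template timeout-rate configured later in this module matters for how quickly a restarted collector becomes useful.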

Firewall Extended Events

The event name of the firewall extended event maps the firewall extended event value to an event ID. Use the event name option record to obtain the mapping between an event value and an event ID.

Extended events are not part of standard firewall events (inspect, pass, or drop).

The following table describes the firewall extended events applicable prior to Cisco IOS XE Release 3.9S.

Table 2 Firewall Extended Events and Event Descriptions for Releases earlier than Cisco IOS XE Release 3.9S

Value  Event ID                            Description
-----  ----------------------------------  --------------------------------------------------------------
0      FW_EXT_LOG_NONE                     No specific extended event.
1      FW_EXT_ALERT_UNBLOCK_HOST           New TCP connection attempts to the specified host are no longer blocked.
2      FW_EXT_ALERT_HOST_TCP_ALERT_ON      Maximum incomplete host limit for half-open TCP connections is exceeded.
3      FW_EXT_ALERT_BLOCK_HOST             All subsequent new TCP connection attempts to the specified host are denied because the maximum incomplete host threshold of half-open TCP connections is exceeded, and the blocking option is configured to block subsequent new connections.
4      FW_EXT_SESS_RATE_ALERT_ON           Maximum incomplete high threshold of half-open connections is exceeded, or the new connection initiation rate is exceeded.
5      FW_EXT_SESS_RATE_ALERT_OFF          Number of half-open TCP connections is below the maximum incomplete low threshold, or the new connection initiation rate has gone below the maximum incomplete low threshold.
6      FW_EXT_RESET                        Reset connection.
7      FW_EXT_DROP                         Drop connection.
10     FW_EXT_L4_NO_NEW_SESSION            No new session is allowed.
12     FW_EXT_L4_INVALID_SEG               Invalid TCP segment.
13     FW_EXT_L4_INVALID_SEQ               Invalid TCP sequence number.
14     FW_EXT_L4_INVALID_ACK               Invalid TCP acknowledgment (ACK).
15     FW_EXT_L4_INVALID_FLAGS             Invalid TCP flags.
16     FW_EXT_L4_INVALID_CHKSM             Invalid TCP checksum.
18     FW_EXT_L4_INVALID_WINDOW_SCALE      Invalid TCP window scale.
19     FW_EXT_L4_INVALID_TCP_OPTIONS       Invalid TCP options.
20     FW_EXT_L4_INVALID_HDR               Invalid Layer 4 header.
21     FW_EXT_L4_OOO_INVALID_SEG           OoO [6] invalid segment.
24     FW_EXT_L4_SYNFLOOD_DROP             Synchronized (SYN) flood packets are dropped.
25     FW_EXT_L4_SCB_CLOSED                Session is closed while receiving packets.
26     FW_EXT_L4_INTERNAL_ERR              Firewall internal error.
27     FW_EXT_L4_OOO_SEG                   OoO segment.
28     FW_EXT_L4_RETRANS_INVALID_FLAGS     Invalid retransmitted packet.
29     FW_EXT_L4_SYN_IN_WIN                Invalid SYN flag.
30     FW_EXT_L4_RST_IN_WIN                Invalid reset (RST) flag.
31     FW_EXT_L4_STRAY_SEG                 Stray TCP segment.
32     FW_EXT_L4_RST_TO_RESP               Sending reset message to the responder.
33     FW_EXT_L4_CLOSE_SCB                 Closing a session.
34     FW_EXT_L4_ICMP_INVAL_RET            Invalid ICMP [7] packet.
37     FW_EXT_L4_MAX_HALFSESSION           Maximum half-open session limit is exceeded.
38     FW_EXT_NO_RESOURCE                  Resources (memory) are not available.
40     FW_EXT_INVALID_ZONE                 Invalid zone.
41     FW_EXT_NO_ZONE_PAIR                 Zone pairs are not available.
42     FW_EXT_NO_TRAFFIC_ALLOWED           Traffic is not allowed.
43     FW_EXT_FRAGMENT                     Packet fragments are dropped.
44     FW_EXT_PAM_DROP                     PAM [8] action is dropped.
45     FW_EXT_NOT_INITIATOR                Not a session-initiating packet. Occurs for one of the following reasons:
                                             • If the protocol is TCP, the first packet is not a SYN packet.
                                             • If the protocol is ICMP, the first packet is not an ECHO or a TIMESTAMP packet.
48     FW_EXT_ICMP_ERROR_PKTS_BURST        ICMP error packets came in burst mode. In burst mode, packets are sent repeatedly without waiting for a response from the responder interface.
49     FW_EXT_ICMP_ERROR_MULTIPLE_UNREACH  More than one ICMP error of type "destination unreachable" is received.
50     FW_EXT_ICMP_ERROR_L4_INVALID_SEQ    Embedded packet in the ICMP error message has an invalid sequence number.
51     FW_EXT_ICMP_ERROR_L4_INVALID_ACK    Embedded packet in the ICMP error message has an invalid acknowledgment (ACK) number.
52     FW_EXT_MAX                          Never used.

[6] Out-of-Order
[7] Internet Control Message Protocol
[8] Port-to-Application Mapping
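On a collector, the FW_EXT_EVENT values in Table 2 become useful once each value is mapped to its event ID and the records are aggregated by extended event and by source, so that a burst of FW_EXT_L4_SYNFLOOD_DROP or FW_EXT_SESS_RATE_ALERT_ON records stands out from ordinary session churn. The Python below is an added example, not code from this guide or from Cisco: the records are constructed dicts of the kind a decoder would produce, the event subset and the HALFOPEN_EVENTS grouping are the author's choice, and value 99 is deliberately outside Table 2 to show that an unknown code is labelled rather than silently dropped.

```python
"""Aggregate firewall HSL records by FW_EXT_EVENT (added example).

Not code from the Cisco guide. The value -> event ID mapping is a subset of
Table 2; the records below are constructed for illustration.
"""
from collections import Counter

# Subset of Table 2: FW_EXT_EVENT value -> event ID.
FW_EXT_EVENTS = {
    0: "FW_EXT_LOG_NONE",
    3: "FW_EXT_ALERT_BLOCK_HOST",
    4: "FW_EXT_SESS_RATE_ALERT_ON",
    5: "FW_EXT_SESS_RATE_ALERT_OFF",
    13: "FW_EXT_L4_INVALID_SEQ",
    24: "FW_EXT_L4_SYNFLOOD_DROP",
    37: "FW_EXT_L4_MAX_HALFSESSION",
    45: "FW_EXT_NOT_INITIATOR",
}
# Extended events that mean the half-open / SYN-flood protections engaged
# (author's grouping, drawn from the Table 2 descriptions).
HALFOPEN_EVENTS = {3, 4, 24, 37}

# Constructed records. FW_EVENT: 1 = flow created, 3 = flow denied, 4 = flow alert.
SAMPLE_RECORDS = [
    {"FW_EVENT": 3, "FW_EXT_EVENT": 24, "FW_SRC_ADDR_IPV4": "203.0.113.7", "FW_DST_PORT": 443},
    {"FW_EVENT": 3, "FW_EXT_EVENT": 24, "FW_SRC_ADDR_IPV4": "203.0.113.7", "FW_DST_PORT": 443},
    {"FW_EVENT": 3, "FW_EXT_EVENT": 24, "FW_SRC_ADDR_IPV4": "203.0.113.7", "FW_DST_PORT": 443},
    {"FW_EVENT": 4, "FW_EXT_EVENT": 4, "FW_SRC_ADDR_IPV4": "203.0.113.7", "FW_DST_PORT": 443},
    {"FW_EVENT": 3, "FW_EXT_EVENT": 45, "FW_SRC_ADDR_IPV4": "198.51.100.5", "FW_DST_PORT": 80},
    {"FW_EVENT": 1, "FW_EXT_EVENT": 0, "FW_SRC_ADDR_IPV4": "192.0.2.33", "FW_DST_PORT": 22},
    {"FW_EVENT": 3, "FW_EXT_EVENT": 99, "FW_SRC_ADDR_IPV4": "192.0.2.33", "FW_DST_PORT": 22},
]


def ext_event_name(value):
    """Event ID for an FW_EXT_EVENT value; unknown values are labelled, not dropped."""
    return FW_EXT_EVENTS.get(value, f"FW_EXT_UNKNOWN_{value}")


def summarize_ext_events(records):
    """Count records per extended-event ID across all FW_EVENT types."""
    return Counter(ext_event_name(r.get("FW_EXT_EVENT", 0)) for r in records)


def halfopen_sources(records, threshold):
    """Sources with at least `threshold` half-open-related denies or alerts."""
    per_source = Counter(
        r.get("FW_SRC_ADDR_IPV4", "unknown")
        for r in records
        if r.get("FW_EVENT") in (3, 4) and r.get("FW_EXT_EVENT") in HALFOPEN_EVENTS
    )
    return {src: n for src, n in per_source.items() if n >= threshold}
```

The per-source count deliberately includes both denied flows and alert records, because the alert (value 4) is what the firewall emits when the one-minute high threshold configured later in this module is crossed, while the denies (value 24) are the individual packets dropped afterwards; seeing both from one source in a short window is the signal a collector should surface.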

How to Configure Firewall High-Speed Logging

Enabling High-Speed Logging for Global Parameter Maps

By default, high-speed logging (HSL) is not enabled and firewall logs are sent to a logger buffer located in the Route Processor (RP) or the console. When HSL is enabled, logs are sent to an off-box, high-speed log collector. Parameter maps provide a means of performing actions on the traffic that reaches a firewall and a global parameter map applies to the entire firewall session table. Perform this task to enable high-speed logging for global parameter maps.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type inspect global
4. log dropped-packets
5. log flow-export v9 udp destination ip-address port-number
6. log flow-export template timeout-rate seconds
7. end

DETAILED STEPS

Step 1  enable

        Example:
        Device> enable

        Enables privileged EXEC mode.
          • Enter your password if prompted.

Step 2  configure terminal

        Example:
        Device# configure terminal

        Enters global configuration mode.

Step 3  parameter-map type inspect global

        Example:
        Device(config)# parameter-map type inspect global

        Configures a global parameter map and enters parameter-map type inspect configuration mode.

Step 4  log dropped-packets

        Example:
        Device(config-profile)# log dropped-packets

        Enables dropped-packet logging.

Step 5  log flow-export v9 udp destination ip-address port-number

        Example:
        Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000

        Enables NetFlow event logging and specifies the IP address and UDP port number of the log collector.

Step 6  log flow-export template timeout-rate seconds

        Example:
        Device(config-profile)# log flow-export template timeout-rate 5000

        Specifies the template timeout value, in seconds.

Step 7  end

        Example:
        Device(config-profile)# end

        Exits parameter-map type inspect configuration mode and returns to privileged EXEC mode.

Enabling High-Speed Logging for Firewall Actions

Perform this task to enable high-speed logging if you have configured inspect-type parameter maps. Parameter maps specify inspection behavior for the firewall; the inspection parameter maps used by the firewall are configured as the inspect type.

SUMMARY STEPS

1. enable
2. configure terminal
3. parameter-map type inspect parameter-map-name
4. audit-trail on
5. alert on
6. one-minute {low number-of-connections | high number-of-connections}
7. tcp max-incomplete host threshold
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect parameter-map-name
12. end

DETAILED STEPS

Step 1  enable

        Example:
        Device> enable

        Enables privileged EXEC mode.
          • Enter your password if prompted.

Step 2  configure terminal

        Example:
        Device# configure terminal

        Enters global configuration mode.

Step 3  parameter-map type inspect parameter-map-name

        Example:
        Device(config)# parameter-map type inspect parameter-map-hsl

        Configures an inspect parameter map for connection thresholds, timeouts, and other parameters pertaining to the inspect keyword, and enters parameter-map type inspect configuration mode.

Step 4  audit-trail on

        Example:
        Device(config-profile)# audit-trail on

        Enables audit trail messages.
          • Enabling audit-trail in a parameter map records the start, stop, and duration of a connection or session, and the source and destination IP addresses.

Step 5  alert on

        Example:
        Device(config-profile)# alert on

        Enables stateful-packet inspection alert messages that are displayed on the console.

Step 6  one-minute {low number-of-connections | high number-of-connections}

        Example:
        Device(config-profile)# one-minute high 10000

        Defines the number of new unestablished sessions in one minute at which the system starts deleting half-open sessions (high) and stops deleting them (low).

Step 7  tcp max-incomplete host threshold

        Example:
        Device(config-profile)# tcp max-incomplete host 100

        Specifies the threshold and blocking time values for TCP host-specific denial of service (DoS) detection and prevention.

Step 8  exit

        Example:
        Device(config-profile)# exit

        Exits parameter-map type inspect configuration mode and returns to global configuration mode.

Step 9  policy-map type inspect policy-map-name

        Example:
        Device(config)# policy-map type inspect policy-map-hsl

        Creates an inspect-type policy map and enters policy map configuration mode.

Step 10  class type inspect class-map-name

        Example:
        Device(config-pmap)# class type inspect class-map-tcp

        Specifies the traffic class on which an action is to be performed and enters policy-map class configuration mode.

Step 11  inspect parameter-map-name

        Example:
        Device(config-pmap-c)# inspect parameter-map-hsl

        (Optional) Enables stateful packet inspection using the named parameter map.

Step 12  end

        Example:
        Device(config-pmap-c)# end

        Exits policy-map class configuration mode and returns to privileged EXEC mode.

Configuration Examples for Firewall High-Speed Logging

Example: Enabling High-Speed Logging for Global Parameter Maps

The following example shows how to enable logging of dropped packets and to export the log records in NetFlow Version 9 format to an external collector:

Device# configure terminal
Device(config)# parameter-map type inspect global
Device(config-profile)# log dropped-packets
Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000
Device(config-profile)# log flow-export template timeout-rate 5000
Device(config-profile)# end

Example: Enabling High-Speed Logging for Firewall Actions

The following example shows how to configure high-speed logging (HSL) for the inspect-type parameter map parameter-map-hsl and attach it to a policy map:

Device# configure terminal
Device(config)# parameter-map type inspect parameter-map-hsl
Device(config-profile)# audit-trail on
Device(config-profile)# alert on
Device(config-profile)# one-minute high 10000
Device(config-profile)# tcp max-incomplete host 100
Device(config-profile)# exit
Device(config)# policy-map type inspect policy-map-hsl
Device(config-pmap)# class type inspect class-map-tcp
Device(config-pmap-c)# inspect parameter-map-hsl
Device(config-pmap-c)# end

Additional References for Firewall High-Speed Logging

Technical Assistance

Description:
    The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Link:
    http://www.cisco.com/cisco/web/support/index.html

Feature Information for Firewall High-Speed Logging

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 3 Feature Information for Firewall High-Speed Logging

Feature Name                  Releases                  Feature Information
----------------------------  ------------------------  --------------------------------------------------------------
Firewall High-Speed Logging   Cisco IOS XE Release 2.1  The Firewall High-Speed Logging Support feature introduces support for firewall HSL using NetFlow Version 9 as the export format.
                                                        The following commands were introduced or modified: log dropped-packets, log flow-export v9 udp destination, log flow-export template timeout-rate, parameter-map type inspect global.