-
Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
-
Zone-Based Policy Firewall
-
Zone-Based Policy Firewall IPv6 Support
-
VRF-Aware Cisco IOS XE Firewall
-
Nested Class Map Support for Zone-Based Policy Firewall
-
Configuring Firewall Stateful Interchassis Redundancy
-
Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
-
Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
-
Interchassis High Availability Support in IPv6 Zone-Based Firewalls
-
Firewall Stateful Inspection of ICMP
-
Firewall Support of Skinny Client Control Protocol
-
Configuring the VRF-Aware Software Infrastructure
-
IPv6 Zone-Based Firewall Support over VASI Interfaces
-
Protection Against Distributed Denial of Service Attacks
-
Configuring Firewall Resource Management
-
IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
-
Configuring Firewall TCP SYN Cookie
-
Configuring GPRS Tunneling Protocol Support
-
GPRS Tunneling Protocol V2\nSupport
-
GGSN Pooling Support for Firewalls
-
Cisco Firewall-SIP Enhancements ALG
-
MSRPC ALG Support for Firewall and NAT
-
Sun RPC ALG Support for Firewalls and NAT
-
vTCP for ALG Support
-
ALG—H.323 vTCP with High Availability Support for Firewall and NAT
-
FTP66 ALG Support for IPv6 Firewalls
-
SIP ALG Hardening for NAT and Firewall
-
TCP Reset Segment Control
-
Firewall High-Speed Logging
-
Feedback
Contents
- Firewall High-Speed Logging
- Finding Feature Information
- Information About Firewall High-Speed Logging
- Firewall High-Speed Logging Overview
- NetFlow Field ID Descriptions
- Firewall Extended Events
- How to Configure Firewall High-Speed Logging
- Enabling High-Speed Logging for Global Parameter Maps
- Enabling High-Speed Logging for Firewall Actions
- Configuration Examples for Firewall High-Speed Logging
- Example: Enabling High-Speed Logging for Global Parameter Maps
- Example: Enabling High-Speed Logging for Firewall Actions
- Additional References for Firewall High-Speed Logging
- Feature Information for Firewall High-Speed Logging
Firewall High-Speed Logging
The Firewall High-Speed Logging feature supports the high-speed logging (HSL) of firewall messages by using NetFlow Version 9 as the export format.
This module describes how to configure HSL for zone-based policy firewalls.
- Finding Feature Information
- Information About Firewall High-Speed Logging
- How to Configure Firewall High-Speed Logging
- Configuration Examples for Firewall High-Speed Logging
- Additional References for Firewall High-Speed Logging
- Feature Information for Firewall High-Speed Logging
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About Firewall High-Speed Logging
Firewall High-Speed Logging Overview
Zone-based firewalls support high-speed logging (HSL). When HSL is configured, a firewall provides a log of packets that flow through routing devices (similar to the NetFlow Version 9 records) to an external collector. Records are sent when sessions are created and destroyed. Session records contain the full 5-tuple information (the source IP address, destination IP address, source port, destination port, and protocol). A tuple is an ordered list of elements.
HSL allows a firewall to log records with minimum impact to packet processing. The firewall uses buffered mode for HSL. In buffered mode, a firewall logs records directly to the high-speed logger buffer, and exports of packets separately.
A firewall logs the following types of events:The NetFlow collector issues the show platform software interface F0 brief command to map the FW_SRC_INTF_ID and FW_DST_INTF_ID interface IDs to the interface name.
The following sample output from the show platform software interface F0 brief command shows that the ID column maps the interface ID to the interface name (Name column):
Device# show platform software interface F0 brief Name ID QFP ID GigabitEthernet0/2/0 16 9 GigabitEthernet0/2/1 17 10 GigabitEthernet0/2/2 18 11 GigabitEthernet0/2/3 19 12NetFlow Field ID Descriptions
The following table lists NetFlow field IDs used within the firewall NetFlow templates:
Table 1 NetFlow Field IDs Field ID
Type
Length
Description
NetFlow ID Fields (Layer 3 IPv4)
FW_SRC_ADDR_IPV4
8
4
Source IPv4 address
FW_DST_ADDR_IPV4
12
4
Destination IPv4 address
FW_SRC_ADDR_IPV6
27
16
Source IPv6 address
FW_SRC_ADDR_IPV6
28
16
Destination IPv6 address
FW_PROTOCOL
4
1
IP protocol value
FW_IPV4_IDENT
54
4
IPv4 identification
FW_IP_PROTOCOL_VERSION
60
1
IP protocol version
Flow ID Fields (Layer 4)
FW_TCP_FLAGS
6
1
TCP flags
FW_SRC_PORT
7
2
Source port
FW_DST_PORT
11
2
Destination port
FW_ICMP_TYPE
176
1
ICMP 1 type value
FW_ICMP_CODE
177
1
ICMP code value
FW_ICMP_IPV6_TYPE
178
1
ICMP Version 6 (ICMPv6) type value
FW_ICMP_IPV6_CODE
179
1
ICMPv6 code value
FW_TCP_SEQ
184
4
TCP sequence number
FW_TCP_ACK
185
4
TCP acknowledgment number
Flow ID Fields (Layer 7)
FW_L7_PROTOCOL_ID
95
2
Layer 7 protocol ID. Identifies the Layer 7 application classification used by firewall inspection.
Flow Name Fields (Layer 7)
FLOW_FIELD_L7_PROTOCOL_NAME
96
32
Layer 7 protocol name. Identifies the Layer 7 protocol name that corresponds to the Layer 7 protocol ID (FW_L7_PROTOCOL_ID).
Flow ID Fields (Interface)
FW_SRC_INTF_ID
10
2
Ingress SNMP 2 ifIndex
FW_DST_INTF_ID
14
2
Egress SNMP ifIndex
FW_SRC_VRF_ID
234
4
Ingress (initiator) VRF 3 ID
FW_DST_VRF_ID
235
5
Egress (responder) VRF ID
FW_VRF_NAME
236
32
VRF name
Mapped Flow ID Fields (Network Address Translation)
FW_XLATE_SRC_ADDR_IPV4
225
4
Mapped source IPv4 address
FW_XLATE_DST_ADDR_IPV4
226
4
Mapped destination IPv4 address
FW_XLATE_SRC_PORT
227
2
Mapped source port
FW_XLATE_DST_PORT
228
2
Mapped destination port
Status and Event Fields
FW_EVENT
233
1
FW_EXT_EVENT
35,001
1
Extended event code.
Timestamp and Statistics Fields
FW_EVENT_TIME_MSEC
323
8
Time, in milliseconds, (time since 0000 hours UTC 4 January 1, 1970) when the event occurred (if the event is a microevent, use 324 and 325, if it is a nanoevent)
FW_INITIATOR_OCTETS
231
8
Total number of Layer 4 payload bytes in the packet flow that arrives from the initiator
FW_RESPONDER_OCTETS
232
8
Total number of Layer 4 payload bytes in the packet flow that arrives from the responder
AAA Fields
FW_USERNAME
40,000
20
AAA 5 user name
FW_USERNAME_MAX
40,000
64
AAA user name of the maximum permitted size
Alert Fields
FW_HALFOPEN_CNT
35,012
4
Half-open session entry count
FW_BLACKOUT_SECS
35,004
4
Time, in seconds, when the destination is blacked out or unavailable
FW_HALFOPEN_HIGH
35,005
4
Configured maximum rate of TCP half-open session entries logged in one minute
FW_HALFOPEN_RATE
35,006
4
Current rate of TCP half-open session entries logged in one minute
FW_MAX_SESSIONS
35,008
4
Maximum number of sessions allowed for this zone pair or class ID
Miscellaneous
FW_ZONEPAIR_ID
35,007
4
Zone pair ID
FW_CLASS_ID
51
4
Class ID
FW_ZONEPAIR_NAME
35,009
64
Zone pair name
FW_CLASS_NAME
100
64
Class name
FW_EXT_EVENT_DESC
35,010
64
Extended event description
FW_SUMMARY_PKT_CNT
35,011
4
Number of packets represented by the drop/pass summary record
FW_EVENT_LEVEL
33003
1
FW_EVENT_LEVEL_ID
33,004
4
- If FW_EVENT_LEVEL is 0x02 (VRF), this field represents VRF_ID.
- If FW_EVENT_LEVEL is 0x03 (zone), this field represents ZONE_ID.
- If FW_EVENT_LEVEL is 0x04 (class map), this field represents CLASS_ID.
- In all other cases the field ID will be 0 (zero). If FW_EVENT_LEVEL is not present, the value of this field must be zero.
FW_CONFIGURED_VALUE
33,005
4
Value that represents the configured half-open, aggressive-aging, and event-rate monitoring limit. The interpretation of this field value depends on the associated FW_EXT_EVENT field.
FW_ERM_EXT_EVENT
33,006
2
Extended event-rate monitoring code
FW_ERM_EXT_EVENT_DESC
33,007
N (string)
Extended event-rate monitoring event description string
1 Internet Control Message Protocol2 Simple Network Management Protocol3 virtual routing and forwarding4 Coordinated Universal Time5 Authentication, Authorization, and AccountingFirewall Extended Events
The event name of the firewall extended event maps the firewall extended event value to an event ID. Use the event name option record to obtain the mapping between an event value and an event ID.
Extended events are not part of standard firewall events (inspect, pass, or drop).
The following table describes the firewall extended events applicable prior to Cisco IOS XE Release 3.8S.
Table 2 Firewall Extended Events and Event Descriptions for Releases earlier than Cisco IOS XE Release 3.9S Value
Event ID
Description
0
FW_EXT_LOG_NONE
No specific extended event.
1
FW_EXT_ALERT_UNBLOCK_HOST
New TCP connection attempts to the specified host are no longer blocked.
2
FW_EXT_ALERT_HOST_TCP_ALERT_ON
Maximum incomplete host limit for half-open TCP connections are exceeded.
3
FW_EXT_ALERT_BLOCK_HOST
All subsequent new TCP connection attempts to the specified host are denied because the maximum incomplete host threshold of half-open TCP connections is exceeded, and the blocking option is configured to block subsequent new connections.
4
FW_EXT_SESS_RATE_ALERT_ON
Maximum incomplete high threshold of half-open connections is exceeded, or the new connection initiation rate is exceeded.
5
FW_EXT_SESS_RATE_ALERT_OFF
Number of half-open TCP connections is below the maximum incomplete low threshold, or the new connection initiation rate has gone below the maximum incomplete low threshold.
6
FW_EXT_RESET
Reset connection.
7
FW_EXT_DROP
Drop connection.
10
FW_EXT_L4_NO_NEW_SESSION
No new session is allowed.
12
FW_EXT_L4_INVALID_SEG
Invalid TCP segment.
13
FW_EXT_L4_INVALID_SEQ
Invalid TCP sequence number.
14
FW_EXT_L4_INVALID_ACK
Invalid TCP acknowledgment (ACK).
15
FW_EXT_L4_INVALID_FLAGS
Invalid TCP flags.
16
FW_EXT_L4_INVALID_CHKSM
Invalid TCP checksum.
18
FW_EXT_L4_INVALID_WINDOW_SCALE
Invalid TCP window scale.
19
FW_EXT_L4_INVALID_TCP_OPTIONS
Invalid TCP options.
20
FW_EXT_L4_INVALID_HDR
Invalid Layer 4 header.
21
FW_EXT_L4_OOO_INVALID_SEG
OoO 6 invalid segment.
24
FW_EXT_L4_SYNFLOOD_DROP
Synchronized (SYN) flood packets are dropped.
25
FW_EXT_L4_SCB_CLOSED
Session is closed while receiving packets.
26
FW_EXT_L4_INTERNAL_ERR
Firewall internal error.
27
FW_EXT_L4_OOO_SEG
OoO segment.
28
FW_EXT_L4_RETRANS_INVALID_FLAGS
Invalid retransmitted packet.
29
FW_EXT_L4_SYN_IN_WIN
Invalid SYN flag.
30
FW_EXT_L4_RST_IN_WIN
Invalid reset (RST) flag.
31
FW_EXT_L4_STRAY_SEG
Stray TCP segment.
32
FW_EXT_L4_RST_TO_RESP
Sending reset message to the responder.
33
FW_EXT_L4_CLOSE_SCB
Closing a session.
34
FW_EXT_L4_ICMP_INVAL_RET
Invalid ICMP 7 packet.
37
FW_EXT_L4_MAX_HALFSESSION
Maximum half-open session limit is exceeded.
38
FW_EXT_NO_RESOURCE
Resources (memory) are not available.
40
FW_EXT_INVALID_ZONE
Invalid zone.
41
FW_EXT_NO_ZONE_PAIR
Zone pairs are not available.
42
FW_EXT_NO_TRAFFIC_ALLOWED
Traffic is not allowed.
43
FW_EXT_FRAGMENT
Packet fragments are dropped.
44
FW_EXT_PAM_DROP
PAM 8 action is dropped.
45
FW_EXT_NOT_INITIATOR
Not a session-initiating packet.
48
FW_EXT_ICMP_ERROR_PKTS_BURST
ICMP error packets came in burst mode. In burst mode, packets are sent repeatedly without waiting for a response from the responder interface.
49
FW_EXT_ICMP_ERROR_MULTIPLE_UNREACH
More than one ICMP error of type “destination unreachable” is received.
50
FW_EXT_ICMP_ERROR_L4_INVALID_SEQ
Embedded packet in the ICMP error message has an invalid sequence number.
51
FW_EXT_ICMP_ERROR_L4_INVALID_ACK
Embedded packet in the ICMP error message has an invalid acknowledge (ACK) number.
52
FW_EXT_MAX
Never used.
6 Out-of-Order7 Internet Control Message Protocol8 Port-to-Application MappingHow to Configure Firewall High-Speed Logging
Enabling High-Speed Logging for Global Parameter Maps
SUMMARY STEPSBy default, high-speed logging (HSL) is not enabled and firewall logs are sent to a logger buffer located in the Route Processor (RP) or the console. When HSL is enabled, logs are sent to an off-box, high-speed log collector. Parameter maps provide a means of performing actions on the traffic that reaches a firewall and a global parameter map applies to the entire firewall session table. Perform this task to enable high-speed logging for global parameter maps.
1. enable
2. configure terminal
3. parameter-map type inspect global
4. log dropped-packets
5. log flow-export v9 udp destination ip-address port-number
6. log flow-export template timeout-rate seconds
7. end
DETAILED STEPSEnabling High-Speed Logging for Firewall Actions
SUMMARY STEPSPerform this task enable high-speed logging if you have configured inspect-type parameter maps. Parameter maps specify inspection behavior for the firewall and inspection parameter-maps for the firewall are configured as the inspect type.
1. enable
2. configure terminal
3. parameter-map type inspect parameter-map-name
4. audit-trail on
5. alert on
6. one-minute {low number-of-connections | high number-of-connections}
7. tcp max-incomplete host threshold
8. exit
9. policy-map type inspect policy-map-name
10. class type inspect class-map-name
11. inspect parameter-map-name
12. end
DETAILED STEPSConfiguration Examples for Firewall High-Speed Logging
Example: Enabling High-Speed Logging for Global Parameter Maps
The following example shows how to enable logging of dropped packets, and to log error messages in NetFlow Version 9 format to an external IP address:
Device# configure terminal Device(config)# parameter-map type inspect global Device(config-profile)# log dropped-packets Device(config-profile)# log flow-export v9 udp destination 10.0.2.0 5000 Device(config-profile)# log flow-export template timeout-rate 5000 Device(config-profile)# endExample: Enabling High-Speed Logging for Firewall Actions
The following example shows how to configure high-speed logging (HSL) for inspect-type parameter-map parameter-map-hsl.
Device# configure terminal Device(config)# parameter-map type inspect parameter-map-hsl Device(config-profile)# audit trail on Device(config-profile)# alert on Device(config-profile)# one-minute high 10000 Device(config-profile)# tcp max-incomplete host 100 Device(config-profile)# exit Device(config)# poliy-map type inspect policy-map-hsl Device(config-pmap)# class type inspect class-map-tcp Device(config-pmap-c)# inspect parameter-map-hsl Device(config-pmap-c)# endAdditional References for Firewall High-Speed Logging
Technical Assistance
Description
Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.
Feature Information for Firewall High-Speed Logging
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 3 Feature Information for Firewall High-Speed Logging Feature Name
Releases
Feature Information
Firewall High-Speed Logging
Cisco IOS XE Release 2.1
The Firewall High-Speed Logging Support feature introduces support for the firewall HSL using NetFlow Version 9 as the export format.
The following commands were introduced or modified: log dropped-packet, log flow-export v9 udp destination, log flow-export template timeout-rate, parameter-map type inspect global.