Table of Contents

Monitoring and Reporting

The monitoring and reporting functions are based on the ability to generate and review audit events. When using Firewall MC, you must consider two types of events:

Firewall MC provides part of the full audit functionality provided by VMS. Although Firewall MC completely addresses administrative events, it relies on Security Monitor to collect, retain, and categorize the network activity records. Firewall MC configures the devices to generate and publish the audit records, in the form of syslog records, to Security Monitor. However, Security Monitor processes and stores these records and provides the reporting features for network activity and usage statistics. Using Firewall MC and Security Monitor together provides a complete security solution for your firewall devices.

Checklist for Monitoring Firewall Devices Using Security Monitor

Auditing the flow of traffic across your firewall devices enables two other features, notifications and network activity reporting. However, before you can generate notifications or network activity reports, you must specify the settings for logging and retaining audit records about events within the system or logged by a firewall device.

After you specify and save these settings, you can use Security Monitor to review customized network activity reports that present the types of audit information most useful to you. In addition, you can view activity reports in Firewall MC as part of your security policy review process. If the firewall devices is configured to allow Telnet or console administrative connections, you can also review syslog message from a console or Telnet client connected directly to a firewall device.

The following checklist outlines the steps required to understand the decision-making process and basic flow required to define your audit event monitoring and logging settings. Each step might contain several substeps; the steps and substeps should be performed in order. References to the specific procedures used to perform each step are included.

Within VMS, the Security Monitor server collects audit event streams from one or more firewall devices and combines them into audit records. Security Monitor combines these audit event streams into audit records that can be refined into more meaningful data. This data is collected and used for administrative reports about network activity.

Result: The Security Monitor server is prepared to receive all Syslog streams from the firewall devices.

For more information, see Configuring Security Monitor to Listen for Syslog Messages.

Step 2   Enable logging and specify the syslog settings that each firewall device must generate so that the selected audit events can be detected.

Before you can generate meaningful reports or notifications about the network activity of a firewall device, you must enable logging and select a facility and suitable log level. This log level must be the one that generates the syslog details required for tracking session-specific data and device-specific events that you are interested in. To select this log level, first study the audit events that you want Security Monitor to retain. Then, study the documentation provided with your firewall devices to determine the minimum log level required to generate those audit events.

Result: The firewall devices generate the correct level of syslog messages so that the audit events you are interested in can be detected by the Security Monitor server.

For more information, see the following references:

Step 3   Refine the set and frequency of audit events that the firewall devices should generate.

Four methods exist for refining the list and frequency of audit events generated by a firewall device:

Result: The firewall devices generate only those audit events and the detail that you are interested in.

For more information, see:

Step 4   Save configuration settings and publish device-specific command sets to the firewall devices.

For the changes that you made to take effect, you must generate the appropriate command sets and then publish those command sets to the necessary devices.

Result: The configuration is updated, the new command sets are published to the required devices, and the Security Monitor is listening for syslog traffic that originates from those devices.

For more information, see the following references:

Configuring Security Monitor to Listen for Syslog Messages

Firewall devices use syslog messages to communicate with Security Monitor. You do not have to add syslog devices because Security Monitor monitors all syslog traffic on the UDP port. However, if you want the syslog device name to appear in reports (instead of the device IP address), add the device configuration to Security Monitor.

Note   This procedure is performed from the Security Monitor GUI.

Security Monitor starts and the Home Page is displayed.

Step 2   Click the Devices tab.

Step 3   Click Add at the bottom of the Devices page.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 4   Click the PIX/FWSM radio button, then click Next.

The Enter Device Information page appears.

Step 5   In the IP Address field, enter the IP address of the firewall device interface that will publish syslog traffic to Security Monitor.

Step 6   If NAT is applied to the address, enter the NAT address in the NAT Address field.

Leave this field blank if NAT is not applied to the device address.

Step 7   In the Device Name field, enter the name of the device you are adding.

You can use alphanumeric characters and most keyboard characters in the Device Name field. Spaces, commas, periods, carats (^), vertical bars, parentheses, and pound signs are not allowed. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 8   You can enter any comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 9   Click Finish.

The page closes, and the device is added to the device list on the Devices page.

Specifying Log Settings for Firewall Devices

Syslog messages can be sent to the Security Monitor tool as well as to third-party syslog servers. To use third-party syslog servers, you must configure the logging settings associated with each firewall device on your network.To prepare a firewall device to generate the syslog messages and direct them to a specific server, you must do the following:

1. Enable logging on the firewall device.

2. Select the log facility and queue size.

3. Select the log level.

4. Identify at least one target syslog server and the protocol and port pair that it listens on.

Enabling Logging on a Firewall Device

Before a firewall device can generate syslog messages, you must enable logging for one or more interfaces. In addition to enabling logging, if you configured your firewall device in a failover pair, you can specify that the standby firewall device should generate syslog messages as well. You can enable the device to ensure that the standby unit's syslog messages stay synchronized if failover occurs. However, this option results in twice as much traffic on the syslog server.

The Logging Setup page appears.

Step 2   Determine how you want to handle logging messages, then select the appropriate check box.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Logging Setup Field-Level Elements and Descriptions

Defining Syslog Facility Settings

To generate meaningful reports about the network activity of a firewall device and to monitor the security events associated with that device, you must select the appropriate logging level that generates the syslog details required to track session-specific data. Once a logging level is selected, you can to define a syslog rule that directs traffic to a 3rd-party syslog server or to Security Monitor.

Note   Syslog messages can be sent to the Security Monitor and third-party products.

Before You Begin

The Syslog page appears.

Step 2   Select the facility from the list. The facility is used by a host as the basis for filing messages. Default is LOCAL4(20).

Step 3   Select the logging level from the list. (See Syslog Field-Level Elements and Descriptions for information on logging level.)

Step 4   Select the enable attach timestamp check box to attach a timestamp to each syslog message saved.

Step 5   Enter the size of the log queue to store syslog messages on a firewall device when the syslog server is busy. Minimum is 1 message. Default is 512.

---

Note    A zero value means an unlimited number of messages can be queued (subject to available block memory). However, we do not recommend this configuration.

---

Step 6   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Syslog Field-Level Elements and Descriptions

Directing Syslog Traffic to a Syslog Server

Before You Begin

Enable logging. See the "Enabling Logging on a Firewall Device" section.

The Syslog page appears.

Step 2   Do one of the following:

Step 3   Select the interface name from the list. The list displays all interfaces defined at the current scope.

Step 4   Enter the IP address.

Step 5   Select the protocol (UDP, TCP) by clicking the respective radio button.

Step 6   Enter the number of the port from which the firewall device sends either UDP or TCP syslog messages for the selected protocol. This must be the same port at which the syslog server listens.

Step 7   Click Next.

The Syslog summary page appears. Settings enabled during the configuration process are displayed as true in the summary page.

Step 8   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Disabling Syslog Traffic Directed at a Syslog Server

The Syslog page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.

Refining the List of Generated Syslog Messages

After you configure a firewall device to publish syslog message, you can refine the list of syslog messages that are generated by the device. This refinement helps you to tune your security system and allows you to focus on the activities and events that you think are most important. You can tune the list of syslog messages in four ways:

Reassigning the Level of a Syslog Message

You can reassign the logging level that a syslog message is associated with. The logging level is associated with severity and helps categorize messages according to their purpose and content. This refinement helps you to ensure that you receive all messages generated by a firewall device that you think should be audited. Before the firewall device can generate any messages, you must enable logging and specify the logging level that should be generated. For more information, see Enabling Logging on a Firewall Device and Defining Syslog Facility Settings.

The Logging Setup page appears.

Step 2   Click Add.

The Enter Syslog Message page appears.

Step 3   In the Message ID field, enter the ID of the syslog message for which you want to change the logging level.

This value must match a known syslog message ID (a six-digit integer) for the selected firewall device. For a complete list of the message IDs, see the product documentation for the software version running on the firewall device.

Step 4   In the Logging Level box, select the new level that you want to use for the message.

Step 5   Verify the Enable radio button is selected, then click Next.

The Summary page appears.

Step 6   Click Finish.

The new rule appears in the Syslog Messages table.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Enabling or Disabling a Syslog Message by ID

When tuning your audit event streams, you might find that you consistently and predictably receive a syslog message that identifies known and expected behavior on your network. In such cases, you could decide to tune out the message. When you disable a syslog message, it is disabled for all traffic streams that traverse or system events that occur at the firewall device.

Likewise, the default generation state of some syslog message may be disabled. To ensure that messages are generated, you can enable them by message ID. The following procedure details how to enable or disable a syslog message by ID.

The Logging Setup page appears.

Step 2   Click Add.

The Enter Syslog Message page appears.

Step 3   In the Message ID field, enter the ID of the syslog message to enable or disable.

This value must match a known syslog message ID (a six-digit integer) for the selected firewall device. For a complete list of the message IDs, see the product documentation for the software version running on the firewall device.

Step 4   Verify that desired logging level is selected in the Logging Level box.

If you are disabling the rule, ignore this field.

Step 5   To make the change, click the Enable or Disable radio button, then click Next.

The Summary page appears.

Step 6   Click Finish.

The new status appears in Enabled column of the Syslog Messages table.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Generating Enhanced Audit Data for Firewall Rules

Each time a packet is denied by a firewall rule, the firewall device generates a syslog message identifying the ACL that denied the packet. However, you can enable the generation of additional details about each session or flow. These details include logging data about permitted packets and cumulative data about the number of times the flow was permitted or denied over a specified period of time. In addition, you can specify the level at which the ACL-based syslog message is generated.

Note   The generation of an ACL-based syslog is determined by the log level setting assigned to the interface that enforces the ACL. For example, if the interface level is set to information and the ACL-based level is set to debug, then the ACL-based syslog is not generated.

Configuring the ACL-based syslog messages is a two-step process:

1. You must enable the use of ACL syslogs, as described in the procedure.the syslog ACL option. As part of this process, you also define the threshold for how often the flow is denied before issuing a special syslog message, which can be used to evaluate the possibility of denial of service (DoS) attacks.

2. You must specify the ACL syslog setting for a specific ACE in the Firewall Rule table. For more information, see Logging Events for an ACE.

The ACL Syslog Settings page appears.

Step 2   Select the Enable ACL Syslog Settings check box.

Step 3   (optional) To specify the maximum number of concurrent deny flows that can be created before the syslog message 106101 is generated, enter a value in the Deny Flow Max field.

This value is optional. If you do not specify a value, leaving the field empty, the default value is used. The actual default value depends on the specific firewall device hardware.

Step 4   To specify the period of time used for counting the number of denied flows, enter a value in the Alert Interval field.

This value identifies the acceptable boundary for reaching the Deny Flow Max value. When the period of time expires, the counter tracking denied flows is reset. If the counter reaches the max value before the time elapses, the syslog message is generated.

Step 5   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

You are now ready to specify the ACL syslog setting for firewall filter rules. For more information, see Logging Events for an ACE.

ACL Syslog Settings Field-Level Elements and Descriptions

Configuring Rate Limit Level for a FWSM

The rate limit level feature allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID. If the settings differ, syslog message ID limits are recognized. To access this feature, select Configuration > Device Settings > Logging > Rate Limit Level.

Note   Use this feature only when configuring Firewall Services Modules (FWSMs). A PIX Firewall does not recognize related commands.

The Rate Limit Level page appears.

Step 2   Select a logging level by clicking the radio button, then click Edit.

The Rate Limit for Syslog Logging Levels page for the selected logging level appears.

Step 3   Enter the maximum number of messages that should be generated for the specified period of time in the Number of Messages field. To generate an unlimited number of messages, leave the Number of Messages field blank.

Step 4   Enter the number of seconds before the counter should reset in the Time Interval (sec) field.

Step 5   Click Next.

The rate limit summary page appears. Settings enabled during configuration are displayed as true in the summary page.

Step 6   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Rate Limit Level Field-Level Elements and Descriptions

Configuring Rate Limit of Individual Syslog Messages for FWSM devices

You can use the Rate Limit for Individual Syslog Messages feature to specify the maximum number of log messages of a particular type that should be generated within a given period of time. A limit can be specified for each logging level or syslog message ID. If the settings differ, syslog message ID limits are recognized.To access this feature, select Configuration > Device Settings > Logging > Rate Limit Message.

Note

• Use this feature only when configuring Firewall Services Modules (FWSMs). A PIX Firewall does not recognize related commands.

The Rate Limit Message page appears.

Step 2   Do one of the following:

The Individually Rate Limited Syslog Messages page appears.

The Individually Rate Limited Syslog Messages page for the selected message appears.

Step 3   Enter the identification number of the syslog message for which to configure rate limits.

Step 4   Enter the maximum number of messages to generate for the specified period of time in the Number of Messages field.

Step 5   Enter the number of seconds before the counter should reset in the Time Interval (sec) field.

Step 6   Click Next.

The rate limit message summary page appears. Settings enabled during the configuration process are displayed as true in the summary page.

Step 7   Verify the information is correct, then click Finish.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Rate Limit Message Field-Level Elements and Descriptions

Deleting a Rate Limit for an Individual Syslog Message

The Rate Limit Message page appears.

Step 2   Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3   Click OK.

The row is removed from the table, and the information is removed from the assigned firewall device configuration files when the files are deployed.

Configuring Logging Level for Device-Level Monitoring

The Logging Level feature allows you to the logging level for messages directed to Telnet sessions, the device console, and the internal buffer. To access this feature, select Configuration > Device Settings > Logging Level.

Before You Begin

You must enable logging to use this feature. See Enabling Logging on a Firewall Device.

The Logging Level page appears.

Step 2   Select logging levels for the console, Telnet, and internal buffer using the list for each. See Logging Level Field-Level Elements and Descriptions for information on console levels.

Step 3   Click Apply.

Changes are applied to the assigned firewall device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Logging Level Field-Level Elements and Descriptions

Retaining Audit Records of Administrative Events

The Maintenance option allows you to purge, or delete, records about activities and jobs that are not in progress. These records provide an audit trail that shows who performed which operations from Firewall MC.

If you have approved or discarded an activity or deployed a job, then you can purge the records generated by Firewall MC.

Note   Do not be confused between "approved activities" and the Require Activity Approval check box on the Admin > Workflow Setup page. If you do not need a formal approval, the activities are approved formally during the submit step.

You can purge records manually (Purge Now) or specify how long such records should be retained. To prevent the database from growing too large, all records older than the specified number of days are purged automatically.

All eligible activity and job records are evaluated at midnight (on the CiscoWorks Server) and when you click Purge Now. Any record that is older than the specified number of days is purged at that time. Use 0 days and Purge Now to purge all records.

Tip To purge records manually, enter temporary values on this page, then click Purge Now. Unless you click Apply, the values are not saved; instead, they are used only for this transaction.

The Maintenance page appears.

Step 2   In the Purge approved/discarded activities older than: field, enter the number of days to retain the records for approved and discarded activities, then enter a value from 0 to 2,147,483,647 days in the corresponding field. Default is 30.

Step 3   In the Purge deployed jobs older than: field, enter the number of days to retain the records for deployed jobs. Values are from 0-2,147,483,647 days. Default is 30.

Step 4   Do one of the following:

Maintenance Field-Level Elements and Descriptions

Viewing Administrative Activity Reports

From the Reports tab, you can view reports about actions that administrators have taken within an activity. The Activity report provides three types of information, which appear in separate views:

All audit records about an activity are listed in reverse order; the last action is at the top of the report area. However, actions that are undone within the same activity are not recorded. For example, in an activity, an object group is created and deleted, and the activity is approved. In this case, because the object group did not exist before or after the activity, it does not appear in the activity report. An activity report shows only the differences between the state before the activity is created and the state after the activity is approved.

For more information about the actions recorded in activity reports, see Understanding Activity Actions and States.

Use activity reports when you want to:

The Activity page appears.

Step 2   Select the activity for which you want to view a report.

Step 3   Click View. The activity report is displayed in a popup window.

Step 4   Close the window after you view its contents.

Saving Activity Reports as XML Files

Within Firewall MC, you can save an activity report as an XML file for integration into other audit management systems or processing with third-party tools. Currently, this feature is available only with administrative activity reports.

The Activity page appears.

Step 2   Select the activity report that you want to save as an XML file.

Step 3   Click Save XML.

A popup window prompts you to select the directory in which to save the file.

Step 4   In the Directory field, enter the path or click Browse to find the path.

Step 5   Click OK.

A status window tells you that the file was saved successfully.

Step 6   Close the window after you view its contents

Activity Page Columns and Descriptions