Using Management Center for Firewalls 1.3
Monitoring and Reporting

Table Of Contents

Monitoring and Reporting

Checklist for Monitoring Firewall Devices Using Security Monitor

Configuring Security Monitor to Listen for Syslog Messages

Specifying Log Settings for Firewall Devices

Enabling Logging on a Firewall Device

Defining Syslog Facility Settings

Directing Syslog Traffic to a Syslog Server

Disabling Syslog Traffic Directed at a Syslog Server

Refining the List of Generated Syslog Messages

Reassigning the Level of a Syslog Message

Enabling or Disabling a Syslog Message by ID

Generating Enhanced Audit Data for Firewall Rules

Configuring Rate Limit Level for a FWSM

Configuring the Rate Limit of Individual Syslog Messages for FWSM Devices

Deleting a Rate Limit for an Individual Syslog Message

Configuring Logging Level for Device-Level Monitoring

Retaining Audit Records of Administrative Events

Viewing Administrative Activity Reports

Saving Activity Reports as XML Files


Monitoring and Reporting


The monitoring and reporting functions are based on the ability to generate and review audit events. When using Firewall MC, you must consider two types of events:

Administrative—By recording the configuration changes made within Firewall MC and tying those records to a username and activity, you can provide a clear security audit trail. Specifically, Firewall MC generates and retains the administrative audit records. You can view activity reports using Firewall MC, manually export them as XML files, and specify how long such audit records should be retained.

Network activity—Auditing the flow of traffic across your firewall devices enables network activity reporting. These audit records enable you to understand your network usage and the adherence of your network users to the enforced security policy. However, before you can view the events in Event Viewer or generate network activity reports, you must specify the settings for logging and retaining audit records about events within the system or logged by a firewall device. After you specify and save these settings, you can receive customized network activity reports that present the types of audit information most useful to you.

Firewall MC provides part of the full audit functionality provided by VMS. Although it completely addresses administrative events, Firewall MC relies on Security Monitor to collect, retain, and categorize the network activity records. Firewall MC configures the devices to generate and publish the audit records, in the form of syslog records, to Security Monitor. Security Monitor processes and stores these records and provides the reporting features for network activity and usage statistics. Using Firewall MC and Security Monitor together provides a complete security solution for your firewall devices.

Topics to be discussed are:

Checklist for Monitoring Firewall Devices Using Security Monitor

Configuring Security Monitor to Listen for Syslog Messages

Specifying Log Settings for Firewall Devices

Refining the List of Generated Syslog Messages

Configuring Logging Level for Device-Level Monitoring

Retaining Audit Records of Administrative Events

Viewing Administrative Activity Reports

Checklist for Monitoring Firewall Devices Using Security Monitor

Auditing the flow of traffic across your firewall devices enables two other features, notifications and network activity reporting. However, before you can generate notifications or network activity reports, you must specify the settings for logging and retaining audit records about events within the system or logged by a firewall device.

After you specify and save these settings, you can use Security Monitor to review customized network activity reports that present the types of audit information most useful to you. In addition, you can view activity reports in Firewall MC as part of your security policy review process. If a firewall device allows console or Telnet administrative connections, you can also review syslog messages from a console or Telnet client connected directly to that device; prefer the console where possible, because Telnet carries the whole session, including credentials, in cleartext.

The following checklist outlines the tasks required for you to understand the decision-making process and basic flow required to define your audit event monitoring and logging settings. Each task might contain several steps; the tasks and steps should be performed in order. References to the specific procedures used to perform each task are included.

Task

1. Configure the Security Monitor to monitor the syslog stream of each firewall device.

The Security Monitor server in the VMS bundle collects the audit-event streams from one or more firewall devices and combines them into audit records that can be refined into more meaningful data. The data is collected and used for reports about network activity.

After you complete this task, the Security Monitor server is ready to receive all syslog streams from the firewall devices.

For more information, see Configuring Security Monitor to Listen for Syslog Messages.

2. Enable logging and specify the syslog settings that each firewall device must generate so that the selected audit events can be detected.

Before you can generate meaningful reports or notifications about the network activity of a firewall device, you must enable logging and select a facility and a suitable log level. The log level must be high enough to produce the syslog details needed to track the session-specific data and device-specific events you are interested in. Before you select it, decide which audit events Security Monitor should retain, then check the documentation for your firewall devices to determine the minimum log level that generates those events.

After you complete this task, the firewall devices generate the correct level of syslog messages so that the Security Monitor server can detect the audit events in which you have an interest.

For more information, see:

Specifying Log Settings for Firewall Devices.

Enabling Logging on a Firewall Device.

Defining Syslog Facility Settings.

Directing Syslog Traffic to a Syslog Server.

3. Refine the set and frequency of audit events that the firewall devices should generate.

Four methods exist for refining the list and frequency of audit events generated by a firewall device:

Reclassifying messages—For a specific syslog message ID, you can define a rule that overrides the message's default log level.

Disabling messages—For a specific syslog message ID, you can define a rule that disables the generation of that message by a firewall device.

Setting syslog by ACL—You can require that a firewall device generate a syslog message when an ACL entry matches a session request. This level of detail lets you study ACL use, for example how often a given rule denies sessions and whether the number of denied flows crosses a threshold.

Defining Thresholds—For a specific log level, you can specify threshold values for generating a syslog message.

After you complete this task, the firewall devices generate only those audit events and the detail that you are interested in.

For more information, see:

Refining the List of Generated Syslog Messages.

Reassigning the Level of a Syslog Message.

Enabling or Disabling a Syslog Message by ID.

Generating Enhanced Audit Data for Firewall Rules.

Configuring Rate Limit Level for a FWSM.

Configuring the Rate Limit of Individual Syslog Messages for FWSM Devices.

4. Save configuration settings and publish device-specific command sets to the firewall devices.

For your changes to take effect, you must generate the appropriate command sets, then deploy them to the necessary devices.

After you complete this task, the configuration is updated, the new command sets are deployed to the required devices, and the Security Monitor is listening for syslog traffic that originates from those devices.

For more information, see:

Generating and Verifying Configuration Files.

Deploying Configuration Files.


Configuring Security Monitor to Listen for Syslog Messages

Firewall devices communicate with Security Monitor through syslog messages. You do not have to add syslog devices, because Security Monitor accepts all syslog traffic that arrives on its UDP syslog port (514 by default). However, if you want the device name to appear in reports instead of the device IP address, add the device configuration to Security Monitor. Because UDP syslog is neither authenticated nor encrypted, any host that can reach that port can inject events and anyone on the path can read them; restrict which sources can reach the Security Monitor server, and treat the source address of a syslog message as an unverified claim.


Note This procedure is performed from the Security Monitor GUI.



Step 1 From the CiscoWorks Server desktop, select the VPN/Security Management Solution > Monitoring Center > Security Monitor.

Security Monitor starts and the Home Page is displayed.

Step 2 Click the Devices tab.

The Devices page appears.

Step 3 Click Add.

The Select Device Type page appears, listing the types of devices Security Monitor can monitor.

Step 4 Click the PIX/FWSM radio button, then click Next.

The Enter Device Information page appears.

Step 5 Enter the IP address of the firewall device interface that will publish syslog traffic to Security Monitor.

Step 6 If NAT is applied to the address, enter the NAT address.

Leave this field blank if NAT is not applied to the device address.

Step 7 Enter the name of the device you are adding.

You can use alphanumeric (U.S. English) characters and most keyboard characters in the Device Name field; however, spaces, commas (,), periods (.), carets (^), vertical bars (|), parentheses (()), and pound signs (#) are not allowed. Security Monitor performs error checking and notifies you if the device name contains special characters that are not allowed.

Step 8 Enter an optional comment about the device in the Description field. The comment cannot exceed 512 characters.

Step 9 Click Finish.

You return to the Devices page. The new device is added to the device list.


Specifying Log Settings for Firewall Devices

Syslog messages can be sent to Security Monitor as well as to third-party syslog servers. In either case, you must configure the logging settings of each firewall device on your network. To prepare a firewall device to generate syslog messages and direct them to a specific server, you must:

1. Enable logging on the firewall device.

2. Select the log facility and queue size.

3. Select the log level.

4. Identify at least one target syslog server and the protocol and port pair that it listens on.

Enabling Logging on a Firewall Device

Before a firewall device can generate syslog messages, you must enable logging for one or more interfaces. If the firewall device is part of a failover pair, you can also have the standby unit generate syslog messages, so that logging continues without a gap if failover occurs. However, this option roughly doubles the syslog traffic that the syslog server receives.


Step 1 Select Configuration > Device Settings > Logging > Logging Setup.

The Logging Setup page appears.

Step 2 Determine how to handle logging messages, then select the appropriate check box:

Enable logging setup—When selected, enables the transmission of syslog messages to all output locations.

Enable logging failover—When selected, the standby unit of a failover pair also sends syslog messages to the syslog server, so that logging continues if failover occurs. To enable this option, you must also select the Enable logging setup check box.

Step 3 Click Apply.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Step 4 Configure the syslog message. Do one of the following:

To add a row, click Add.

To edit a row, select the appropriate check box, then click Edit.

Step 5 Enter the ID of the syslog message whose log level you want to change.

This value must match a known syslog message ID (a six-digit integer) for the selected firewall device. For a complete list of the message IDs, see the product documentation for the software version on the firewall device.

Step 6 Select the logging level from the list.

Step 7 To enable or disable the syslog message for the firewall device, click the appropriate radio button.

Step 8 Click OK.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 16-1 describes the elements on the Logging Setup page.

Table 16-1 Logging Setup 

Element
Description

Inherit settings check box

When selected, the subgroup or devices at the current scope inherit the settings of the enclosing group. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable logging setup check box

When selected, enables transmission of syslog messages to all output locations.

Enable logging failover check box

When selected, the standby unit of a failover pair also sends syslog messages to the syslog server, so that logging continues if failover occurs.

Message ID

The six-digit ID of the syslog message whose log level or enabled state you want to change.

Logging Level

Identifies the log level at which the selected syslog message is generated. See Table 16-3 for logging levels and descriptions.

Note Default keeps the level that the firewall device assigns to the message.

Enable and Disable

Specifies whether the syslog message is enabled or disabled for the firewall device.


Defining Syslog Facility Settings

To generate meaningful reports about the network activity of a firewall device and to monitor the security events associated with that device, you must select the appropriate logging level. The logging level generates the syslog details required to track session-specific data. After you select a logging level, you can define a syslog rule that directs traffic to a third-party syslog server or Security Monitor.


Note Syslog messages can be sent to Security Monitor and third-party products.


Before You Begin

Enable logging. See Enabling Logging on a Firewall Device.


Step 1 Select Configuration > Device Settings > Logging > Syslog.

The Syslog page appears.

Step 2 Select the facility from the list. The facility is used by a host as the basis for filing messages. Default is LOCAL4(20).

Step 3 Select the logging level from the list. (See Table 16-3 for logging levels and descriptions.)

Step 4 Select the Enable attach timestamp check box to attach a timestamp to each saved syslog message.

Step 5 Enter the size of the log queue to store syslog messages on a firewall device when the syslog server is busy. Minimum is 1 message. Default is 512.


Note A zero value means an unlimited number of messages can be queued (subject to available block memory). However, we do not recommend this configuration.


Step 6 Select the Enable Syslog Device ID check box.

Step 7 Determine which syslog device ID type to use, then click the appropriate radio button.

If you selected Interface Name as your ID type, select the interface from the list. The list contains all interfaces defined at the current scope.

If you selected User-Defined ID as your ID type, enter a meaningful ID in the field provided.

Step 8 Click Apply.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Step 9 Configure a syslog rule in the table. Do one of the following:

To add a row, click Add.

To edit a row, select the appropriate check box, then click Edit.

Step 10 Select the interface from the list.

Step 11 Enter the IP address of the syslog server.

Step 12 Determine whether to use UDP or TCP, then click the appropriate radio button.

Step 13 Enter the port from which the firewall device sends either UDP or TCP syslog messages. The port must be the same port at which the syslog server listens.

TCP—1470 (Default). TCP syslog works only with a syslog server that supports the firewall device's TCP syslog mode.

UDP—514 (Default).

Step 14 Select the Log Messages in Cisco EMBLEM Format (UDP only) check box to log messages to a syslog server in Cisco EMBLEM format. EMBLEM syslog format is designed to be consistent with the Cisco IOS format and is more compatible with CiscoWorks management applications.

Step 15 Click OK.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 16-2 describes the elements on the Syslog page.

Table 16-2 Syslog 

Element
Description

Inherit settings check box

When selected, the subgroup or devices at the current scope inherit the settings of the enclosing group. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Facility

Syslog facility that the receiving host uses as the basis for filing messages. Values range from 16 to 23 (LOCAL0 through LOCAL7). Default is LOCAL4(20), which is what most UNIX systems expect. The list lets you choose the facility for the selected firewall device; the value is carried in every syslog message the device generates.

Syslog facility is useful when you have a central syslog monitoring system that needs to distinguish among the various network devices that generate syslog data streams.

Note Because all of your network devices share the same eight local facilities, you might need to change this value so that a central syslog server can separate this device's messages from those of other devices.

Level

Logging level of the messages to be sent to syslog servers. This setting directly affects the reports you can generate about network activity for a firewall device. We recommend that you select Information or Debugging to ensure that all report data is available. Note that Debugging also records FTP commands and requested HTTP URLs (see Table 16-3), which increases message volume considerably and places potentially sensitive data in the log stream.

See Table 16-3 for logging levels and descriptions.

Note The logging levels generated by the firewall device are an ordered list of recorded events; each subsequent logging level option includes all events generated by the previous logging level.

Enable Attach Timestamp check box

When selected, attaches timestamp to each saved syslog message.

Enable Syslog Device ID check box

When selected, attaches the specified device ID to each saved syslog message. You can specify the device ID as one of the following:

Hostname—Name of the selected node in the Object Selector.

Interface name—Name of the interface that generated the syslog message. These names are defined on the Interfaces page.

User-Defined ID—Unique name defined on the Syslog page that represents the device.

Log Queue Size
(0 = unlimited)

Specifies the size of the queue for storing syslog messages on firewall device when syslog server is busy. Minimum is 1 message. Default is 512.

Note A zero value means an unlimited number of messages can be queued (subject to available block memory).

Interface Name

Logical name of interface that accesses syslog server, for example, inside or outside.

Note If you are using a popup wizard, a list displays all interfaces defined at the current scope.

IP Address

Displays IP address of syslog server.

Protocol

Displays protocol used by syslog server.

TCP

UDP (Default)

Port

Port from which firewall device sends either UDP or TCP syslog messages. Must be the same port at which syslog server listens.

TCP—1470 (Default). TCP syslog works only with a syslog server that supports the firewall device's TCP syslog mode. With TCP, a firewall device that cannot reach its syslog server can stop accepting new connections until the server is reachable again; confirm this behavior for your software version and the server's availability before choosing TCP.

UDP—514 (Default).


Table 16-3 describes logging levels.

Table 16-3 Logging Levels 

Logging Level   Type            Description

0               Emergency       System unusable. Generates messages that identify system instabilities.

1               Alerts          Immediate action needed. Generates messages that identify system integrity issues that require immediate administrative action.

2               Critical        Critical condition. Generates messages that identify critical system issues.

3               Errors          Error condition. Generates messages that identify system errors during operation.

4               Warnings        Warning condition. Generates messages that identify system warnings, for example, a device that might be configured incorrectly.

5               Notifications   Normal but significant condition. Generates messages that identify normal operations that are typically considered significant events.

6               Information     Informational only. Generates messages that identify system information that is typical of day-to-day activity, such as network session records.

7               Debugging       Generates syslog messages that assist you in debugging, including the commands issued during FTP sessions and the URLs requested during HTTP sessions. Includes all emergency, alert, critical, error, warning, notification, and information messages.

-               Disabled        No logging.
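The following Python module is an added example, not code from Firewall MC or Security Monitor. It shows what a syslog collector has to do with the settings in Tables 16-2 and 16-3: decode the <PRI> header into the facility (LOCAL4 = 20 by default) and the severity, pull the six-digit message ID and the level digit out of the %PIX-level-ID: body, and apply the nesting rule from the Level entry, under which a message is sent only when its level is numerically at or below the configured level. The sample lines, the device ID fw-edge and the timestamp layout are constructed for the example; the message IDs 302013, 106023 and 106101 are assumed from the PIX syslog message list and should be confirmed against the documentation for your software version.

```python
"""Decode PIX/FWSM syslog lines the way a collector such as Security Monitor must.

Added example (not Firewall MC or Security Monitor code). The sample lines are
constructed; the facility and level names follow Tables 16-2 and 16-3.
"""
import re

# Table 16-2: facilities LOCAL0..LOCAL7 are numbered 16..23 (default LOCAL4 = 20).
FACILITY_NAMES = {n: f"LOCAL{n - 16}" for n in range(16, 24)}

# Table 16-3: logging levels; the lowest number is the most severe.
LEVEL_NAMES = {
    0: "Emergency", 1: "Alerts", 2: "Critical", 3: "Errors",
    4: "Warnings", 5: "Notifications", 6: "Information", 7: "Debugging",
}

# Syslog priority: PRI = facility * 8 + severity, carried as "<PRI>" at line start.
_PRI_RE = re.compile(r"^<(\d{1,3})>")
# Body: optional timestamp and device ID, then "%PIX-<level>-<six-digit ID>: text".
_BODY_RE = re.compile(
    r"(?P<prefix>.*?)%(?P<platform>PIX|FWSM)-(?P<level>\d)-(?P<msg_id>\d{6}):\s*(?P<text>.*)$"
)


def decode_pri(pri):
    """Split a PRI value into (facility number, severity number)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_pix_syslog(line):
    """Parse one syslog line into a dict; raise ValueError if it is not a PIX/FWSM message."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    facility, severity = decode_pri(int(m.group(1)))
    body = _BODY_RE.match(line[m.end():])
    if not body:
        raise ValueError("not a %PIX/%FWSM message")
    level = int(body.group("level"))
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": severity,
        "severity_name": LEVEL_NAMES[severity],
        "platform": body.group("platform"),
        "level": level,
        "msg_id": body.group("msg_id"),
        "prefix": body.group("prefix").strip(" :"),  # timestamp / device ID, if enabled
        "text": body.group("text"),
        # The level digit in the body should equal the PRI severity; a mismatch usually
        # means a relay rewrote the PRI, so the digit in the body is the one to trust.
        "consistent": level == severity,
    }


def passes_trap_level(msg_level, trap_level):
    """Table 16-3 ordering: a message is sent only if its level is at or above the
    configured level's severity, i.e. numerically <= trap_level (None = disabled)."""
    return trap_level is not None and msg_level <= trap_level


# Constructed sample stream: facility LOCAL4 (20), timestamp and device ID enabled.
SAMPLE_LINES = [
    "<166>Jan 10 2003 12:00:01: fw-edge : %PIX-6-302013: Built inbound TCP connection 1234 "
    "for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.0.0.10/80 (198.51.100.1/80)",
    "<164>Jan 10 2003 12:00:02: fw-edge : %PIX-4-106023: Deny tcp src outside:203.0.113.9/40000 "
    "dst inside:10.0.0.10/23 by access-group \"outside_in\"",
    "<161>Jan 10 2003 12:00:03: fw-edge : %PIX-1-106101: The number of ACL log deny-flows "
    "has reached limit (4096)",
]


def filter_stream(lines, trap_level):
    """Return the message IDs the device would actually send at the given trap level."""
    return [p["msg_id"] for p in map(parse_pix_syslog, lines)
            if passes_trap_level(p["level"], trap_level)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_pix_syslog(line)
        print(p["facility_name"], p["severity_name"], p["msg_id"], p["prefix"])
    print("sent at level 4 (Warnings):", filter_stream(SAMPLE_LINES, 4))
```

Run it against a capture of your own device's output first: if the prefix field comes back empty although you enabled the timestamp or device ID, the device is not emitting what the Syslog page claims, and reports built on device names will fall back to IP addresses.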


Directing Syslog Traffic to a Syslog Server

By directing syslog records generated by a firewall device to a syslog server such as Security Monitor, you can process and study the records.

Before You Begin

Enable logging. See Enabling Logging on a Firewall Device.


Step 1 Select Configuration > Device Settings > Logging > Syslog.

The Syslog page appears.

Step 2 Do one of the following:

To add a row, click Add.

To edit a row, select the check box for the row, then click Edit.

Step 3 Select the interface name from the list. The list displays all interfaces defined at the current scope.

Step 4 Enter the IP address of the syslog server.

Step 5 Determine whether to use UDP or TCP, then click the appropriate radio button.

Step 6 Enter the port from which the firewall device sends either UDP or TCP syslog messages. The port must be the same port at which the syslog server listens.

TCP—1470 (Default). TCP syslog works only with a syslog server that supports the firewall device's TCP syslog mode.

UDP—514 (Default).

Step 7 Click OK.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


See Table 16-2 for a description of the elements on the Syslog page.

Disabling Syslog Traffic Directed at a Syslog Server

Syslog servers typically listen for all syslog-based events arriving on a specific port. Thus, the best way to ensure that your syslog server is not processing unnecessary records is to prevent a firewall device from ever sending the events.


Step 1 Select Configuration > Device Settings > Logging > Syslog.

The Syslog page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall-device configuration files when the files are deployed.


See Table 16-2 for a description of the elements on the Syslog page.

Refining the List of Generated Syslog Messages

After you configure a firewall device to publish syslog messages, you can refine the list of syslog messages that the device generates. This refinement helps you to tune your security system and allows you to focus on the activities and events that you think are most important. You can tune the list of syslog messages in four ways:

Reassign the logging level of individual messages to reflect the priority you give them.

Disable syslog messages about expected or recurring activities on your network.

Refine audit events about network activity as it relates to your security policy by enabling logging on a per-ACL basis.

Define threshold values for how often a syslog message should be generated in response to the occurrence of a specific event.

Reassigning the Level of a Syslog Message

You can reassign the logging level with which a syslog message is associated. The logging level is associated with severity and helps categorize messages according to their purpose and content. This refinement helps you to ensure that you receive all messages generated by a firewall device that you think should be audited. Before the firewall device can generate any messages, you must enable logging and specify the logging level that should be generated. For more information, see Enabling Logging on a Firewall Device, and Defining Syslog Facility Settings.


Step 1 Select Configuration > Device Settings > Logging > Logging Setup.

The Logging Setup page appears.

Step 2 Determine how to handle logging messages, then select the appropriate check box:

Enable logging setup—When selected, enables the transmission of syslog messages to all output locations.

Enable logging failover—When selected, the standby unit of a failover pair also sends syslog messages to the syslog server, so that logging continues if failover occurs. To enable this option, you must also select the Enable logging setup check box.

Step 3 Click Apply.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.

Step 4 Configure the syslog message. Do one of the following:

To add a row, click Add.

To edit a row, select the appropriate check box, then click Edit.

Step 5 Enter the ID of the syslog message whose log level you want to change.

This value must match a known syslog message ID (a six-digit integer) for the selected firewall device. For a complete list of the message IDs, see the product documentation for the software version running on the firewall device.

Step 6 Select the logging level from the list. See Table 16-3 for logging levels and descriptions.

Step 7 To enable or disable the syslog message for the firewall device, click the appropriate radio button.

Step 8 Click OK.

The new status appears in the Enabled column in the Syslog Messages table. Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


See Table 16-1 for a description of the elements on the Logging Setup page.

Enabling or Disabling a Syslog Message by ID

When tuning your audit-event streams, you might find that you consistently and predictably receive a syslog message that identifies known and expected behavior on your network. In such cases, you can decide to tune out the message. When you disable a syslog message, it is disabled for all traffic that traverses the firewall device and for all system events that occur on it, so make sure that no report or notification you rely on depends on that message ID before you disable it.

In the same way, some syslog messages are disabled by default. To ensure that such messages are generated, enable them by message ID. The following procedure tells how to enable or disable a syslog message by ID.


Step 1 Select Configuration > Device Settings > Logging > Logging Setup.

The Logging Setup page appears.

Step 2 Do one of the following:

To add a row, click Add.

To edit a row, select the appropriate check box, then click Edit.

Step 3 Enter the ID of the syslog message whose log level or enabled state you want to change.

This value must match a known syslog message ID (a six-digit integer) for the selected firewall device. For a complete list of the message IDs, see the product documentation for the software version running on the firewall device.

Step 4 Select the logging level from the list. See Table 16-3 for logging levels and descriptions.

If you are disabling the rule, ignore this field.

Step 5 To enable or disable the syslog message for the firewall device, click the appropriate radio button.

Step 6 Click OK.

The new status appears in the Enabled column of the Syslog Messages table. Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


See Table 16-1 for a description of the elements on the Logging Setup page.

Generating Enhanced Audit Data for Firewall Rules

Each time a packet is denied by a firewall rule, the firewall device generates a syslog message identifying the ACL that denied the packet. However, you can enable the generation of additional details about each session or flow. These details include logging data about permitted packets and cumulative data about the number of times the flow was permitted or denied over a specified period of time. In addition, you can specify the level at which the ACL-based syslog message is generated.


Note The generation of an ACL-based syslog is determined by the log level setting assigned to the interface that enforces the ACL. For example, if the interface level is set to information and the ACL-based level is set to debug, then the ACL-based syslog is not generated.


Configuring the ACL-based syslog messages is a two-step process:

1. You must enable the use of ACL syslogs as described in the procedure. As part of this process, you also define the threshold for how often the flow is denied before issuing a special syslog message, which can be used to evaluate the possibility of denial of service (DoS) attacks.

2. You must specify the ACL syslog setting for a specific ACE in the Firewall Rule table. For more information, see Logging Events for an ACE, page 11-16.


Step 1 Select Configuration > Device Settings > Logging > ACL Syslog.

The ACL Syslog Settings page appears.

Step 2 Select the Enable ACL Syslog Settings check box.

Step 3 (Optional) To specify the maximum number of concurrent deny flows that can be created before the syslog message 106101 is generated, enter a value in the Deny Flow Max field.

If you do not specify a value, the default is used. The default depends on the specific firewall device hardware.

Step 4 To specify the period of time used for counting the number of denied flows, enter a value in the Alert Interval field.

This value identifies the acceptable boundary for reaching the Deny Flow Max value. When the time ends, the counter tracking denied flows is reset. If the counter reaches the maximum value before the time elapses, the syslog message is generated.

Step 5 Click Apply.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


You are now ready to specify the ACL syslog setting for firewall filter rules. For more information, see Logging Events for an ACE, page 11-16.

Table 16-4 describes the elements on the ACL Syslog Settings page.

Table 16-4 ACL Syslog Settings 

Element
Description

Inherit settings check box

When selected, the subgroup or devices at the current scope inherit the settings of the enclosing group. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable ACL Syslog Settings check box

When selected, the firewall device can provide additional information as part of the syslog messages generated when an ACL is triggered.

Deny Flow Max

Specifies the maximum number of concurrent deny flows that can be created. (Syslog message 106101 is generated when the firewall has reached the maximum number, n, of ACL deny flows.)

For a firewall with more than 64 MB of Flash memory, the value can be from 1-4096, with a default of 4096. For a firewall with more than 16 MB but not more than 64 MB of Flash memory, the value can be from 1-1024, with a default of 1024. For a firewall with 16 MB or less of Flash memory, the value can be from 1-256, with a default of 256.

Alert Interval

Specifies the interval of time, from 1-3600 seconds, for generating syslog message 106101, which alerts you that the firewall has reached a deny flow maximum. When the deny flow maximum is reached, another 106101 message is generated if the specified number of seconds has passed since the last 106101 message.

If you do not specify this option, the default is 300 seconds.
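The Deny Flow Max and Alert Interval settings above can be modeled as a small simulation. This is an added example, not Firewall MC or firewall code: it tracks deny flows keyed by (source, destination, protocol, port), stops tracking new flows at the limit, and records a 106101 message only when the alert interval has elapsed since the previous one. The defaults of 4096 and 300 seconds come from Table 16-4; the scenario in `simulate_burst` uses a deliberately small limit so the alert behaviour is visible.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, protocol, dst_port)


@dataclass
class DenyFlowTracker:
    """Simplified model of the ACL deny-flow limit (Table 16-4).
    Constructed for this example; not firewall or Firewall MC code."""
    deny_flow_max: int = 4096        # page default for more than 64 MB of Flash
    alert_interval: int = 300        # page default, in seconds
    flows: Set[Flow] = field(default_factory=set)
    last_alert: Optional[float] = None           # time of the last 106101
    alerts: List[float] = field(default_factory=list)  # times 106101 was generated

    def deny(self, now: float, flow: Flow) -> bool:
        """Record an ACL deny for `flow` at time `now`.

        Returns True when a new deny flow was tracked. At deny_flow_max the
        flow is not tracked and syslog 106101 is generated, but only if
        alert_interval seconds have passed since the previous 106101.
        """
        if flow in self.flows:
            return False                          # already tracked; nothing new
        if len(self.flows) < self.deny_flow_max:
            self.flows.add(flow)
            return True
        if self.last_alert is None or now - self.last_alert >= self.alert_interval:
            self.alerts.append(now)               # syslog 106101 emitted here
            self.last_alert = now
        return False

    def close(self, flow: Flow) -> None:
        """A tracked deny flow has expired, freeing a slot for a new one."""
        self.flows.discard(flow)


def simulate_burst(deny_flow_max: int = 3, alert_interval: int = 60) -> DenyFlowTracker:
    """Constructed scenario: six denied connection attempts from one source to
    six different ports, 10 s apart, against a device with a small Deny Flow Max."""
    tracker = DenyFlowTracker(deny_flow_max, alert_interval)
    for i in range(6):
        tracker.deny(now=10.0 * i, flow=("198.51.100.7", "10.1.1.5", "tcp", 20 + i))
    return tracker
```

With a limit of 3 and a 60-second interval, the fourth attempt at t=30 produces the only 106101 in the burst; the attempts at t=40 and t=50 are within the interval and produce no further message.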


Configuring Rate Limit Level for a FWSM

The rate limit level feature allows you to specify the maximum number of log messages of a particular type (for example, alert or critical) that should be generated within a given period of time. You can specify a limit for each logging level or syslog message ID. If a level limit and a message ID limit both apply to a message, the message ID limit takes precedence. To access this feature, select Configuration > Device Settings > Logging > Rate Limit Level.


Note Use this feature only when configuring Firewall Services Modules (FWSMs). A PIX Firewall does not recognize related commands.


Before You Begin

See if the Enforce/Mandate settings for children check box is grayed out. If yes, you cannot make any changes to the rate limit level.


Step 1 Select Configuration > Device Settings > Logging > Rate Limit Level.

The Rate Limit Level page appears.

Step 2 Click the Enable Rate Limit check box, then click Apply.

Step 3 To select a logging level, click the appropriate radio button, then click Edit.


Note If you are changing the values, you must deselect the Inherit Settings check box before you can enter changes.


Step 4 Enter the maximum number of messages that should be generated for the specified period of time. To generate an unlimited number of messages, leave the Number of Messages field blank.

Step 5 Enter the number of seconds before the counter should reset in the Time Interval (sec) field.

Step 6 Click OK.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 16-5 describes the elements on the Rate Limit Level page.

Table 16-5 Rate Limit Level 

Element
Description

Inherit settings check box

When selected, the subgroup or devices inherit the settings of the enclosing group to current scope. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enable Rate Limit check box

When selected, enables the FWSM to begin limiting the number of messages of a given type that are being generated for a given period of time.

Logging Level

The syslog logging level for which you are specifying the rate limit.

Number of Messages

Number of messages of the specified type allowed in the specified time period.

Time (seconds)

Number of seconds before the rate limit counter resets.


Configuring the Rate Limit of Individual Syslog Messages for FWSM Devices

You can use the Rate Limit for Individual Syslog Messages feature to specify the maximum number of log messages of a particular type that should be generated within a given period of time. A limit can be specified for each logging level or syslog message ID. If a level limit and a message ID limit both apply to a message, the message ID limit takes precedence. To access this feature, select Configuration > Device Settings > Logging > Rate Limit Message.


Note Use this feature only when configuring Firewall Services Modules (FWSMs). A PIX Firewall does not recognize related commands.

Rate limit message settings override rate limit level settings.


Before You Begin

See if the Enforce/Mandate settings for children check box is grayed out. If yes, you cannot make any changes to the rate limit message.


Step 1 Select Configuration > Device Settings > Logging > Rate Limit Message.

The Rate Limit Message page appears.


Note If you are changing the values, you must deselect the Inherit Settings check box before you can enter changes.


Step 2 Do one of the following:

To add a rate limit for a syslog message, click Add.

To edit a rate limit for a syslog message, click the check box for the message, then click Edit.

Step 3 Enter the identification number of the syslog message for which to configure rate limits.

Step 4 Enter the maximum number of messages to generate for the specified period of time.

Step 5 Enter the number of seconds before the counter should reset in the Time Interval (sec) field.

Step 6 Click OK.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 16-6 describes the elements on the Rate Limit Message page.

Table 16-6 Rate Limit Message 

Element
Description

Inherit settings check box

When selected, the subgroup or devices inherit the settings of the enclosing group to current scope. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

(Syslog) Message ID

Identification number of the syslog message for which you are specifying a rate limit.

Number of Messages

Number of messages of the specified type allowed in the specified time period.

Time (seconds)

Number of seconds before the rate limit counter resets.
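The interaction between the Rate Limit Level and Rate Limit Message settings (a per-level cap, a per-message-ID cap, and the counter reset after the time interval) can be modeled on sample log lines. This is an added example, not FWSM or Firewall MC code; it assumes the `%FWSM-<severity>-<message ID>:` header at the start of each line, and the sample lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Standard syslog severities (0 = emergencies ... 7 = debugging)
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# Assumed line format: "%FWSM-<severity>-<6-digit message id>: text"
HEADER = re.compile(r"%FWSM-(\d)-(\d{6}):")


class SyslogRateLimiter:
    """Model of FWSM rate limiting; a limit is (number of messages, seconds).
    Constructed for this example; not FWSM or Firewall MC code."""

    def __init__(self, level_limits: Dict[str, Tuple[int, int]],
                 message_limits: Dict[int, Tuple[int, int]]):
        self.level_limits = {LEVELS[n]: lim for n, lim in level_limits.items()}
        self.message_limits = message_limits
        self.windows: Dict[tuple, List[float]] = {}   # key -> [window start, count]
        self.suppressed = 0

    def _limit_for(self, severity: int, msg_id: int):
        if msg_id in self.message_limits:       # message limit overrides level limit
            return ("message", msg_id), self.message_limits[msg_id]
        if severity in self.level_limits:
            return ("level", severity), self.level_limits[severity]
        return None, None                        # no limit configured: unlimited

    def allow(self, now: float, line: str) -> bool:
        """Return True if `line`, generated at time `now`, is emitted."""
        m = HEADER.search(line)
        if not m:
            return True
        key, limit = self._limit_for(int(m.group(1)), int(m.group(2)))
        if key is None:
            return True
        max_msgs, interval = limit
        start, count = self.windows.get(key, [now, 0])
        if now - start >= interval:              # interval elapsed: counter resets
            start, count = now, 0
        emitted = count < max_msgs
        self.windows[key] = [start, count + 1 if emitted else count]
        self.suppressed += 0 if emitted else 1
        return emitted


def run_sample() -> Tuple[List[bool], int]:
    # Constructed: 2 warnings / 10 s, 5 alerts / 10 s, but 106101 capped at 1 / 10 s
    rl = SyslogRateLimiter({"warnings": (2, 10), "alerts": (5, 10)}, {106101: (1, 10)})
    lines = [  # (seconds, constructed syslog line)
        (0, "%FWSM-4-106023: Deny tcp src outside:198.51.100.7/4123 dst inside:10.1.1.5/23"),
        (1, "%FWSM-4-106023: Deny tcp src outside:198.51.100.7/4124 dst inside:10.1.1.5/25"),
        (2, "%FWSM-4-106023: Deny tcp src outside:198.51.100.7/4125 dst inside:10.1.1.5/80"),
        (3, "%FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096)."),
        (4, "%FWSM-1-106101: The number of ACL log deny-flows has reached limit (4096)."),
        (12, "%FWSM-4-106023: Deny tcp src outside:198.51.100.7/4126 dst inside:10.1.1.5/22"),
    ]
    return [rl.allow(t, line) for t, line in lines], rl.suppressed
```

The second 106101 at t=4 is suppressed even though the alerts level would still allow it, and the warning at t=12 is emitted because the 10-second window for level 4 has reset.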


Deleting a Rate Limit for an Individual Syslog Message


Step 1 Select Configuration > Device Settings > Logging > Rate Limit Message.

The Rate Limit Message page appears.

Step 2 Select the check box for the row, then click Delete.

You are prompted to confirm the delete request.

Step 3 Click OK.

The row is removed from the table, and the information is removed from the assigned firewall-device configuration files when the files are deployed.


Configuring Logging Level for Device-Level Monitoring

The Logging Level feature allows you to specify the logging level for messages directed to Telnet sessions, the device console, and the internal buffer.

Before You Begin

See if the Enforce/Mandate settings for children check box is grayed out. If yes, you cannot make any changes to the logging level.

You must enable logging to use this feature. See Enabling Logging on a Firewall Device.


Step 1 Select Configuration > Device Settings > Logging > Logging Level.

The Logging Level page appears.

Step 2 Select logging levels for the console, Telnet, and internal buffer from each list. See Table 16-3 for logging levels and descriptions.

Step 3 Click Apply.

Changes are applied to the assigned firewall-device configuration files when the files are generated. The configuration files are then downloaded to the firewall devices at deployment.


Table 16-7 describes the elements on the Logging Level page.

Table 16-7 Logging Level 

Element
Description

Inherit settings check box

When selected, the subgroup or devices inherit the settings of the enclosing group to current scope. To override a default setting, deselect the check box and specify other values. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Enforce/Mandate settings for children check box

When selected, settings are at a group level and are inherited by the enclosed subgroups and devices. Mandatory settings cannot be changed by a subgroup or device. See What Is Inheritance?.

Note A grayed-out check box disallows changes at the current scope.

Console Level list

Logging level used to send syslog messages to the device console. See Table 16-3 for logging levels and their descriptions.

Note The logging levels generated by the firewall device are an ordered list of recorded events; each following logging level option includes all events generated by the previous logging level.

Telnet Level list

Logging level used to send syslog messages to all Telnet sessions connected to the firewall device. See Table 16-3 for logging levels and descriptions.

Internal Buffer Level list

Logging level used to send syslog messages to the internal buffer for later review. See Table 16-3 for logging levels and descriptions.


Retaining Audit Records of Administrative Events

The Maintenance option allows you to purge, or delete, records about activities and jobs that are not in progress. These records provide an audit trail that shows who performed which operations from Firewall MC.

If you have approved or discarded an activity or deployed a job, then you can purge the records generated by Firewall MC.


Note Do not confuse "approved activities" with the Require Activity Approval check box on the Admin > Workflow Setup page. If you do not require formal approval, activities are approved as part of the submit step.


You can purge records manually (Purge Now) or specify how long such records should be retained. To prevent the database from growing too large, all records older than the specified number of days are purged automatically.

All eligible activity and job records are evaluated at midnight (on the CiscoWorks Server) and when you click Purge Now. Any record that is older than the specified number of days is purged at that time. Use 0 days and Purge Now to purge all records.


Tip To purge records manually, enter temporary values on this page, then click Purge Now. Unless you click Apply, the values are not saved; instead, they are used only for this transaction.



Step 1 Select Admin > Maintenance.

The Maintenance page appears.

Step 2 In the Purge approved/discarded activities older than: field, enter the number of days to retain the records for approved and discarded activities. Enter a value from 0 to 2,147,483,647 days in the corresponding field. Default is 30.

Step 3 In the Purge deployed jobs older than: field, enter the number of days to retain the records for deployed jobs. Values are from 0-2,147,483,647 days. Default is 30.

Step 4 Do one of the following:

To immediately purge records older than values you entered, click Purge Now.

To save these values and use them to evaluate records every day at midnight, click Apply.


Table 16-8 describes the elements on the Maintenance page.

Table 16-8 Maintenance

Element
Description

Purge approved/discarded activities older than: days

Number of days to retain activity lists in the database. Minimum is 0 days; maximum is 2,147,483,647 days. Default is 30.

Purge deployed jobs older than: days

Number of days to retain job lists in the database. Minimum is 0 days; maximum is 2,147,483,647 days. Default is 30.

Purge Now button

Clicking Purge Now immediately purges any records older than the values specified.


Viewing Administrative Activity Reports

From the Reports tab, you can view reports about actions that administrators have taken within an activity. The Activity report provides three types of information, which appear in separate views:

Basic Information—Activity name and any comments from the person who created the activity.

State Changes—A history table that shows the date and time that the action occurred, the action that occurred, and who performed the action. It also contains any comments entered during the activity. For example, one user imported a configuration on 1/Jan/2003 19:09:17 CST, and another user submitted the activity for approval on 3/Jan/2003 17:13:15 CST.

Policy Changes—A two-level menu structure view that shows which actions were taken and what devices and groups were acted upon. It also identifies the policy changes made as part of that activity. For example, under Devices > Importing Devices, a new device named FirewallX was added to the Global > RegionA > FWSM group, two new groups were defined, and a new device was imported to a specific group, as shown:

Devices > Importing Devices 
       Device Added: Global > RegionA > FWSM > FirewallX 

All audit records about an activity are listed in reverse order; the last action is at the top of the report area. However, actions that are undone within the same activity are not recorded. For example, in an activity, an object group is created and deleted, and the activity is approved. In this case, because the object group did not exist before or after the activity, it does not appear in the activity report. An activity report shows only the differences between the state before the activity is created and the state after the activity is approved.

For more information about the actions recorded in activity reports, see Understanding Activity Actions.

Use activity reports when you want to:

Review the changes made as part of the activity.

Review the changes made to an activity before you submit the activity for approval.

Review the changes made before you submit the activity for job deployment.


Step 1 Select Reports > Activity.

The Activity page appears.

Step 2 Select the activity for which you want to view a report, then click View.

The activity report is displayed in a popup window.

Step 3 Close the window after you view its contents.


Table 16-9 describes the elements on the Activity page.

Table 16-9 Activity 

Element
Description

Activity

Name of activity.

Last Action Date

Date last action occurred on the activity.

Current State

State of activity, for example, Edit_Open.

Note To review activity states, see Understanding Activity Actions.

Who

Name of user who performed last action on activity.

Last Action Comments

Comments assigned to last action performed on activity.

View button

Displays the activity report in a secondary window in a simplified HTML format.

Save XML button

Allows you to save the activity report as an XML file for future evaluation or archival purposes.


Saving Activity Reports as XML Files

Within Firewall MC, you can save an activity report as an XML file for integration into other audit management systems or processing with third-party tools. Currently, this feature is available only with administrative activity reports.


Step 1 Select Reports > Activity.

The Activity page appears.

Step 2 Select the activity report that you want to save as an XML file.

Step 3 Click Save XML.

A popup window prompts you to select the directory in which to save the file.

Step 4 In the Directory field, enter the path or click Browse to find the path.

Step 5 Click OK.

A status window tells you that the file was saved successfully.

Step 6 Close the window after you view its contents.


See Table 16-9 for a description of the elements on the Activity page.