Firewall and NAT attack logs record the source IP address, destination IP
address, protocol, and attack type of any packet dropped because of an attack.
Prior to this release, these logs carried no port information.
With this feature, the source port and destination port of the dropped packet
are included in the logs. Port information matters when you write access rules
to allow or block specific traffic: without it, a rule derived from an attack
log can only match on addresses and protocol, not on the service being hit.
Following are some important points to be considered:
- Firewall and NAT attack logs were previously emitted at INFO/DEBUG level. At
  that level a large volume of logs is generated even for normal traffic, so
  the attack logs could not be separated from ordinary session logs. To
  segregate them, the attack logs are moved to the WARNING level.
- The source port and destination port are logged as part of the Firewall/NAT
  attack logs.
- Both IPv4 and IPv6 traffic are supported.
- Source and destination ports are meaningful only for TCP and UDP. For other
  protocols (ICMP, for example) the ports are logged as zero; do not treat that
  zero as a real port when deriving access rules from the logs.
Previous Behavior: The attack logs did not carry any port information and were
emitted at INFO/DEBUG level.
New Behavior: With this feature, the firewall and NAT attack log level has been
changed from INFO/DEBUG to WARNING for event IDs 96188, 96995, 96186, 96185,
96159, and 96203. Source port and destination port information is now
displayed in the attack logs.
Impact on Customer: The attack logs are per-packet logs emitted at WARNING
level. If you enable WARNING-and-above logging for the Firewall (NAT)
facility, every dropped packet during an attack produces a log entry, so the
log rate during an attack is very high. Size the logging destination, and any
rate limiting or aggregation in front of it, with that per-packet volume in
mind.
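As an added example, not part of this release note and not the vendor's code: a small Python consumer that turns the per-packet WARNING attack logs into per-flow counts, so the new port fields can feed access rules while the high per-packet rate is collapsed into a summary. The line layout (a syslog prefix followed by key=value pairs), the field names, and the sample lines are constructed for this example; the event IDs and the port-is-zero rule for non-TCP/UDP protocols come from the note. The parser reports no port at all for non-TCP/UDP records instead of passing through port 0, accepts IPv4 and bracketed IPv6 endpoints, and ignores lines that are not attack events.

```python
"""Collapse per-packet firewall/NAT attack logs into per-flow summaries.

Added example for the release note above; not vendor code.  The log line
layout (syslog prefix, then key=value pairs) is an assumption made so the
example runs offline.  The event IDs and the "ports are zero for non-TCP/UDP"
behaviour come from the note itself.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Attack event IDs named in the release note.
ATTACK_EVENT_IDS = {96188, 96995, 96186, 96185, 96159, 96203}
# Only these protocols carry real port numbers; others are logged as port 0.
PORTED_PROTOCOLS = {"TCP", "UDP"}

_KV = re.compile(r"(\w+)=(\S+)")                 # assumed key=value tokens
_V6_ENDPOINT = re.compile(r"^\[(.+)\]:(\d+)$")   # e.g. [2001:db8::1]:53

# Constructed sample lines in the assumed format (not captured from a device).
SAMPLE_LOGS = """\
<4>Jun 12 10:00:01 fw1 FIREWALL: level=WARNING event=96188 proto=TCP src=203.0.113.5:44321 dst=198.51.100.10:22 action=drop
<4>Jun 12 10:00:01 fw1 FIREWALL: level=WARNING event=96188 proto=TCP src=203.0.113.5:44322 dst=198.51.100.10:22 action=drop
<4>Jun 12 10:00:02 fw1 NAT: level=WARNING event=96203 proto=UDP src=[2001:db8::9]:5353 dst=[2001:db8::1]:53 action=drop
<4>Jun 12 10:00:02 fw1 FIREWALL: level=WARNING event=96185 proto=ICMP src=203.0.113.7:0 dst=198.51.100.10:0 action=drop
<6>Jun 12 10:00:03 fw1 FIREWALL: level=INFO msg=session-open proto=TCP src=198.51.100.20:51000 dst=198.51.100.10:443 action=permit
"""


@dataclass(frozen=True)
class AttackRecord:
    level: str
    event_id: int
    proto: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]   # None when the protocol has no ports
    dst_port: Optional[int]


def _split_endpoint(text: str) -> Tuple[str, int]:
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) and validate the address."""
    m = _V6_ENDPOINT.match(text)
    if m:
        host, port = m.group(1), m.group(2)
    else:
        host, port = text.rsplit(":", 1)
    return str(ipaddress.ip_address(host)), int(port)


def parse_attack_log(line: str) -> Optional[AttackRecord]:
    """Return an AttackRecord for an attack event line, or None for anything else."""
    fields = dict(_KV.findall(line))
    try:
        event_id = int(fields["event"])
        if event_id not in ATTACK_EVENT_IDS:
            return None
        proto = fields["proto"].upper()
        src_ip, src_port = _split_endpoint(fields["src"])
        dst_ip, dst_port = _split_endpoint(fields["dst"])
    except (KeyError, ValueError):
        # Missing keys, bad integers, or invalid addresses: not a usable record.
        return None
    if proto not in PORTED_PROTOCOLS:
        # The note logs port 0 here; report "no port" so rules never match on 0.
        src_port = dst_port = None
    return AttackRecord(fields.get("level", "UNKNOWN"), event_id, proto,
                        src_ip, dst_ip, src_port, dst_port)


def summarize(lines: Iterable[str]) -> List[Tuple[tuple, int]]:
    """Collapse per-packet logs into (src_ip, dst_ip, proto, dst_port) drop counts."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_attack_log(line)
        if rec is not None:
            counts[(rec.src_ip, rec.dst_ip, rec.proto, rec.dst_port)] += 1
    return counts.most_common()


def access_rule_hint(key: tuple, drops: int) -> str:
    """Render a summary row in a generic, vendor-neutral deny-rule shape."""
    src_ip, dst_ip, proto, dst_port = key
    port_clause = f"dport {dst_port}" if dst_port is not None else "(no ports for this protocol)"
    return f"deny {proto.lower()} {src_ip} -> {dst_ip} {port_clause}  # {drops} drops"


if __name__ == "__main__":
    for key, drops in summarize(SAMPLE_LOGS.splitlines()):
        print(access_rule_hint(key, drops))
```

Run as a script, the two TCP drops against port 22 collapse into one row, the IPv6 UDP drop keeps its port 53, and the ICMP row is rendered without a port rather than with a misleading port 0. Feeding a real device's logs through this requires replacing the assumed key=value parsing with the actual message format.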