[fw-wiz] Not getting all our denied logs from Cisco FWSM

Jason Gervia jgervia at nc.rr.com
Wed Sep 6 22:05:35 EDT 2006

Kim Cary wrote:
> While we're slogging through the bureaucracy and shell game of our
> TAC case at Cisco, I thought I'd ask the list whether any of you have
> seen intermittent failures to send 106100 'denied' log entries from
> your FWSM. We're on 2.3(3). As it turns out, these entries are
> important to our operations and we're only getting about 10% of them.
> We don't seem to be able to get around the deny-flow-max default of  
> 4096. One would think that when those flows are exceeded, you would  
> just get the messages logged, wouldn't you? Am I missing something,  
> or is the firewall just throwing these away? We don't want it to do
> that!!
> I know Cisco is trying to not pass along a DOS here, but is there any  
> way to get them to STOP holding my hand and just send the logs?
> The really annoying thing is, we get 100% of our 'permitted' 106100,  
> so I guess if someone is DOS-ing an open port they can get our syslog  
> server 'dos-ed' too.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

That's truly annoying - Cisco makes a lot of presumptions, security-wise,
on how things 'should' work to be secure.

That being said - a quick review of the deny-flow-max says that it 
tracks those flows (4096 max) over the log interval specified in your 
access list, so really you should consider it as a deny-flow-max of 4096 
messages / 5 minutes (log interval 300), if you are using the defaults.  
In theory, you could squeeze some more 106100 messages out of your 
firewall by decreasing the log interval on your deny statements in your 
access-list - there's bound to be some dead time when the firewall is 
tracking the deny flow but no packets are hitting that flow and it's 
just taking a spot that could be cleared for tracking a different deny 
flow. I suppose, in theory, you could set the interval to 1 and get a 
deny message for almost every single packet, but I hesitate to guess 
what that would do to your firewall and your logging infrastructure.  :)

Let us know if Cisco comes up with anything for you on getting around 
the deny-flow-max of 4096. 

I hope this helps!
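The reply above reasons that deny-flow-max is really a budget of 4096 tracked flows per log interval, so shortening the interval on the deny ACEs frees slots sooner and lets more 106100 'denied' messages through. The toy model below is an added example (not code from this thread, and not Cisco's implementation) that makes that argument concrete: a cache of `deny_flow_max` slots, each held for `log_interval` seconds, fed the same constructed stream of distinct denied flows at two interval settings. The cache size of 8 and the one-flow-per-second stream are constructed for the demo; the defaults of 4096 and 300 come from the thread. Eviction-on-expiry, hit-count aggregation for already-cached flows, and unconditional logging of permitted packets are modelling assumptions, not a description of FWSM internals.

```python
"""Toy model of an ACL deny-flow cache limiting 106100 'denied' messages.

Added example for the firewall-wizards thread; not Cisco code.
Assumptions of the model (labelled, not FWSM internals):
  * a denied packet whose flow is not cached takes a free slot and emits
    one 106100 message; with no free slot, nothing is logged for it;
  * a cached flow keeps its slot for `log_interval` seconds from creation,
    then is evicted; further packets for it only bump a hit counter;
  * permitted packets are always logged, as the original poster observed.
"""
from collections import namedtuple
from dataclasses import dataclass

Packet = namedtuple("Packet", "t src dst dport permitted")


@dataclass
class Result:
    logged: int            # 106100 deny messages actually emitted
    aggregated: int        # denied packets folded into a cached flow's hit count
    unlogged: int          # denied packets silently dropped: every slot busy
    permitted_logged: int  # 106100 permit messages (never rate-limited here)


def simulate(packets, deny_flow_max=4096, log_interval=300):
    """Replay `packets` through the deny-flow cache and count what gets logged."""
    cache = {}  # flow key -> (created_at, hits)
    res = Result(0, 0, 0, 0)
    for p in sorted(packets, key=lambda q: q.t):
        # Free every slot whose log interval has elapsed before handling this packet.
        expired = [k for k, (created, _) in cache.items() if created + log_interval <= p.t]
        for k in expired:
            del cache[k]
        if p.permitted:
            res.permitted_logged += 1
            continue
        key = (p.src, p.dst, p.dport)
        if key in cache:
            created, hits = cache[key]
            cache[key] = (created, hits + 1)
            res.aggregated += 1
        elif len(cache) < deny_flow_max:
            cache[key] = (p.t, 1)
            res.logged += 1
        else:
            res.unlogged += 1
    return res


def flood(n_flows, seconds_apart=1):
    """Constructed stream: one brand-new denied flow every `seconds_apart` seconds."""
    return [Packet(t=i * seconds_apart, src=f"10.0.0.{i}", dst="192.0.2.10",
                   dport=22, permitted=False)
            for i in range(n_flows)]


def compare(packets, deny_flow_max, intervals):
    """Run the same stream at several log intervals to see how many denies get logged."""
    return {iv: simulate(packets, deny_flow_max, iv) for iv in intervals}


if __name__ == "__main__":
    stream = flood(30)
    for iv, r in compare(stream, deny_flow_max=8, intervals=(300, 10)).items():
        total = r.logged + r.aggregated + r.unlogged
        print(f"log interval {iv:>3}s: logged {r.logged}/{total} deny packets, "
              f"{r.unlogged} never logged")
```

With the defaults scaled down (8 slots instead of 4096), the 300-second interval logs only the first 8 of 30 distinct denied flows and silently drops the rest, while a 10-second interval logs 24 of them: slots are recycled three times within the same 30 seconds. The trade-off the reply warns about also shows up in the model: a shorter interval means more messages per second reaching syslog, which is exactly the amplification the original poster worries about for permitted traffic.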

