You can watch for network attacks and investigate network problems using system messages and debug commands.
Interpreting Syslog and Console Messages Generated by CBAC
CBAC provides syslog messages, console alert messages, and
audit-trail messages. These messages are useful because they can
alert you to network attacks, and because they provide an audit
trail that provides details about sessions inspected by CBAC.
Audit-trail and alert information is configurable on a
per-application basis using the CBAC inspection rules.
The following types of messages can be generated by CBAC:
Denial-of-Service Messages
CBAC detects and blocks DoS attacks and notifies you when DoS
attacks occur. Error messages such as the following may indicate
that DoS attacks have occurred:
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
When %FW-4-ALERT_ON and %FW-4-ALERT_OFF error messages appear together, each "aggressive/calming" pair of messages indicates a separate attack. The previous example shows one attack.
Error messages such as the following may indicate that a DoS attack
has occurred on a specific TCP host:
%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 172.21.127.242.
%FW-4-BLOCK_HOST: Blocking new TCP connections to host 172.21.127.242 for 2 minutes (half-open count 50 exceeded)
%FW-4-UNBLOCK_HOST: New TCP connections to host 172.21.127.242 no longer blocked
SMTP Messages
CBAC detects and blocks SMTP attacks (illegal SMTP commands) and
notifies you when SMTP attacks occur. Error messages such as the
following may indicate that an SMTP attack has occurred:
%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (192.168.12.3:52419)
Java Blocking Messages
CBAC detects and selectively blocks Java applets and notifies you
when a Java applet has been blocked. Error messages such as the
following may indicate that a Java applet has been blocked:
%FW-4-HTTP_JAVA_BLOCK: JAVA applet is blocked from (172.21.127.218:80) to (172.16.57.30:44673).
FTP Messages
CBAC detects and prevents certain FTP attacks and notifies you
when this occurs. Error messages such as the following may appear
when CBAC detects these FTP attacks:
%FW-3-FTP_PRIV_PORT: Privileged port 1000 used in PORT command -- FTP client 10.0.0.1 FTP server 10.1.0.1
%FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the session is authenticated -- FTP client 10.0.0.1
%FW-3-FTP_NON_MATCHING_IP_ADDR: Non-matching address 172.19.148.154 used in PORT command -- FTP client 172.19.54.143 FTP server 172.16.127.242
Audit-Trail Messages
CBAC provides audit-trail messages to record details about
inspected sessions. Audit-trail information is configurable on a
per-application basis using the CBAC inspection rules. To determine
which protocol was inspected, use the responder's port number. The
port number follows the responder's address. The following are
sample audit-trail messages:
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: http session initiator (172.16.57.30:44673) sent 1599 bytes -- responder (172.21.127.218:80) sent 93124 bytes
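The DoS alert pairs and the audit-trail format described above can be parsed mechanically. The following Python is an added example, not part of the Cisco documentation: it counts separate attacks from ALERT_ON/ALERT_OFF pairs, tracks hosts that are currently blocked, and identifies the inspected protocol from the responder's port, run over a constructed log modelled on the messages shown on this page.

```python
import re

# Constructed sample log, modelled on the CBAC message formats shown above.
SAMPLE_LOG = """\
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 172.21.127.242.
%FW-4-BLOCK_HOST: Blocking new TCP connections to host 172.21.127.242 for 2 minutes (half-open count 50 exceeded)
%FW-4-UNBLOCK_HOST: New TCP connections to host 172.21.127.242 no longer blocked
%FW-4-BLOCK_HOST: Blocking new TCP connections to host 10.1.0.1 for 2 minutes (half-open count 50 exceeded)
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: http session initiator (172.16.57.30:44673) sent 1599 bytes -- responder (172.21.127.218:80) sent 93124 bytes
"""

ALERT_RE = re.compile(r"%FW-4-ALERT_(ON|OFF): .* count \((\d+)/(\d+)\) current 1-min rate: (\d+)")
BLOCK_RE = re.compile(r"%FW-4-(BLOCK_HOST|UNBLOCK_HOST): .*?host (\d+\.\d+\.\d+\.\d+)")
AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (\w+) session initiator \(([\d.]+):(\d+)\) sent (\d+) bytes"
    r" -- responder \(([\d.]+):(\d+)\) sent (\d+) bytes"
)
# Responder ports for the protocols whose messages this page covers (assumed mapping).
PORT_TO_PROTOCOL = {21: "ftp", 25: "smtp", 80: "http"}

def summarize_cbac(log_text):
    """Return the number of separate DoS attacks (one per ALERT_ON/ALERT_OFF pair),
    the hosts still blocked at the end of the log, and the parsed audit-trail sessions."""
    attacks, in_attack, blocked, sessions = 0, False, set(), []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            if m.group(1) == "ON" and not in_attack:
                in_attack = True          # attack begins
            elif m.group(1) == "OFF" and in_attack:
                in_attack, attacks = False, attacks + 1  # pair closed: one attack
            continue
        m = BLOCK_RE.search(line)
        if m:
            (blocked.add if m.group(1) == "BLOCK_HOST" else blocked.discard)(m.group(2))
            continue
        m = AUDIT_RE.search(line)
        if m:
            rport = int(m.group(6))
            sessions.append({"inspected": m.group(1),
                             "initiator": (m.group(2), int(m.group(3))),
                             "responder": (m.group(5), rport),
                             "protocol": PORT_TO_PROTOCOL.get(rport, "unknown"),
                             "initiator_bytes": int(m.group(4)),
                             "responder_bytes": int(m.group(7))})
    return {"dos_attacks": attacks, "blocked_hosts": blocked, "sessions": sessions}
```

Note that the first audit-trail line is labelled only "tcp session", so it is the responder port (25) rather than the label that tells you SMTP was inspected.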
Debugging CBAC
To assist CBAC debugging, you can turn on audit-trail messages
that will be displayed on the console after each CBAC session
closes. Audit-trail information is configurable on a per-application
basis using the CBAC inspection rules. To turn on audit-trail
messages, use the global configuration command in Figure .
If required, you can also use the
In most situations, turning off CBAC has no negative security
impact because CBAC creates "permit" access lists. Without
CBAC configured, no "permit" access lists are maintained.
Therefore, no derived traffic (returning traffic or traffic from the
data channels) can go through the firewall. The exception is SMTP
and Java blocking. With CBAC turned off, unacceptable SMTP commands
or Java applets may go through the firewall.