10.8 Context-Based Access Control
10.8.9 Monitoring and maintaining CBAC
You can watch for network attacks and investigate network problems using system messages and debug commands.

Interpreting Syslog and Console Messages Generated by CBAC

CBAC provides syslog messages, console alert messages, and audit-trail messages. These messages are useful because they can alert you to network attacks, and because they provide an audit trail that provides details about sessions inspected by CBAC. Audit-trail and alert information is configurable on a per-application basis using the CBAC inspection rules.

The following types of messages can be generated by CBAC:

Denial-of-Service Messages

CBAC detects and blocks DoS attacks and notifies you when DoS attacks occur. Error messages such as the following may indicate that DoS attacks have occurred:

%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0

When %FW-4-ALERT_ON and %FW-4-ALERT_OFF error messages appear together, each "aggressive/calming" pair of messages indicates a separate attack. The preceding example shows a single attack.
Error messages such as the following may indicate that a DoS attack has occurred on a specific TCP host:

%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 172.21.127.242.
%FW-4-BLOCK_HOST: Blocking new TCP connections to host 172.21.127.242 for 2 minutes (half-open count 50 exceeded)
%FW-4-UNBLOCK_HOST: New TCP connections to host 172.21.127.242 no longer blocked

SMTP Messages

CBAC detects and blocks SMTP attacks (illegal SMTP commands) and notifies you when SMTP attacks occur. Error messages such as the following may indicate that an SMTP attack has occurred:

%FW-4-SMTP_INVALID_COMMAND: Invalid SMTP command from initiator (192.168.12.3:52419)

Java Blocking Messages

CBAC detects and selectively blocks Java applets and notifies you when a Java applet has been blocked. Error messages such as the following may indicate that a Java applet has been blocked:

%FW-4-HTTP_JAVA_BLOCK: JAVA applet is blocked from (172.21.127.218:80) to (172.16.57.30:44673).

FTP Messages

CBAC detects and prevents certain FTP attacks and notifies you when this occurs. Error messages such as the following may appear when CBAC detects these FTP attacks:

%FW-3-FTP_PRIV_PORT: Privileged port 1000 used in PORT command -- FTP client 10.0.0.1 FTP server 10.1.0.1
%FW-3-FTP_SESSION_NOT_AUTHENTICATED: Command issued before the session is authenticated -- FTP client 10.0.0.1
%FW-3-FTP_NON_MATCHING_IP_ADDR: Non-matching address 172.19.148.154 used in PORT command -- FTP client 172.19.54.143 FTP server 172.16.127.242

Audit-Trail Messages

CBAC provides audit-trail messages to record details about inspected sessions. Audit-trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the responder's port number. The port number follows the responder's address. The following are sample audit-trail messages:

%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: http session initiator (172.16.57.30:44673) sent 1599 bytes -- responder (172.21.127.218:80) sent 93124 bytes
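As an added example (not part of the original module or of Cisco IOS), the following Python parser applies the rules from the DoS and audit-trail passages above to constructed sample lines modelled on the message formats shown in this section: it counts each ALERT_ON/ALERT_OFF pair as a separate attack, records the HOST_TCP_ALERT_ON / BLOCK_HOST / UNBLOCK_HOST sequence per host, and reads the inspected protocol off the responder's port. The PORT_PROTOCOL map is an assumption based on well-known ports.

```python
import re

# Constructed sample lines, modelled on the CBAC message formats shown in this section.
SAMPLE_LOG = """\
%FW-4-ALERT_ON: getting aggressive, count (550/500) current 1-min rate: 250
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
%FW-4-HOST_TCP_ALERT_ON: Max tcp half-open connections (50) exceeded for host 172.21.127.242.
%FW-4-BLOCK_HOST: Blocking new TCP connections to host 172.21.127.242 for 2 minutes (half-open count 50 exceeded)
%FW-4-UNBLOCK_HOST: New TCP connections to host 172.21.127.242 no longer blocked
%FW-6-SESS_AUDIT_TRAIL: tcp session initiator (192.168.1.13:33192) sent 22 bytes -- responder (192.168.129.11:25) sent 208 bytes
%FW-6-SESS_AUDIT_TRAIL: http session initiator (172.16.57.30:44673) sent 1599 bytes -- responder (172.21.127.218:80) sent 93124 bytes
%FW-4-ALERT_ON: getting aggressive, count (600/500) current 1-min rate: 300
%FW-4-ALERT_OFF: calming down, count (0/400) current 1-min rate: 0
"""

AUDIT_RE = re.compile(
    r"%FW-6-SESS_AUDIT_TRAIL: (?P<proto>\w+) session initiator "
    r"\((?P<iaddr>[\d.]+):(?P<iport>\d+)\) sent (?P<ibytes>\d+) bytes -- "
    r"responder \((?P<raddr>[\d.]+):(?P<rport>\d+)\) sent (?P<rbytes>\d+) bytes")
HOST_RE = re.compile(r"%FW-4-(?P<kind>HOST_TCP_ALERT_ON|BLOCK_HOST|UNBLOCK_HOST): .*?host (?P<host>\d+(?:\.\d+){3})")
# Assumed well-known-port map; our shorthand for "use the responder's port to find the inspected protocol".
PORT_PROTOCOL = {21: "ftp", 25: "smtp", 80: "http"}

def count_dos_attacks(lines):
    """Each ALERT_ON followed by an ALERT_OFF is one separate attack; an unmatched ALERT_ON is not counted."""
    attacks, aggressive = 0, False
    for line in lines:
        if "%FW-4-ALERT_ON" in line:
            aggressive = True
        elif "%FW-4-ALERT_OFF" in line and aggressive:
            attacks += 1
            aggressive = False
    return attacks

def host_block_events(lines):
    """Map each host named in a half-open alert/block/unblock message to its event sequence, in log order."""
    events = {}
    for m in filter(None, map(HOST_RE.search, lines)):
        events.setdefault(m["host"], []).append(m["kind"])
    return events

def parse_audit_trail(lines):
    """Extract inspected sessions; protocol_by_port applies the responder-port rule from the text."""
    sessions = []
    for m in filter(None, map(AUDIT_RE.search, lines)):
        rport = int(m["rport"])
        sessions.append({"proto": m["proto"], "initiator": (m["iaddr"], int(m["iport"])),
                         "responder": (m["raddr"], rport), "initiator_bytes": int(m["ibytes"]),
                         "responder_bytes": int(m["rbytes"]), "protocol_by_port": PORT_PROTOCOL.get(rport, "unknown")})
    return sessions
```

Feed `SAMPLE_LOG.splitlines()` (or lines read from a syslog collector) to the three functions; the sample yields two attacks, one blocked host, and two sessions whose responder ports resolve to smtp and http.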

Debugging CBAC

To assist CBAC debugging, you can turn on audit-trail messages that will be displayed on the console after each CBAC session closes. Audit-trail information is configurable on a per-application basis using the CBAC inspection rules. To turn on audit-trail messages, use the global configuration command in Figure .

If required, you can also use the CBAC debug commands listed in this section. (Debugging can be turned off for each of the commands in this section by using the no form of the command. To disable all debugging, use the privileged EXEC commands no debug all or undebug all.)

The available debug commands are listed in the following categories:

  • Generic debug commands
  • Transport-level debug commands
  • Application protocol debug commands

Generic Debug Commands

You can use the following generic debug commands, entered in privileged EXEC mode in Figure .

Transport-Level Debug Commands

You can use the following transport-level debug commands, entered in privileged EXEC mode in Figure .

Application Protocol Debug Commands

You can use the following application protocol debug command, entered in privileged EXEC mode in Figure .

Figure identifies application protocol keywords for the debug ip inspect command.

Turning Off CBAC

You can turn off CBAC with the no ip inspect global configuration command.

Note: The no ip inspect command removes all CBAC configuration entries and resets all CBAC global timeouts and thresholds to the defaults. All existing sessions are deleted and their associated access lists removed.

In most situations, turning off CBAC has no negative security impact because CBAC creates "permit" access lists. Without CBAC configured, no "permit" access lists are maintained. Therefore, no derived traffic (returning traffic or traffic from the data channels) can go through the firewall. The exception is SMTP and Java blocking. With CBAC turned off, unacceptable SMTP commands or Java applets may go through the firewall.