This article applies to:
- Security Reporting Center 2.0
- Security Reporting Center 2.1
- Firewall Suite 4.1x
Question:
How is the protocol determined in a Cisco Pix firewall log file?
Symptoms:
- Cisco PIX log file does not indicate which port number is the protocol.
- Cisco PIX log file does not indicate which end of the connection is the 'server'.
Causes:
Cisco PIX has an unusual log file format. The format does not indicate which end of the connection is the 'server'.
Nearly all firewalls log information in the following way.
TCP src=x.x.x.x/7777 dest=y.y.y.y/8888
It is obvious that the 'server' is at IP y.y.y.y and the protocol is port 8888. However, the firewall does not tell you which end of the connection is 'behind the firewall'. The user must configure this.
However, Cisco PIX has a different method of logging, as shown below.
TCP behind-firewall=x.x.x.x/7777 outside-firewall=y.y.y.y/8888
In PIX terms, behind-firewall is marked laddr, and outside-firewall is marked faddr. So, the Cisco PIX log file does not indicate which end of the connection is the 'server'. The log file also does not indicate which port number is the protocol. All that is known is which end is 'behind the firewall'.
Procedure:
To overcome this issue with Cisco PIX, the analysis engine of Firewall Suite and Security Reporting Center uses the following technique.
To determine the protocol, the parsing engine must make an 'educated guess', using the following algorithm.
- If
laddr port is less than 1024, use that as the protocol (implies 'incoming' traffic).
- Else, if
faddr port is less than 1024, use that as the protocol (implies 'outgoing' traffic).
- Else, check the 'Protocol List' as configured by the user.
- Else, use the
faddr port as the protocol (assume outgoing).
- This article was previously published as:
- NETIQKB13941
