Report data is missing when Cisco Pix log files are analyzed.


This article applies to:

  • Security Reporting Center 2.1
  • WebTrends Firewall Suite 4.1c
  • Cisco Pix

Symptoms:

  • Report data is missing when Cisco Pix log files are analyzed.

Changes Made:

The interface names have been changed from the default settings in Cisco Pix log files.

Causes:

With the introduction of Cisco Pix 6.2, users gained the ability to change the interface names to any custom value. If the interface name is changed to a custom value, however, Firewall Suite and Security Reporting Center are unable to determine the activity type of the log file entry when it is analyzed. Specifically, there is no indication of whether the log file entry represents incoming or outgoing activity.

A Cisco Pix 6.2 log file sample is provided below. The interface name is the text immediately preceding the colon in each address (inside and outside in this sample).

WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 3 for outside:127.0.0.1/80 (64.28.67.114/80) to inside:1.1.1.1/1026 (172.16.0.200/1026)
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 4 for outside:127.0.0.1/80 (64.28.67.57/80) to inside:1.1.1.1/1026 (172.16.0.200/1027)
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/443 to outside:1.1.1.1/1026
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-302013: Built outbound TCP connection 5 for outside:127.0.0.1/443 (64.28.67.57/80) to inside:1.1.1.1/1026 (172.16.0.200/1028)
WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>%PIX-6-305011: Built dynamic TCP translation from inside:127.0.0.1/1111 to outside:1.1.1.1/1026
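
An added example, not part of the original article or of either product: a short Python check that scans PIX syslog lines for interface names that have no inside/outside mapping, which are the names that would need to be added under Cisco Pix Interfaces. The sample lines, the custom names corp-lan and dmz, and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Interface name -> side. Only the PIX default names are mapped at first.
DEFAULT_INTERFACES = {"inside": "inside", "outside": "outside"}

MSG_ID = re.compile(r"%PIX-\d-(\d+):")
# interface:ip/port endpoint, e.g. inside:172.16.0.200/1026
ENDPOINT = re.compile(r"\b([A-Za-z][\w-]*):(\d{1,3}(?:\.\d{1,3}){3})/(\d+)")


def endpoint_sides(line, interfaces=DEFAULT_INTERFACES):
    """Return [(interface_name, side_or_None)] for each endpoint in a line."""
    return [(name, interfaces.get(name))
            for name, _ip, _port in ENDPOINT.findall(line)]


def unmapped_interfaces(lines, interfaces=DEFAULT_INTERFACES):
    """Count PIX log entries per interface name that has no configured side."""
    missing = Counter()
    for line in lines:
        if not MSG_ID.search(line):
            continue  # not a PIX message
        sides = endpoint_sides(line, interfaces)
        # Count each unmapped name once per log entry.
        for name in {n for n, side in sides if side is None}:
            missing[name] += 1
    return missing


# Constructed sample in the article's log format. corp-lan and dmz are
# hypothetical custom interface names; addresses are documentation ranges.
PREFIX = "WTsyslog[2002-04-04 10:20:35 ip=10.0.0.1 pri=6] <166>"
SAMPLE = [
    PREFIX + "%PIX-6-305011: Built dynamic TCP translation from "
             "inside:172.16.0.200/1026 to outside:192.0.2.10/1026",
    PREFIX + "%PIX-6-305011: Built dynamic TCP translation from "
             "corp-lan:172.16.0.201/1027 to outside:192.0.2.10/1027",
    PREFIX + "%PIX-6-302013: Built outbound TCP connection 4 for "
             "outside:198.51.100.7/80 (198.51.100.7/80) to "
             "corp-lan:172.16.0.201/1027 (192.0.2.10/1027)",
    PREFIX + "%PIX-6-302013: Built outbound TCP connection 5 for "
             "dmz:198.51.100.9/443 (198.51.100.9/443) to "
             "inside:172.16.0.200/1028 (192.0.2.10/1028)",
]

if __name__ == "__main__":
    for name, count in unmapped_interfaces(SAMPLE).most_common():
        print(f"{name}: {count} entries cannot be classified as inside or outside")
```

Running the check again with the custom names added to the mapping should report nothing, which confirms every interface in the log has a side assigned.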

Reply:

For Firewall Suite and Security Reporting Center to analyze these new interfaces, follow the steps below:

WebTrends Firewall Suite:

  1. Click Tools | Options.

  2. Select General Firewall Activity | Cisco Pix Interfaces.

  3. Click New.

  4. Enter the name of your custom interface and click OK.

  5. Repeat steps 3-4 for every custom interface name you have defined on the firewall.

  6. Click OK to return to the main console.

Note:  If you are using the FastTrends database (enabled by default) and have already run a report against the log files, then the FastTrends database must be deleted after adding your custom interface names.  You can delete the FastTrends database by accessing Tools | FastTrends maintenance.


Security Reporting Center:

  1. Click Firewall (or Proxy) Reporting | Options.

  2. Click Cisco Pix Interfaces.

  3. Click Add New Interface.

  4. Replace the 'new interface' text with the custom interface name that you have configured.

  5. Select the type of traffic the new interface represents (inside or outside).

  6. Click Done.

  7. Repeat steps 3-6 for every custom interface name you have defined on the firewall.

  8. Click Save.

Notes:

These options are available only in Firewall Suite 4.1c and Security Reporting Center 2.1 or later. 

This article was previously published as:
NETIQKB5548

Last Modified 4/10/2006.
https://support.trustwave.com/kb/KnowledgebaseArticle10689.aspx