CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hi CPUsers, maybe a bit odd, but one of our customers got the following requirement due to a security certification. Simply put: if the firewall cannot send its logs to the CLM it has to stop forwarding traffic. cplogd uses tcp/257, so it should be possible to detect that logs are not delivered to the log server. I know about the possibility to check disk space but this is not sufficient. Any ideas, experience, or maybe OPSEC products available? :-) Any help appreciated, regards gnjb
Not sure if you are using distributed or stand-alone, so here goes:

Stand-alone: There is an option on the firewall that allows you to stop logging when free disk space reaches a certain threshold. If you edit your firewall object it's under "Logs & Masters". Then there is another one that rejects all connections when logs can't be saved.

Distributed: The same as stand-alone, but not sure what happens on the Management server. I know the firewall will log locally if it can't reach the SmartCenter server, but not sure what happens if the SmartCenter server is out of disk space. Someone will surely clarify.

Edit: Forgot to say, there are ways to automate log rotation and archiving that will pretty much guarantee you won't run out of disk space 99% of the time; you should also use that to lower the likelihood of stopping all traffic, which won't make you popular with the business.
It is a Provider-1 setup with a Customer Log Module for each customer. When the CLM is not reachable it logs to the CMA. But as I said, I was searching for a solution to stop all TRAFFIC if logging is not possible... not only logging. BTW, I know this is not really a good idea.... regards, gnjb
Perhaps write a script that checks if src=customer_srcFW_IP to dst=clm or dst=CMA is 'established' in netstat -anop. If not established for 3 intervals, say with intervals being 60 seconds, then kick off a SAM rule that blocks all but control connections. If SAM rules had some 'negate' feature it actually might not be too bad; otherwise I'm not sure off hand. GL, Ryan
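A sketch of the watchdog Ryan describes, added here as an example and not code from the thread or from Check Point: it reads netstat output, looks for an ESTABLISHED session to the CLM on tcp/257, counts consecutive misses, and calls an enforcement hook after three. CLM_IP, the canned netstat lines and the hook body are assumptions; the hook only reports, since the real SAM action depends on the site's policy.

```shell
#!/bin/sh
# Log-link watchdog (constructed example, not a Check Point tool): poll
# netstat for an ESTABLISHED session to the CLM on tcp/257 (cplogd), count
# consecutive misses, and call an enforcement hook after THRESHOLD misses.
# CLM_IP, the canned netstat lines and the hook body are assumptions.

CLM_IP="${CLM_IP:-192.0.2.10}"   # placeholder log server address
LOG_PORT=257                      # cplogd port named in the thread
THRESHOLD=3                       # consecutive failed intervals before acting
INTERVAL=60                       # seconds between checks

# Return 0 if the netstat -an text in $1 shows an ESTABLISHED tcp session
# whose foreign address is CLM_IP:LOG_PORT; 1 otherwise. Linux column order:
# proto recv-q send-q local foreign state (extra -p columns come after).
log_link_up() {
    printf '%s\n' "$1" | awk -v peer="$CLM_IP:$LOG_PORT" \
        '$1 ~ /^tcp/ && $5 == peer && $6 == "ESTABLISHED" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Print the updated miss counter: reset to 0 when the link is up, else +1.
next_miss_count() {
    if log_link_up "$2"; then echo 0; else echo $(( $1 + 1 )); fi
}

# Return 0 once the counter has reached THRESHOLD.
fail_closed_due() { [ "$1" -ge "$THRESHOLD" ]; }

# Enforcement hook. In production this is where the SAM rule would be
# installed; it only reports here so the script is harmless to run.
enforce_fail_closed() {
    echo "log link down for $THRESHOLD intervals: fail-closed action would run here"
}

# Constructed netstat -an samples for testing: session present, then gone.
SAMPLE_UP="tcp        0      0 198.51.100.1:40112  192.0.2.10:257  ESTABLISHED"
SAMPLE_DOWN="tcp        0      0 198.51.100.1:40112  192.0.2.10:257  TIME_WAIT"

# Polling loop; call watchdog_main to run it on a live box.
watchdog_main() {
    misses=0
    while :; do
        misses=$(next_miss_count "$misses" "$(netstat -an 2>/dev/null)")
        if fail_closed_due "$misses"; then enforce_fail_closed; misses=0; fi
        sleep "$INTERVAL"
    done
}
```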
Yeah, nice feature request... :-) It came from a security certification. We were thinking about a script that checks the log TCP session as well, but luckily the certification guy did not really make us go that far. But it is indeed possible through the GUI - there is such an option: "Reject all connections when logs are not saved" - see screenshot. I looked at the log options for years but never really saw that option ?-) regards, gnjb
That option is only for local logging, so what you would get is:

- It will attempt to log to the Log Server.
- If the Log Server is lost then it will start to log locally.
- If the Log Server disk is full then it will stop logging and start locally.
- If the local log cannot be logged then reject the connections.
- If the local disk is full then the firewall caves over anyway.
Hi All, could you please assist me with the below mentioned log? What does UNKNOWN mean?

ae2c1:i[48]: 10.63.10.12 -> 10.65.48.16 (TCP) len=48 id=3492
TCP: 4357 -> 19353 .S.... seq=47fcf814 ack=00000000
ae2c1:I[48]: 10.63.10.12 -> 10.65.48.16 (TCP) len=48 id=3492
TCP: 4357 -> 19353 .S.... seq=47fcf814 ack=00000000
UNKNOWN:o[48]: 10.63.10.12 -> 10.65.48.16 (TCP) len=48 id=3492
TCP: 4357 -> 19353 .S.... seq=47fcf814 ack=00000000
UNKNOWN:O[48]: 10.63.10.12 -> 10.65.48.16 (TCP) len=48 id=3492