log no nat?



jflemingeds
2015-12-03, 12:26
Does anyone know if there is a way to log no-NAT hits? I have some rather large NAT policies and it would be really helpful if Tracker would log any NAT rule hit, even if it did an original on the translated side.

jdmoore0883
2015-12-03, 12:59
The NATing info is logged and stored already. The logs for the accepted traffic will also show all applicable NATs that take place on it. Double-click the log entry to open the details and in there you will find the NATing info (if applicable).

Unlike the firewall rules, however, there are no hit counters on the NATs.

jflemingeds
2015-12-03, 14:16
> The NATing info is logged and stored already. The logs for the accepted traffic will also show all applicable NATs that take place on it. Double-click the log entry to open the details and in there you will find the NATing info (if applicable).
>
> Unlike the firewall rules, however, there are no hit counters on the NATs.

Correct me if I'm wrong, but from what I've seen the rule numbers for NAT policies are only logged when it matches a NAT rule with some kind of translation done.

For example, xlatesrc = 1.2.3.4, NAT rule 15 (or something like that).

What I'm saying is I want to be able to log NAT rules that don't do translation but still match the NAT policy. For example, say NAT policy 10 does src: orig, dst: orig, service: orig. This information, which I would like to see, isn't logged.

laf_c
2015-12-04, 05:19
> Correct me if I'm wrong, but from what I've seen the rule numbers for NAT policies are only logged when it matches a NAT rule with some kind of translation done.
>
> For example, xlatesrc = 1.2.3.4, NAT rule 15 (or something like that).
>
> What I'm saying is I want to be able to log NAT rules that don't do translation but still match the NAT policy. For example, say NAT policy 10 does src: orig, dst: orig, service: orig. This information, which I would like to see, isn't logged.

I agree that information is not logged, but the log action is a firewall rule property, NOT a NAT rule property. So if you add the log action on your firewall rule and your firewall rule then uses a NAT exempt or no_NAT rule, you will also have this logged.

Furthermore, if you look in Tracker and see no NAT info on a specific log entry, this means it used one of your NAT exempt rules.

mcnallym
2015-12-04, 11:21
Don't know if this will help you, however in R77.30 under Global Properties, under NAT, there is an option:

Enable NAT Audit Log

Cannot seem to find anything regarding what it does, though, but it potentially sounds as if it may improve the NAT logging.

jflemingeds
2015-12-04, 11:25
> I agree that information is not logged, but the log action is a firewall rule property, NOT a NAT rule property. So if you add the log action on your firewall rule and your firewall rule then uses a NAT exempt or no_NAT rule, you will also have this logged.
>
> Furthermore, if you look in Tracker and see no NAT info on a specific log entry, this means it used one of your NAT exempt rules.

Yes, I understand logging is set at the rule level and not the NAT level.

What you're saying doesn't help, because a firewall rule can match more than one NAT policy rule (src, dst, service (granted, I almost never use that)).
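The two posts above describe the gap: an accepted connection whose log entry carries no xlate fields went through a no-NAT rule (or matched no NAT rule at all), and the log alone does not say which NAT rule it was, because one firewall rule can overlap several NAT rules. The script below is an added example and not code from the thread or from Check Point: it flags accepted entries with no NAT info and then replays them against a simplified, first-match model of a manual NAT rulebase to infer the candidate no-NAT rule. The log lines and the NAT rules are constructed for the example, the `key=value;` line format is a simplified stand-in for a real log export, and the first-match model ignores automatic NAT rules and other ordering details of the real rulebase. The cross-check function compares the model's verdict against the NAT_rulenum the gateway did log for translated traffic, so disagreements show where the model is wrong before anyone trusts its inferences for the unlogged no-NAT hits.

```python
"""Infer which no-NAT rule accepted traffic hit, from log entries that carry no NAT info."""
import ipaddress
from collections import Counter

# Constructed sample log lines in a simplified key=value;... format (not a
# verbatim export). Field names follow what SmartView Tracker displays:
# action, src, dst, service, rule, xlatesrc, NAT_rulenum.
SAMPLE_LOGS = """\
action=accept;src=10.1.1.10;dst=192.0.2.20;service=443;rule=12;xlatesrc=203.0.113.5;NAT_rulenum=15
action=accept;src=10.1.1.11;dst=10.2.2.20;service=445;rule=12
action=accept;src=10.1.1.12;dst=10.2.2.21;service=22;rule=12
action=accept;src=10.3.3.5;dst=192.0.2.30;service=80;rule=7;xlatesrc=203.0.113.9;NAT_rulenum=15
action=drop;src=10.9.9.9;dst=10.2.2.20;service=445;rule=40
"""

# Constructed, hypothetical manual NAT rulebase, evaluated first-match.
# Rule 10 is a no-NAT rule (every translated column is "original"): the
# gateway logs nothing about it. Rule 15 hides 10.0.0.0/8 behind a pool.
NAT_RULES = [
    {"num": 10, "src": "10.1.1.0/24", "dst": "10.2.2.0/24", "service": "any",
     "xlate": {"src": "original", "dst": "original", "service": "original"}},
    {"num": 15, "src": "10.0.0.0/8", "dst": "any", "service": "any",
     "xlate": {"src": "203.0.113.0/24", "dst": "original", "service": "original"}},
]


def parse_log_line(line):
    """Split one 'k=v;k=v' line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)


def is_no_nat_hit(entry):
    """Accepted traffic with no xlate* field, i.e. no translation was logged."""
    return entry.get("action") == "accept" and not any(k.startswith("xlate") for k in entry)


def _ip_match(net, ip):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def _svc_match(svc, value):
    return svc == "any" or svc == value


def first_nat_rule(entry, rules=NAT_RULES):
    """Return the number of the first NAT rule whose original columns match, or None."""
    for r in rules:
        if (_ip_match(r["src"], entry["src"]) and _ip_match(r["dst"], entry["dst"])
                and _svc_match(r["service"], entry["service"])):
            return r["num"]
    return None


def no_nat_report(text, rules=NAT_RULES):
    """Count accepted entries without NAT info, keyed by (firewall rule, inferred NAT rule)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_log_line(line)
        if is_no_nat_hit(entry):
            counts[(entry["rule"], first_nat_rule(entry, rules))] += 1
    return dict(counts)


def model_disagreements(text, rules=NAT_RULES):
    """Entries where the gateway logged a NAT_rulenum that the model does not reproduce.

    A non-empty result means the simplified rulebase model is wrong somewhere,
    so its inferences for the unlogged no-NAT hits should not be trusted.
    """
    bad = []
    for line in text.splitlines():
        entry = parse_log_line(line)
        if "NAT_rulenum" in entry and first_nat_rule(entry, rules) != int(entry["NAT_rulenum"]):
            bad.append(entry)
    return bad


if __name__ == "__main__":
    for (fw_rule, nat_rule), n in sorted(no_nat_report(SAMPLE_LOGS).items()):
        print(f"fw rule {fw_rule}: {n} accepted flow(s) with no NAT info, inferred NAT rule {nat_rule}")
    print("model disagreements:", model_disagreements(SAMPLE_LOGS))
```

The report only answers the question for traffic that was actually logged, so the firewall rule still needs Log (or Account) set, as the thread says; and the inference is only as good as the rulebase copy fed into `NAT_RULES`, which is why `model_disagreements` is worth running first on the translated entries where the gateway did record the NAT rule number.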

jflemingeds
2015-12-04, 12:36
> Don't know if this will help you, however in R77.30 under Global Properties, under NAT, there is an option:
>
> Enable NAT Audit Log
>
> Cannot seem to find anything regarding what it does, though, but it potentially sounds as if it may improve the NAT logging.

I completely missed this, nice find. I'll see what it does. Hopefully it's not just xlate build and tear-down.