What to Look for in Firewall Logs - Firewall Fundamentals https://www.ccexpert.us/firewall-fundamentals/what-to-look-for-in-firewa...
What to Look for in Firewall Logs
Last Updated on Fri, 25 Jan 2019 | Firewall Fundamentals
After you have collected the firewall logs and begun the process of analyzing them, determine what you should be looking for in the logs. With that said, it is important to remember not to fall into the trap of looking in your firewall logs only for "bad" events. Yes, firewall logs can be the key element in discovering incidents and compromises, but that is only one of the reasons for analyzing your logs. You also want to use the log information to assist in defining the baselines and normal operations of the firewall. One of the easiest ways to know whether behavior that has been logged is malicious is to know what the good (normal) traffic looks like and then note the exceptions.
The simple fact of the matter is that certain events should always raise suspicion when they are detected. The most common events that warrant further investigation are as follows:
• Authentication allowed.
• Traffic dropped (not addressed to the firewall).
• Firewall stop/start/restart.
• Firewall configuration changed.
• Interface up/down status changed.
• Administrator access granted.
• Connection was torn down.
• Authentication failed.
• Traffic dropped (addressed to the firewall).
• Administrator session ended.
The following sections explain these events in more detail.
Authentication Allowed
Although it may seem rather innocuous at first glance, it is important to look for authentication-allowed events because they can identify situations where access was granted by the firewall when it should not have been allowed. The reasons can range from legitimate administrators logging on when they should not have, to malicious users logging on after compromising the account and password that they are using.
In addition, if your firewall is configured to authenticate user access, this event can be used to identify users who have been authenticated for whatever function they are attempting to perform.
Traffic Dropped (Not Addressed to the Firewall)
Most firewalls will have some resources that they are protecting. Traffic addressed to these servers should be processed by the firewall and filtered accordingly. Although traffic-dropped messages can indicate that someone is attempting to access a protected resource in a manner other than what the firewall administrator defined, a common cause of this event is a simple misconfiguration of the ruleset. Therefore, if users cannot access protected resources, it is important to review the logs to determine whether the firewall is dropping their traffic, thereby pointing you in the direction of what may need to be fixed to provide access to the resource requested.
Firewall Stop/Start/Restart
The firewall should never stop, start, or restart without the firewall administrator knowing in advance that the situation is going to occur. This event can be caused by non-firewall-specific issues such as power failures as well as by firewall-specific issues such as the firewall crashing or a high-availability failover, and therefore it should always be investigated in more detail to ascertain the root cause.
Firewall Configuration Changed
Almost all firewall configuration changes should be accompanied with the appropriate change control documentation. This event always warrants further investigation to ensure that the changes that were made are legitimate and in accordance with expected results. In fact, many SIM products can be configured to perform a comparison of the changed configuration against a "known good" configuration when a firewall configuration changed event occurs. Some products, such as NetIQ Security Manager, can actually use that comparison to attempt to undo the changes that were made if they are found to be out of compliance with the known good configuration.
Interface Up/Down Status Changed
Firewall interfaces transitioning from an up to a down status and vice versa can indicate problems with the underlying network configuration. This information can prove particularly helpful in situations where high-availability firewalls are implemented, because the network interfaces transitioning to a down state could cause the failover process to occur.
Administrator Access Granted
Whenever administrator access is granted, the corresponding event should be investigated. Although this is similar to monitoring for authentication, in this case we are looking explicitly at users gaining administrator access. In most cases the access is expected, and there is nothing suspicious or out of order that warrants further review. However, when that is not the case, this event rapidly becomes an extremely high-priority situation that must be investigated, because the implication can be that an administrator account has been compromised.
Connection Was Torn Down
The termination of connections is a relatively routine process that is a part of normal communications. Where this event is particularly important, however, is in listing the reason why the connection was torn down. For example, the connection may have been torn down as a result of a SYN timeout, which can be an indicator that someone is attempting to cause a denial of service, especially if there are a lot of events of that nature. In determining the cause of the connection teardown, it is important to review the firewall documentation for the teardown reasons. For example, Cisco Secure PIX Firewall version 7.0 message ID 302014 lists the potential reasons for a connection being torn down as shown in Table 12-3.
Table 12-3. TCP Connection Teardown Reasons

| Reason | Description |
|---|---|
| Conn-timeout | Connection ended because it was idle longer than the idle timeout. |
| Deny Terminate | Flow was terminated by application inspection. |
| Failover primary closed | The standby unit in a failover pair deleted a connection because of a message received from the active unit. |
| FIN Timeout | Force termination after 10 minutes awaiting the last ACK or after the half-closed timeout. |
| Flow closed by inspection | Flow was terminated by inspection feature. |
| Flow terminated by IPS | Flow was terminated by IPS. |
| Flow reset by IPS | Flow was reset by IPS. |
| Flow terminated by TCP intercept | Flow was terminated by TCP Intercept. |
| Invalid SYN | SYN packet not valid. |
| Idle Timeout | Connection timed out because it was idle longer than the timeout value. |
| IPS fail-close | Flow was terminated due to IPS card down. |
| SYN Control | Back channel initiation from wrong side. |
| SYN Timeout | Force termination after 2 minutes awaiting three-way handshake completion. |
| TCP bad retransmission | Connection terminated because of bad TCP retransmission. |
| TCP FINs | Normal close-down sequence. |
| TCP Invalid SYN | Invalid TCP SYN packet. |
| TCP Reset-I | Reset was from the inside. |
| TCP Reset-O | Reset was from the outside. |
| TCP segment partial overlap | Detected a partially overlapping segment. |
| TCP unexpected window size variation | Connection terminated due to variation in the TCP window size. |
| Tunnel has been torn down | Flow terminated because tunnel is down. |
| Unauth Deny | Denied by URL filter. |
| Unknown | Catchall error. |
| Xlate Clear | Command-line removal. |
As you can see, reasons such as "Unauth Deny" or "Flow closed by inspection" can be indicators of rogue traffic and warrant more concern and investigation than a reason such as "TCP Reset-I" (which is a normal part of applications terminating their communications session).
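The triage described above, as an added example that is not part of the original text: a small Python script that parses message ID 302014 teardown lines, flags the reasons from Table 12-3 that point at blocked or inspected traffic, and counts SYN Timeouts per source (many from one source being the denial-of-service indicator the text mentions). The message layout follows the documented 302014 format; the log lines, addresses, and the per-source threshold are constructed assumptions.

```python
import re
from collections import Counter

# Pattern for the Cisco PIX/ASA message ID 302014 (TCP connection teardown).
# A trailing "(user)" appears when the connection was user-authenticated.
TEARDOWN_RE = re.compile(
    r"%(?:PIX|ASA)-\d-302014: Teardown TCP connection (?P<id>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\d+:\d{2}:\d{2}) bytes (?P<bytes>\d+) "
    r"(?P<reason>.+?)(?: \((?P<user>[^)]*)\))?$"
)

# Teardown reasons from Table 12-3 that indicate the firewall or IPS blocked the flow.
SUSPICIOUS_REASONS = {
    "Unauth Deny", "Deny Terminate", "Flow closed by inspection",
    "Flow terminated by IPS", "Flow reset by IPS", "Flow terminated by TCP intercept",
    "Invalid SYN", "TCP Invalid SYN", "SYN Control",
}
SYN_TIMEOUT_THRESHOLD = 3  # assumed per-source count worth a look; tune to your baseline

# Constructed sample log lines (not real captures); addresses are documentation ranges.
SAMPLE_LOG = """\
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.7/40211 to inside:10.0.0.5/80 duration 0:00:12 bytes 4820 TCP FINs
%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.7/40212 to inside:10.0.0.5/80 duration 0:00:00 bytes 0 Unauth Deny
%ASA-6-302014: Teardown TCP connection 103 for outside:198.51.100.9/5555 to inside:10.0.0.5/443 duration 0:02:00 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 104 for outside:198.51.100.9/5556 to inside:10.0.0.5/443 duration 0:02:00 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 105 for outside:198.51.100.9/5557 to inside:10.0.0.5/443 duration 0:02:00 bytes 0 SYN Timeout
%ASA-6-302014: Teardown TCP connection 106 for inside:10.0.0.8/51000 to outside:192.0.2.20/25 duration 0:00:03 bytes 900 TCP Reset-I (jdoe)
%ASA-6-302014: Teardown TCP connection 107 for outside:203.0.113.7/40213 to inside:10.0.0.5/80 duration 0:00:01 bytes 120 Flow closed by inspection
"""

def parse_teardown(line):
    """Return the fields of a 302014 line as a dict, or None for any other message."""
    m = TEARDOWN_RE.search(line)
    return m.groupdict() if m else None

def triage(log_text, syn_threshold=SYN_TIMEOUT_THRESHOLD):
    """Return (flagged, syn_suspects): flagged lists (conn id, source, reason) for
    suspicious teardown reasons; syn_suspects maps each source whose SYN Timeout
    count reached the threshold (a possible half-open flood) to that count."""
    flagged, syn_counts = [], Counter()
    for line in log_text.splitlines():
        ev = parse_teardown(line)
        if ev is None:
            continue  # not a teardown message; routine reasons fall through below
        if ev["reason"] in SUSPICIOUS_REASONS:
            flagged.append((ev["id"], ev["src"], ev["reason"]))
        elif ev["reason"] == "SYN Timeout":
            syn_counts[ev["src"]] += 1
    syn_suspects = {src: n for src, n in syn_counts.items() if n >= syn_threshold}
    return flagged, syn_suspects
```

Run `triage(SAMPLE_LOG)` to see the two flagged connections and the one source with three SYN Timeouts; in practice, compare the counts against the baseline you established from normal operations.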
Authentication Failed
Authentication-failed events can be indicators of everything from users making a typo when they enter their password to malicious users making a brute-force attack in an attempt to determine the password. Authentication-failed events should be examined in particular detail when the account in question is a privileged or administrator-level account.
Traffic Dropped (Addressed to the Firewall)
These events are similar to the traffic dropped that is not addressed to the firewall, with the obvious difference being that in this case the traffic is addressed to the firewall. As a general rule, the firewall should not receive traffic addressed directly to it on the external interface; instead, all traffic should be destined for the resources being protected by the firewall. These events can be indicators of malicious users attempting to gain access to the firewall, or of a misconfiguration of things such as ICMP, IPsec, or management or routing protocols, and they should be investigated in more detail to determine the exact nature of why the traffic was dropped.
Administrator Session Ended
Similar to administrator access being granted, administrator sessions ending should be monitored to verify that the administrator who had access was supposed to have access. This type of event can also be used as a benchmark because only administrators should be able to make changes to the firewall, and therefore the logs should be investigated in more detail for the time preceding the administrator session ending to see what commands may have been run.
Responses
bruno
What to look for in my firewall logs?
Reply
9 months ago
kristian
What to look for in firewall event log?
Reply
7 months ago