XSR User's Guide
Chapter 13: Configuring Security on the XSR
XSR Firewall Feature Set Functionality
Alarm Logging - The XSR supports Console and Syslog logging and provides
session usage data using the allow-log/log options. To enable persistent
logging, which preserves logs after a system reboot, you must install
a CompactFlash memory card in the XSR. Logs stored in Flash are purged
during a system reboot unless the XSR senses the presence of CompactFlash.
Alarms - The XSR generates firewall alarms in the following categories:
TCP and UDP packets
– Permitted connect and disconnect
– Blocked connects and disconnects
– Blocked data packet
– Individual packet logging per user-configured firewall policy (by stipulating allow_log or log)
IP option Permit or Deny logs
Other Protocols Permit or Deny Logs
– OSPF, ESP, RIP, GRE
– ICMP
– Broadcast, multicast
Specific FTP, HTTP and SMTP requests logs
Flooding attacks (TCP, UDP, ICMP) logs
Firewall start and restart
Failures (out of memory)
A sample Web access (port 80) permit alarm, which logs at level 4, displays:
FW: Permit: Port-2, Out TCP Con_Req, 10.10.10.10(1042) -> 192.168.1.200(80)
FW: TCP new session request. 10.10.10.10(1042) -> 192.168.1.200(80)
FW: Permit: Port-1, TCP Con_Est, 192.168.1.200(80) -> 10.10.10.10(1042)
FW: TCP connection closed 192.168.1.200(80) -> 10.10.10.10(1042)
A sample client open connection to the FTP server (port 21) alarm displays:
FW: Permit: Port-1, Out TCP Con_Req, 10.10.10.10(1056) -> 192.168.1.100(21)
FW: TCP new session request. 10.10.10.10(1056) -> 192.168.1.100(21)
FW: Permit: Port-1, TCP Con_Est, 192.168.1.100(21) -> 10.10.10.10(1056)
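The sample alarms above can be correlated into per-session state when reviewing collected logs. The following is an added example, not code from the XSR or this guide; the names parse_alarm and track_sessions are hypothetical, and it recognizes only the four message shapes shown in the samples.

```python
import re

# Endpoint pair as printed in the alarms: 10.10.10.10(1042) -> 192.168.1.200(80)
FLOW = r"(\d+\.\d+\.\d+\.\d+)\((\d+)\) -> (\d+\.\d+\.\d+\.\d+)\((\d+)\)"
PATTERNS = [
    ("requested", re.compile(r"FW: Permit: Port-\d+, Out TCP Con_Req, " + FLOW)),
    ("requested", re.compile(r"FW: TCP new session request\. " + FLOW)),
    ("established", re.compile(r"FW: Permit: Port-\d+, TCP Con_Est, " + FLOW)),
    ("closed", re.compile(r"FW: TCP connection closed " + FLOW)),
]

def parse_alarm(line):
    """Return (state, src, dst) for a recognized alarm line, else None."""
    for state, rx in PATTERNS:
        m = rx.search(line)  # search, so a syslog prefix before "FW:" is tolerated
        if m:
            sip, sport, dip, dport = m.groups()
            return state, (sip, int(sport)), (dip, int(dport))
    return None

def track_sessions(lines):
    """Return one record per flow holding its last observed state."""
    sessions = {}
    for line in lines:
        parsed = parse_alarm(line)
        if parsed is None:
            continue
        state, src, dst = parsed
        # Con_Est and close alarms print the server first, so key on the
        # unordered endpoint pair; the first alarm seen names the client.
        key = frozenset((src, dst))
        entry = sessions.setdefault(key, {"client": src, "server": dst})
        entry["state"] = state
    return list(sessions.values())

# The guide's two sample alarm sequences, copied from the text above.
SAMPLE = """\
FW: Permit: Port-2, Out TCP Con_Req, 10.10.10.10(1042) -> 192.168.1.200(80)
FW: TCP new session request. 10.10.10.10(1042) -> 192.168.1.200(80)
FW: Permit: Port-1, TCP Con_Est, 192.168.1.200(80) -> 10.10.10.10(1042)
FW: TCP connection closed 192.168.1.200(80) -> 10.10.10.10(1042)
FW: Permit: Port-1, Out TCP Con_Req, 10.10.10.10(1056) -> 192.168.1.100(21)
FW: TCP new session request. 10.10.10.10(1056) -> 192.168.1.100(21)
FW: Permit: Port-1, TCP Con_Est, 192.168.1.100(21) -> 10.10.10.10(1056)
""".splitlines()

if __name__ == "__main__":
    for s in track_sessions(SAMPLE):
        print(s["client"], "->", s["server"], s["state"])
```

Run over the two samples, the Web session ends in the closed state while the FTP control session remains established, because no close alarm appears for it.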
The IP addresses cited in firewall alarms are selected as follows:
– If a syslog server is configured, alarms will contain the XSR IP
address that is used to contact the syslog server.