Community:PIX Firewall

From Splunk Wiki

(Redirected from Apps:PIX Firewall)
Jump to: navigation, search

The information on this page is specific to CISCO PIX. If you are interested in Cisco ASA or Cisco Firewall Service Manager check the specific pages. Although, most of the information on this pages is still valid.


Configure your PIX to send UDP syslog to a Splunk instance listening for syslog on port 514.

Command to configure this:

     logging host #.#.#.#
     logging timestamp

In addition, you can set the facility that is used for the syslog message:

     logging facility X

To exclude specific messages, you can use the following command on your PIX:

     no logging message 111005

There are some limitations with syslog.

Logging Recommendations

Depending on your use-case you need to adopt your configuration of what exact messages to log. Refer to the firewall logging recommendations for generic information about firewall logging.

PIX logging settings
Message Classes Use-case Command
Alert These messages indicate that action has been taken by the security appliance to resolve a problem or that action needs to be taken by the administrator because of an interface failure, unit standby failure, or bad cables. An administrator should always follow up on an alert message. logging trap alert
Critical These messages indicate that traffic has been blocked or dropped, that spoofed traffic has been detected, or that flags are invalid in traffic. An administrator should usually follow up on critical messages. logging trap critical
Error These error messages are specific to security appliance resources such as xlate failures and translation slot failures. An administrator should always follow up on error messages. logging trap error
Warning These messages are generally warnings about connection problems. Many of these problems might be cleared up by the protocols on either end, but an administrator might have to follow up on these warning messages. logging trap warning
Notification These messages are a mix of notifications of what a security appliance logged-in user is doing on the machine and some messages about Java and ActiveX blocking. An administrator should look at these messages to ensure that unauthorized changes are not being made to the security appliance. logging trap notification
Informational These messages describe connections being built and torn down through the security appliance. In most cases, these messages don't need to be audited by an administrator unless users report that they are having problems with specific connections or services. logging trap informational
Debugging These messages are mostly related to IPSec. An administrator uses these messages when bringing up an IPSec tunnel for the first time. For the other debug messages, refer to the Security Appliance technical documentation on the Cisco website. logging trap debugging

The following is a list of recommended messages to log (use the command from above to enable each of them):

   * PIX-1-106100   Generated for every permit or deny flow passing through the PIX firewall v7.x and later
   * PIX-2-106100
   * PIX-3-313001
   * PIX-3-710003
   * PIX-4-106023
   * PIX-6-106015
   * PIX-6-302013
   * PIX-6-302015
   * PIX-7-710002
   * PIX-7-710005

If you have the PIX IDS module installed in your PIX, the following are the messages you are interested in:

   * PIX-4-400008
   * PIX-4-400010
   * PIX-4-400011
   * PIX-4-400014
   * PIX-4-400015
   * PIX-4-400023
   * PIX-4-400028

If you are interested in additional messages about the traffic passing through your firewall, turn the following messages on as well:

   * PIX-3-403503   Link down
   * PIX-4-402106   Received a packet that is not an IPSec packet
   * PIX-4-411001   Line protocol change
   * PIX-5-111001
   * PIX-5-111004
   * PIX-5-111005
   * PIX-5-111007
   * PIX-5-111008
   * PIX-5-199001
   * PIX-5-501101
   * PIX-5-502101
   * PIX-5-502103
   * PIX-5-611103
   * PIX-6-109005
   * PIX-6-109006
   * PIX-6-110001
   * PIX-6-199002
   * PIX-6-308001
   * PIX-6-315011
   * PIX-6-603108
   * PIX-6-603109
   * PIX-6-605004
   * PIX-6-605005
   * PIX-6-611101
   * PIX-6-611102
   * PIX-7-111009
   * PIX-7-710001

We recommend to exclude the following messages:

   * PIX-6-302010
   * PIX-6-302014
   * PIX-6-302016
   * PIX-6-305011
   * PIX-6-305012
   * PIX-6-609001
   * PIX-6-609002

TODO: - map above messages back to use-cases


Once your data is fed into Splunk, you should download the PIX Application, which defines field extractions for the most common PIX messages. If you want to set up your own field extractions, make sure you follow the Common Information Model when naming the fields. You can also find more information about field extractions in the Splunk documentation.


For firewalls, there is a set of common firewall reports that you should try for generic firewall reporting.

These are some PIX specific reports that you might be interested in:

- summary indexing

Personal tools
Hot Wiki Topics

About Splunk >
  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk