
Logging IPFilter traffic


Running a firewall with 8.2.1 and I'm trying to clean up rules. One issue I have is with IP filters that are in use, but not showing usage in any report. I have my cf acl level set to 3, and I have tried the 'cf usage', 'gen_reports -r acl_usage' and even an 'acat -ae  "rule_name nameofruleinquestion"'. The IP Filter is currently set to audit=standard; if I crank it up to verbose, would that log the traffic? I've tried using ipfilter -v, but that's not really helping show what IP filters are being used. Anyone have a way to audit IP filter traffic? Thanks!


Accepted Solutions
sliedl
Message 2 of 3

Re: Logging IPFilter traffic


Yes, you need to turn the rule auditing to Verbose.  Also, you can go to the Generic app. defense for this rule (every rule has an App. Def. Group and every AppDef Group has a 'Generic' app. defense), and click the 'Other IP Filter Settings' tab.  There is a checkbox for 'Provide informational audits every ___ requests' there.  I'd start with something like 10; there is no 'good' value because it all depends on the type/amount of traffic going through this rule (and any other rule using this Generic defense that is set to Verbose audit).  Checking this box will show 'session continue' audits for this rule while packets are going through it.

The 'cf reports' command (old command: gen_reports) does not report on some types of traffic correctly.  You should upgrade to 8.3.2P03 where the reporting is fixed if you'd like to use those reports.  At 8.3.2P03 the 'cf usage' command has some more built-in report types which you might find useful and which are not in the earlier versions.



Re: Logging IPFilter traffic


Awesome info. Thanks!
