2 Replies Latest reply on Jun 27, 2014 9:00 AM by vetterous

    Logging IPFilter traffic

    vetterous

      Running a firewall with 8.2.1 and I'm trying to clean up rules. One issue I have is with IP filters that are in use, but not showing usage in any report. I have my cf acl level set to 3, and I have tried the 'cf usage', 'gen_reports -r acl_usage' and even an 'acat -ae "rule_name nameofruleinquestion"'. The IP Filter is currently set to audit=standard; if I crank it up to verbose, would that log the traffic? I've tried using ipfilter -v, but that's not really helping show what IP filters are being used. Anyone have a way to audit IP filter traffic? Thanks!

        • 1. Re: Logging IPFilter traffic
          sliedl

          Yes, you need to turn the rule auditing to Verbose.  Also, you can go to the Generic app. defense for this rule (every rule has an App. Def. Group and every AppDef Group has a 'Generic' app. defense), and click the 'Other IP Filter Settings' tab.  There is a checkbox for 'Provide informational audits every ___ requests' there.  I'd start with something like 10; there is no 'good' value because it all depends on the type/amount of traffic going through this rule (and any other rule using this Generic defense that is set to Verbose audit).  Checking this box will show 'session continue' audits for this rule while packets are going through it.

           

          The 'cf reports' command (old command: gen_reports) does not report on some types of traffic correctly.  You should upgrade to 8.3.2P03 where the reporting is fixed if you'd like to use those reports.  At 8.3.2P03 the 'cf usage' command has some more built-in report types which you might find useful and which are not in the earlier versions.

          • 2. Re: Logging IPFilter traffic
            vetterous

            Awesome info. Thanks!