To configure the PIX to receive SNMP requests from a management station, you need to
• Configure the IP address of the SNMP management station with the snmp-server host command.
• Set the snmp-server options for location, contact, and the community password as required.
To configure SNMP traps on the PIX, you need to
• Configure the IP address of the SNMP management station with the snmp-server host command.
• Set the snmp-server options for location, contact, and the community password as required.
• Set the trap with the snmp-server enable traps command.
• Set the logging level with the logging history command.
How Log Messages Are Organized
Syslog messages are listed numerically by message code. Each message is followed by a brief explanation and a recommended action. If several messages share the same explanation and recommended action, the messages are presented together, followed by the common explanation and recommended action.
The explanation of each message indicates what kind of event generated the message. Possible events include the following:
• AAA (accounting, authentication, and authorization) events
• Connection events (for example, connections denied by the PIX configuration or address translation errors)
• Failover events reported by one or both units of a failover pair
• FTP/URL events (for example, successful file transfers or blocked Java applets)
• Mail Guard/SNMP events
• PIX management events (for example, configuration events or Telnet connections to the PIX console port)
• Routing errors
138 Chapter 8: Syslog
How to Read System Log Messages
System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:
%PIX-level-message_number: message_text
• PIX identifies the message facility code for messages generated by the PIX Firewall.
• level reflects the severity of the condition described by the message. The lower the number, the more serious the condition.
• message_number is the numeric code that uniquely identifies the message.
• message_text is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers, or usernames.
You can find more information on syslog messages at www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_v52/syslog/pixemsgs.htm#11493.
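The message format described above, worked through as an added Python example (not code from the book or from Cisco): it parses `%PIX-level-message_number: message_text` lines, maps the level to the severity names in Table 8-4, and keeps only messages at or more serious than a chosen level. The function names, the `disabled` filter, and the sample lines are constructed for illustration; accepting a timestamp/host prefix before the percent sign is an assumption about the collector.

```python
import re
from collections import Counter

# Severity names and numeric codes as listed in Table 8-4.
SEVERITY = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
            4: "Warning", 5: "Notification", 6: "Informational", 7: "Debug"}

# %PIX-level-message_number: message_text
# search() is used so a collector-added timestamp/host prefix is tolerated (assumption).
PIX_RE = re.compile(r"%PIX-(?P<level>[0-7])-(?P<number>\d+):\s*(?P<text>.*)")

def parse_pix(line):
    """Return the fields of one PIX syslog line, or None if it does not match."""
    m = PIX_RE.search(line)
    if m is None:
        return None
    level = int(m.group("level"))
    return {"level": level, "severity": SEVERITY[level],
            "number": m.group("number"), "text": m.group("text").strip()}

def triage(lines, max_level=4, disabled=()):
    """Return (kept, counts, unparsed).

    kept: messages whose level is <= max_level (lower number = more serious)
    and whose message_number is not in `disabled` (hypothetical ignore list).
    counts: every parsed message, tallied by severity name.
    unparsed: lines that do not follow the PIX format, kept for review."""
    kept, unparsed, counts = [], [], Counter()
    for line in lines:
        msg = parse_pix(line)
        if msg is None:
            unparsed.append(line)
            continue
        counts[msg["severity"]] += 1
        if msg["level"] <= max_level and msg["number"] not in disabled:
            kept.append(msg)
    return kept, counts, unparsed

# Constructed sample lines (illustrative, not captured from a device).
SAMPLE = [
    "%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/80",
    "Mar 01 10:15:01 192.0.2.1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/4431",
    "%PIX-5-111008: User 'enable_15' executed the 'write memory' command.",
    "%PIX-1-103001: (Primary) No response from other firewall",
    "%PIX-9-000000: level outside 0-7, rejected by the parser",
    "kernel: unrelated line from another device",
]

if __name__ == "__main__":
    kept, counts, unparsed = triage(SAMPLE)
    for m in kept:
        print(m["severity"], m["number"], m["text"])
    print(dict(counts), len(unparsed), "unparsed")
```

Keeping the unparsed lines separate, rather than dropping them, makes it visible when a device is sending something the parser does not expect.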
Disabling Syslog Messages
It is possible to single out syslog messages that you do not want to receive by simply instructing the PIX not to log that particular message. Table 8-3 shows the commands used to manage the type of individual syslog messages sent by the Cisco PIX Firewall.
Table 8-3 Syslog Message Management Commands

| Command | Description |
| --- | --- |
| no logging message message_number | Disables syslog messages. |
| show logging disabled | Displays a list of disabled syslog messages. |
| logging message message_number | Re-enables disabled syslog messages. |
| clear logging message | Re-enables all disabled syslog messages. |
Foundation Summary
The syslog message facility in the Cisco PIX Firewall is a useful means to view troubleshooting messages and to watch for network events such as attacks and service denials. Syslog messages can be configured to be sent to
• PDM logging
• Console
• Telnet console
• Internal memory/buffer
• Syslog server
• SNMP management station
Common to all ways of viewing syslog messages is the message’s level, or severity. The level specifies the types of messages sent to the syslog host, as shown in Table 8-4.
Table 8-4 Logging Severity Levels

| Level | Numeric Code | System Condition |
| --- | --- | --- |
| Emergency | 0 | System unusable message |
| Alert | 1 | Take immediate action |
| Critical | 2 | Critical condition |
| Error | 3 | Error message |
| Warning | 4 | Warning message |
| Notification | 5 | Normal but significant condition |
| Informational | 6 | Information message |
| Debug | 7 | Debug message, log FTP commands, and WWW URLs |
System log messages received at a syslog server begin with a percent sign (%) and are structured as follows:
%PIX-level-message_number: message_text
You can set the level with the logging command so that you can view syslog messages on the PIX Firewall console, from a syslog server, or with SNMP.
Q&A
The questions in this section are designed to ensure your understanding of the concepts discussed in this chapter and adequately prepare you to complete the exam. You should use the simulated exams on the CD to practice for the exam.
The answers to these questions can be found in Appendix .
1 What is the command for sending syslog messages to the Telnet session?
A logging console
B logging monitor
C telnet logging
D send log telnet
2 What is the logging trap command used for?
3 True or false: PFSS stands for PIX Firewall System Solution.
4 PIX Firewall can be configured to send syslog messages to all of the following except which one?
A Console
B Telnet
C Serial
D Syslog server
5 Which of the following is not an example of a severity level for syslog configuration?
A Emergency
B Alert
C Prepare
D Warning
6 What is syslogd?
A A message type that forms the syslog services
B A service that runs on UNIX machines
C A hardware subcomponent that is required for syslog configuration on the PIX
D It gathers information on IT businesses in Japan.
7 What port does syslogd use by default?
A UDP 512
B TCP 514
C TCP 512
D UDP 514
8 True or false: The default facility number on the PIX Firewall is 18.
9 How are syslog messages organized?
A They are listed numerically by message code.
B They are listed by importance level.
C They are listed by date.
D They are not organized.
10 True or false: It is possible to disable specific syslog messages.
11 Windows NT 4.0 server can work as a syslog server with what?
A IIS configured for logging
B PIX Firewall Syslog Server application installed
C PIX Device Manager
D UNIX
This chapter covers the following exam topics for the Secure PIX Firewall Advanced Exam (CSPFA 9E0-111):
33. Understanding failover
34. Failover configuration
35. LAN-based failover configuration