Hi there
Anybody know if it is possible to create an alert for devices which are shunned by the firewall?
Thanks
Which firewall?
For a Cisco device, you should be able to track when policy changes are being made and look for the 'shun' command being run. Or, shunned IPs should trigger a different block message than regular blocked traffic, and you could track that.
Thanks for the information.
Yes it is a Cisco - I do not have access to our firewall and the network engineer is not here to query this with
I am just looking at "All Firewall Events" in LEM - checking event info...any idea what the "event info" is for a shun? I can see "ACL Inside Access in Denied TCP Packet" - this could be it?
With the Cisco device, if traffic is shunned, it should generate a different message than the ACL blocks. The event you pasted, "ACL Inside Access in Denied TCP Packet," is telling you that your "Inside Access in" is what blocked the traffic. A shun is a little bit different.
Looking at the shun command, you can't actually turn off logging (some firewalls let you turn off logs for blacklisted/shunned IPs), so you should see messages if a shun is hit.
Here are some thoughts on messages to look for, from Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Firewalls] - Cisco
401002 - Shun Added
Error Message %ASA-4-401002: Shun added: IP_address IP_address port port
401003 - Shun Deleted
Error Message %ASA-4-401003: Shun deleted: IP_address
401004 - Shunned traffic detected
Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name
You will see these strings - 401002, 401003, 401004 - in the ProviderSID field coming from LEM. It should include literally "ASA-4-401004" but if someone has changed the severity manually the 4 will be something else. Easiest approach is probably to clone your firewall filter or create a new one that looks for "Any Alert.ProviderSID = *40100*" (or explicitly 401004, 401003, or 401002 depending on what you want to look for).
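As an added illustration (not from the original thread or from SolarWinds), here is a small Python detector that applies the same idea to raw ASA syslog: it matches the 401002/401003/401004 message IDs regardless of the severity digit, separates them from ordinary ACL denies, and keeps a running set of currently shunned addresses. The log lines are constructed samples, and the one 106023 ACL-deny line is there only to show that it is ignored.

```python
import re
from collections import Counter

# Shun-related ASA message IDs, as listed in the Cisco syslog guide cited above.
SHUN_MESSAGES = {"401002": "Shun added", "401003": "Shun deleted", "401004": "Shunned packet"}

# The severity digit is 4 by default but can be changed on the ASA, so accept any digit,
# e.g. "%ASA-4-401004: Shunned packet: 198.51.100.7 = 10.0.0.5 on interface outside".
SHUN_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>40100[234]):\s*(?P<text>.*)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_shun_event(line):
    """Return a dict describing a shun event, or None if the line is not a 40100x message."""
    m = SHUN_RE.search(line)
    if not m:
        return None
    ips = IP_RE.findall(m.group("text"))  # first address in the text is the shunned IP
    return {
        "provider_sid": f"ASA-{m.group('sev')}-{m.group('msgid')}",  # what LEM shows as ProviderSID
        "msgid": m.group("msgid"),
        "kind": SHUN_MESSAGES[m.group("msgid")],
        "severity": int(m.group("sev")),
        "shunned_ip": ips[0] if ips else None,
    }


def summarize_shuns(lines):
    """Count shun events per message ID and track which IPs are still shunned (added, not yet deleted)."""
    events = [e for e in (parse_shun_event(l) for l in lines) if e]
    active = set()
    for e in events:
        if e["msgid"] == "401002":
            active.add(e["shunned_ip"])
        elif e["msgid"] == "401003":
            active.discard(e["shunned_ip"])
    counts = Counter(e["msgid"] for e in events)
    return {"counts": dict(counts), "currently_shunned": sorted(active), "events": events}


# Constructed sample syslog lines (not real captures); the fourth uses a non-default severity.
SAMPLE_LOG = [
    "Mar 01 10:00:01 fw01 %ASA-4-401002: Shun added: 198.51.100.7 0.0.0.0 0 0",
    "Mar 01 10:00:05 fw01 %ASA-4-106023: Deny tcp src outside:198.51.100.9/4444 dst inside:10.0.0.5/22 by access-group \"Inside_Access_in\"",
    "Mar 01 10:00:09 fw01 %ASA-4-401004: Shunned packet: 198.51.100.7 = 10.0.0.5 on interface outside",
    "Mar 01 10:00:12 fw01 %ASA-2-401004: Shunned packet: 198.51.100.7 = 10.0.0.6 on interface outside",
    "Mar 01 10:05:00 fw01 %ASA-4-401003: Shun deleted: 198.51.100.7",
]

if __name__ == "__main__":
    for msgid, n in summarize_shuns(SAMPLE_LOG)["counts"].items():
        print(msgid, SHUN_MESSAGES[msgid], n)
```

The ProviderSID values this produces are the strings the LEM filter "Any Alert.ProviderSID = *40100*" would match.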
Thanks for the info - that is helpful.
I am just creating the rule now - I am new to LEM. Can you point me in the right direction with how to enable this? I have got the correlation in but I am unsure of how to specify our firewall which is being monitored.
Many thanks