
Firewall Shun

Hi there

Does anybody know if it is possible to create an alert for devices which are shunned by the firewall?

Thanks

  • FormerMember

    Which firewall?

    For a Cisco device, you should be able to track when policy changes are being made and look for the 'shun' command being run. Or, shunned IPs should trigger a different block message than regular blocked traffic, and you could track that.

  • Thanks for the information.

    Yes, it is a Cisco. I do not have access to our firewall, and the network engineer is not here to query this with.

    I am just looking at "All Firewall Events" in LEM, checking event info... any idea what the "event info" is for a shun? I can see "ACL Inside Access in Denied TCP Packet" - could this be it?

    Thanks

  • FormerMember in reply to lem123

    With the Cisco device, if traffic is shunned, it should generate a different message than the ACL blocks. The event you pasted, "ACL Inside Access in Denied TCP Packet," is telling you that your "Inside Access in" ACL is what blocked the traffic. A shun is a little bit different.

    Looking at the shun command, you can't actually turn off logging (some firewalls let you turn off logs for blacklisted/shunned IPs), so you should see messages if a shun is hit.

    Here are some thoughts on messages to look for, from Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Firewalls] - Cisco:

    401002 - Shun Added

    Error Message %ASA-4-401002: Shun added: IP_address IP_address port port

    401003 - Shun Deleted

    Error Message %ASA-4-401003: Shun deleted: IP_address

    401004 - Shunned traffic detected

    Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name

    You will see these strings - 401002, 401003, 401004 - in the ProviderSID field coming from LEM. It should include literally "ASA-4-401004" but if someone has changed the severity manually the 4 will be something else. Easiest approach is probably to clone your firewall filter or create a new one that looks for "Any Alert.ProviderSID = *40100*" (or explicitly 401004, 401003, or 401002 depending on what you want to look for).

  • Thanks for the info - that is helpful.

    I am just creating the rule now - I am new to LEM. Can you point me in the right direction with how to enable this? I have got the correlation in but I am unsure of how to specify our firewall which is being monitored.

    Many thanks

    lem.PNG

  • FormerMember in reply to lem123

    The firewall reporting the shun should be the DetectionIP field. If you look at the events in the LEM console, you should be able to tell if it's the IP or name of the device being reported. (You could potentially use the ToolAlias field and look for something like Cisco* if you wanted to look for ALL firewalls.)
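An added example (not from the thread, and not SolarWinds or Cisco code) that runs the detection logic described in the two FormerMember replies above over constructed ASA syslog lines: it matches on the 401002/401003/401004 message IDs rather than on the full "ASA-4-40100x" string, so a message whose severity was changed by an administrator still matches, and it filters by the reporting firewall, which is the role the DetectionIP field plays in LEM. The hostnames, IP addresses and log lines are constructed; the assumption that the first IP in a shun message is the shunned address follows the message formats quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines in Cisco ASA format (not real captures).
# The fourth line carries severity 3 instead of the default 4 to show that
# matching on the message ID alone still catches it.
SAMPLE_LOGS = [
    '<164>Mar 10 14:02:11 fw-edge-01 %ASA-4-106023: Deny tcp src outside:203.0.113.7/51234 '
    'dst inside:10.0.0.5/445 by access-group "Inside_Access_in"',
    "<164>Mar 10 14:02:15 fw-edge-01 %ASA-4-401002: Shun added: 203.0.113.7 10.0.0.5 51234 445",
    "<164>Mar 10 14:02:20 fw-edge-01 %ASA-4-401004: Shunned packet: 203.0.113.7 = 10.0.0.5 on interface outside",
    "<163>Mar 10 14:05:00 fw-dmz-02 %ASA-3-401004: Shunned packet: 198.51.100.9 = 10.0.1.8 on interface outside",
    "<164>Mar 10 14:10:00 fw-edge-01 %ASA-4-401003: Shun deleted: 203.0.113.7",
]

# Message IDs from the Cisco ASA syslog reference, as quoted in the thread.
SHUN_MSG_IDS = {
    "401002": "added",     # Shun added
    "401003": "deleted",   # Shun deleted
    "401004": "packets",   # Shunned packet (traffic hit an active shun)
}

# host (the reporting firewall) followed by %ASA-<severity>-<6-digit id>: <text>
ASA_RE = re.compile(r"(?P<host>\S+)\s+%ASA-(?P<sev>\d)-(?P<msgid>\d{6}):\s+(?P<text>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class ShunEvent:
    detection_host: str   # firewall that reported the shun (DetectionIP in LEM terms)
    severity: int
    msg_id: str
    kind: str             # added / deleted / packets
    shunned_ip: str       # assumed: first IP in the message text is the shunned address
    text: str


def parse_shun_event(line: str) -> Optional[ShunEvent]:
    """Return a ShunEvent for a 40100x message, or None for any other line."""
    m = ASA_RE.search(line)
    if not m:
        return None
    kind = SHUN_MSG_IDS.get(m.group("msgid"))
    if kind is None:
        return None  # an ACL deny (106023) or anything else is not a shun
    text = m.group("text")
    ip_match = IPV4_RE.search(text)
    return ShunEvent(
        detection_host=m.group("host"),
        severity=int(m.group("sev")),
        msg_id=m.group("msgid"),
        kind=kind,
        shunned_ip=ip_match.group(0) if ip_match else "",
        text=text,
    )


def find_shun_events(lines: List[str], detection_host: Optional[str] = None) -> List[ShunEvent]:
    """Filter lines to shun events, optionally restricted to one reporting firewall."""
    events = []
    for line in lines:
        ev = parse_shun_event(line)
        if ev is None:
            continue
        if detection_host is not None and ev.detection_host != detection_host:
            continue
        events.append(ev)
    return events


def summarize(events: List[ShunEvent]) -> Dict[str, Dict[str, int]]:
    """Per shunned IP: how many adds, deletes and shunned-packet hits were seen."""
    summary: Dict[str, Dict[str, int]] = {}
    for ev in events:
        counts = summary.setdefault(ev.shunned_ip, {"added": 0, "deleted": 0, "packets": 0})
        counts[ev.kind] += 1
    return summary


if __name__ == "__main__":
    for ev in find_shun_events(SAMPLE_LOGS):
        print(f"{ev.detection_host} sev={ev.severity} {ev.msg_id} {ev.kind:8} {ev.shunned_ip}")
    print(summarize(find_shun_events(SAMPLE_LOGS)))
```

The `summarize` output is the shape an alert rule wants: a 401002 with no later 401003 means the shun is still active, and a growing `packets` count shows the shunned host is still trying. Matching on `msgid` rather than the literal `ASA-4-` prefix is the equivalent of the `*40100*` wildcard suggested above.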