5 Replies Latest reply on May 17, 2016 8:32 AM by nicole pauls

    Firewall Shun

    lem123

      Hi there

      Anybody know if it is possible to create an alert for devices which are shunned by the firewall?

      Thanks

        • Re: Firewall Shun
          nicole pauls

          Which firewall?

          For a Cisco device, you should be able to track when policy changes are being made and look for the 'shun' command being run. Or, shunned IPs should trigger a different block message than regular blocked traffic, and you could track that.

            • Re: Firewall Shun
              lem123

              Thanks for the information.

              Yes, it is a Cisco. I do not have access to our firewall and the network engineer is not here to query this with.

              I am just looking at "All Firewall Events" in LEM and checking event info... any idea what the "event info" is for a shun? I can see "ACL Inside Access in Denied TCP Packet" - could this be it?

              Thanks

                • Re: Firewall Shun
                  nicole pauls

                  With the Cisco device, if traffic is shunned, it should generate a different message than the ACL blocks. The event you pasted, "ACL Inside Access in Denied TCP Packet," is telling you that your "Inside Access in" ACL is what blocked the traffic. A shun is a little bit different.

                  Looking at the shun command, you can't actually turn off logging (some firewalls let you turn off logs for blacklisted/shunned IPs), so you should see messages if a shun is hit.

                  Here are some thoughts on messages to look for, from Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Firewalls] - Cisco:

                  401002 - Shun Added

                  Error Message %ASA-4-401002: Shun added: IP_address IP_address port port

                  401003 - Shun Deleted

                  Error Message %ASA-4-401003: Shun deleted: IP_address

                  401004 - Shunned traffic detected

                  Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name

                  You will see these strings - 401002, 401003, 401004 - in the ProviderSID field coming from LEM. It should include literally "ASA-4-401004", but if someone has changed the severity manually, the 4 will be something else. The easiest approach is probably to clone your firewall filter or create a new one that looks for "Any Alert.ProviderSID = *40100*" (or explicitly 401004, 401003, or 401002, depending on what you want to look for).
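As an added example (not part of the original thread or of LEM itself), the following parser applies the detection logic described above to raw ASA syslog lines: it keys on the message IDs 401002/401003/401004 rather than on the severity digit, separates shun events from ordinary ACL denies, and extracts the addresses from each message. The sample lines are constructed, and the acceptance of "==>" as well as "=" in the 401004 body is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Match on the message ID, not the severity digit: the "4" in ASA-4-40100x
# can be changed by an administrator, so the filter must tolerate any value.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>40100[234]):\s*(?P<body>.*)")
IP = r"(?:\d{1,3}\.){3}\d{1,3}"
BODY_RE = {
    "401002": re.compile(rf"Shun added:\s*(?P<src>{IP})\s+(?P<dst>{IP})\s+(?P<sport>\d+)\s+(?P<dport>\d+)"),
    "401003": re.compile(rf"Shun deleted:\s*(?P<src>{IP})"),
    # The documented template shows "IP_address = IP_address"; "==>" is also accepted (assumption).
    "401004": re.compile(rf"Shunned packet:\s*(?P<src>{IP})\s*=+>?\s*(?P<dst>{IP})\s+on interface\s+(?P<iface>\S+)"),
}
KIND = {"401002": "added", "401003": "deleted", "401004": "hit"}

@dataclass
class ShunEvent:
    msgid: str
    severity: int
    kind: str                  # "added", "deleted" or "hit"
    src: str                   # the shunned address
    dst: Optional[str] = None
    interface: Optional[str] = None

def parse_shun_event(line: str) -> Optional[ShunEvent]:
    """Return a ShunEvent for a 40100x line, or None for any other syslog line."""
    h = HEADER_RE.search(line)
    if not h:
        return None
    msgid = h.group("msgid")
    b = BODY_RE[msgid].search(h.group("body"))
    if not b:
        return None  # ID matched but the body did not follow the documented format
    f = b.groupdict()
    return ShunEvent(msgid, int(h.group("sev")), KIND[msgid], f["src"], f.get("dst"), f.get("iface"))

def shun_summary(lines):
    """Parse a batch of lines; return (shun events, counts per kind). ACL denies are ignored."""
    events = [e for e in map(parse_shun_event, lines) if e]
    counts = {k: 0 for k in KIND.values()}
    for e in events:
        counts[e.kind] += 1
    return events, counts

# Constructed sample syslog lines (not real captured traffic); the third is an
# ordinary ACL deny and the fourth has a manually changed severity of 3.
SAMPLE_LINES = [
    "<164>Jan 12 10:01:02 fw1 %ASA-4-401002: Shun added: 198.51.100.7 192.0.2.10 44321 443",
    "<164>Jan 12 10:01:09 fw1 %ASA-4-401004: Shunned packet: 198.51.100.7 = 192.0.2.10 on interface outside",
    '<164>Jan 12 10:01:10 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51000 dst inside:192.0.2.20/22 by access-group "Inside_Access_in"',
    "<163>Jan 12 10:30:00 fw1 %ASA-3-401004: Shunned packet: 198.51.100.7 = 192.0.2.11 on interface outside",
    "<164>Jan 12 11:00:00 fw1 %ASA-4-401003: Shun deleted: 198.51.100.7",
]

if __name__ == "__main__":
    for event in shun_summary(SAMPLE_LINES)[0]:
        print(event)
```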

                    • Re: Firewall Shun
                      lem123

                      Thanks for the info - that is helpful.

                      I am just creating the rule now - I am new to LEM. Can you point me in the right direction with how to enable this? I have got the correlation in, but I am unsure of how to specify our firewall which is being monitored.

                      Many thanks

                      lem.PNG

                        • Re: Firewall Shun
                          nicole pauls

                          The firewall reporting the shun should be the DetectionIP field. If you look at the events in the LEM console, you should be able to tell if it's the IP or name of the device being reported. (You could potentially use the ToolAlias field and look for something like Cisco* if you wanted to look for ALL firewalls.)