Hi there
Anybody know if it is possible to create an alert for devices which are shunned by the firewall?
Thanks
Which firewall?
For a Cisco device, you should be able to track when policy changes are being made and look for the 'shun' command being run. Or, shunned IPs should trigger a different block message than regular blocked traffic, and you could track that.
Thanks for the information.
Yes it is a Cisco - I do not have access to our firewall and the network engineer is not here to query this with
I am just looking at "All Firewall Events" in LEM - checking event info...any idea what the "event info" is for a shun? I can see "ACL Inside Access in Denied TCP Packet" - this could be it?
Thanks
With the Cisco device, if traffic is shunned, it should generate a different message than the ACL blocks. The event you pasted, "ACL Inside Access in Denied TCP Packet," is telling you that your "Inside Access in" is what blocked the traffic. A shun is a little bit different.
Looking at the shun command, you can't actually turn off logging (some firewalls let you turn off logs for blacklisted/shunned IPs), so you should see messages if a shun is hit.
Here are some thoughts on messages to look for, from Cisco ASA Series Syslog Messages - Syslog Messages 101001-520025 [Cisco ASA 5500-X Series Firewalls] - Cisco
401002 - Shun Added
Error Message %ASA-4-401002: Shun added: IP_address IP_address port port
401003 - Shun Deleted
Error Message %ASA-4-401003: Shun deleted: IP_address
401004 - Shunned traffic detected
Error Message %ASA-4-401004: Shunned packet: IP_address = IP_address on interface interface_name
You will see these strings - 401002, 401003, 401004 - in the ProviderSID field coming from LEM. It should include literally "ASA-4-401004" but if someone has changed the severity manually the 4 will be something else. Easiest approach is probably to clone your firewall filter or create a new one that looks for "Any Alert.ProviderSID = *40100*" (or explicitly 401004, 401003, or 401002 depending on what you want to look for).
Thanks for the info - that is helpful.
I am just creating the rule now - I am new to LEM. Can you point me in the right direction with how to enable this? I have got the correlation in but I am unsure of how to specify our firewall which is being monitored.
Many thanks
The firewall reporting the shun should be the DetectionIP field. If you look at the events in the LEM console, you should be able to tell if it's the IP or name of the device being reported. (You could potentially use the ToolAlias field and look for something like Cisco* if you wanted to look for ALL firewalls.)
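As an added example (not from the thread and not LEM's or Cisco's own code), here is a small Python parser that picks the three shun message IDs quoted above (401002, 401003, 401004) out of raw ASA syslog lines and pulls the fields the replies map to LEM's ProviderSID and DetectionIP. It matches on the six-digit message ID rather than the "%ASA-4-" prefix, so a line whose severity has been changed by an administrator still matches. The log lines, the hostname fw01 and all IP addresses are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Cisco ASA shun-related message IDs, as quoted in the thread. Keyed on the
# six-digit ID so that a manually changed severity digit does not break matching.
SHUN_MSGIDS: Dict[str, str] = {
    "401002": "shun_added",
    "401003": "shun_deleted",
    "401004": "shunned_packet",
}

# Constructed sample syslog (RFC 3164-style header, then the ASA message).
# Hostname and addresses are made up; the 106023 line is an ordinary ACL deny
# included to show that it is NOT picked up as a shun event.
SAMPLE_LOG = """\
<164>Jun 10 12:00:01 fw01 %ASA-4-401002: Shun added: 203.0.113.5 198.51.100.7 0 0
<164>Jun 10 12:00:02 fw01 %ASA-4-401004: Shunned packet: 203.0.113.5 = 198.51.100.7 on interface outside
<164>Jun 10 12:00:03 fw01 %ASA-4-106023: Deny tcp src outside:203.0.113.9/4444 dst inside:10.0.0.5/445 by access-group "Inside Access in"
<164>Jun 10 12:00:04 fw01 %ASA-6-401004: Shunned packet: 203.0.113.5 = 198.51.100.7 on interface outside
<164>Jun 10 12:05:00 fw01 %ASA-4-401003: Shun deleted: 203.0.113.5
"""

# Optional <PRI>, timestamp, reporting host (the LEM DetectionIP equivalent),
# then the "%ASA-<severity>-<msgid>: <text>" message.
_LINE_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$"
)
_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
_ADDED_RE = re.compile(rf"^Shun added: (?P<src>{_IP}) (?P<dst>{_IP}) (?P<sport>\d+) (?P<dport>\d+)$")
_DELETED_RE = re.compile(rf"^Shun deleted: (?P<src>{_IP})$")
_PACKET_RE = re.compile(rf"^Shunned packet: (?P<src>{_IP}) = (?P<dst>{_IP}) on interface (?P<iface>\S+)$")


@dataclass
class ShunEvent:
    detection_host: str   # firewall that reported the event (LEM: DetectionIP)
    provider_sid: str     # e.g. "ASA-4-401004"           (LEM: ProviderSID)
    kind: str             # shun_added / shun_deleted / shunned_packet
    timestamp: str
    source_ip: str        # the shunned address
    dest_ip: Optional[str] = None
    interface: Optional[str] = None


def parse_shun_line(line: str) -> Optional[ShunEvent]:
    """Return a ShunEvent for a 40100x ASA line, or None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m or m["msgid"] not in SHUN_MSGIDS:
        return None
    kind = SHUN_MSGIDS[m["msgid"]]
    if kind == "shun_added":
        body = _ADDED_RE.match(m["text"])
    elif kind == "shun_deleted":
        body = _DELETED_RE.match(m["text"])
    else:
        body = _PACKET_RE.match(m["text"])
    if not body:
        return None  # right message ID but unexpected body layout; skip rather than guess
    fields = body.groupdict()
    return ShunEvent(
        detection_host=m["host"],
        provider_sid=f"ASA-{m['sev']}-{m['msgid']}",
        kind=kind,
        timestamp=m["ts"],
        source_ip=fields["src"],
        dest_ip=fields.get("dst"),
        interface=fields.get("iface"),
    )


def find_shun_events(log_text: str) -> List[ShunEvent]:
    """Parse every line of a syslog dump and keep only the shun events."""
    return [ev for ev in (parse_shun_line(l) for l in log_text.splitlines()) if ev]


def shunned_packet_counts(events: List[ShunEvent]) -> Dict[str, int]:
    """Count 401004 hits per shunned source IP; handy as an alert threshold."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.kind == "shunned_packet":
            counts[ev.source_ip] = counts.get(ev.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    events = find_shun_events(SAMPLE_LOG)
    for ev in events:
        print(ev)
    print(shunned_packet_counts(events))
```

The same idea carries over to a LEM rule: filter on the message ID portion of ProviderSID and group by DetectionIP, rather than on the full "ASA-4-401004" string, so a changed severity does not silently drop matches.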