4 Replies Latest reply on Apr 27, 2012 5:06 PM by nicole pauls

    FEATURE REQUEST: Track Cisco firewall NAT builds in LEM normalized database

    gary.landau

      I believe it would be a great value for the LEM database to collect NAT information so that one can identify who traffic is originating from.  The LEM would need to track the internal (private) IP that is associated with a public IP address and port number at a specified date and time.  Tracking the associated user of the private IP would be an even bigger plus.  This type of forensic information is essential in investigating copyright violations and other security issues.

       

      Currently, the LEM discards (Cisco ASA firewall) syslog information about NAT builds and teardowns.  At least there is a workaroundm which is to enable the raw log collection.  However, this consumes are great deal of storage and isn't as readily searchable.  Adding this functionality would help the LEM become a better security tool.

        • Re: FEATURE REQUEST: Track Cisco firewall NAT builds in LEM normalized database
          nicole pauls

          With regards to the buildup NAT events from the ASA, we've actually recently developed a mechanism where customers can "opt in" to receiving these events in their normalized alert stream by reassigning their severity level to one we'll look for and normalize.

           

          There are a few things to consider:

          1. If it's "accepted traffic" that you're interested in monitoring, consider using the "log" target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you're made aware of.
          2. If it's the information about the actual NAT (as posted above) that you're interested in monitoring, consider the event load this will create. You might want to plan a "test phase" where you turn it on, determine if it's valuable to you for investigating (try some test scenarios), and then turn it off if you determine it's more noise than it's worth. Some people do find value in it, some people choose to turn it back off because of the noise.
          3. You can always consider the nDepth original log message store, as described above, if you're interested in unmodified log data (vs. the normalized data). For some people, this is a better solution, but it does consume disk space.
          4. Consider whether you need both buildups and teardowns, or just buildup messages. The teardown NAT messages include the same info as the built messages, along with some duration and size info that may or may not be useful. A lot of colleges & universities that are using the built messages do not rely on the teardown messages, they only need to know a connection was established for verification/analysis/correlation.
          5. Look at your own syslog data to determine which buildup and/or teardown events are of interest and use to you. There's a big list, but if it's really only one or two you care about, you can just enable those instead of everything.

           

          To enable the buildup NAT events to be caught by the latest LEM connector, you'll need to adjust the severity level of those events to "0" from "6" (the default). For info about changing the severity level of an ASA message, check out this Cisco command reference link.  The primary "built" event you'll be interested in for TCP tracking is 302013. Others include 302015, 302017, 302020, 302303, 305009, 305011, and 609011, but you'll want to check the descriptions in the Cisco System Log Messages Guide (will take a bit to load) to make sure those are of interest to you. LEM out of the box will capture 302003, 302009, and 603108 as we've determined these are low-noise high-relevance.

           

          Similarly, you can enable teardown NAT events. The teardown sibling to 302013 is 302014, but others include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. LEM out of the box will capture 603019 (the sibling to 603019).

           

          Currently if you follow these instructions the LEM connector download out on the portal will only capture the buildup NAT TCP event, but we're working on an update that will capture the others after multiple customer requests. You can prepare by following these instructions (the events will be dropped for now), and I'll update this post when that update is live.

          • Re: FEATURE REQUEST: Track Cisco firewall NAT builds in LEM normalized database
            nicole pauls

            Also, Gary, I think support contacted you yesterday with the same answer, but I'm happy to close the loop here on thwack, too!