Blog :: General :: Network Operations :: Security Operations

Cisco Zone-Based Firewall Logging Support

We recently upgraded a few of our Cisco IOS routers to version 15.4(2)T and enabled zone-based firewall logging, which allowed us to export firewall logs in NetFlow!  Check out the rest of the blog on what event types Cisco supports and an example configuration!

A Zone-Based Policy Firewall, also known as Zone-Policy Firewall or ZFW, changes the firewall configuration from the interface-based model to a zone-based model.  Interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones.  Figure 1 shows an example of these zones, here we have 3 – the DMZ, Private (LAN), and Internet (WAN) zones.



Figure 1: Basic Security Zone Topology [Source: Cisco]

Whether you already have the zones setup or are just starting out, the firewall event logs being exported in Cisco NetFlow is new for everyone (at the time of this blog)!  From the Cisco documentation on Zone-Based Firewall NetFlow Support, the router can now export the following event types:

  •  Audit Events
    • Start Audit Record and Stop Audit Record.
    • Logs messages when sessions are created and deleted.
  •  Drop Events
    • Packet Drop notifications.
    • Logs messages when the following events are dropped—unknown protocols, unseen flows, Out-of-Order (OoO) packets, etc.
  •  Alert Events
    • TCP Half Open Alert
    • Half Open Session Alert
    • Maximum-Open sessions
    • Logs TCP half-open alert messages when the TCP half-open alert threshold values exceed the configured limit.

Now that we know the events we can collect, we need to setup the configuration on the router.  The process for this as follows:

  1. Define a flow exporter and option templates.
  2. Attach the flow exporter to a global parameter map.

Zone-Based Firewall NetFlow Configuration Example

flow exporter export-to-scrutinizer
description flexible NF v9
destination 10.xx.xx.xx
source Loopback0
transport udp 2055
template data timeout 60
option interface-table
option exporter-stats
option application-table
option inspect-class-table
option inspect-protocol-table
option inspect-ext-event-table
option inspect-zonepair-table
parameter-map type inspect global
alert on
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
exporter export-to-scrutinizer

Cisco NetFlow Firewall Logging Support

By looking at the NetFlow data, you are be able to see these Firewall events (see Figure 2).  We have a pair host-to-host report showing both the firewall event and the summation of that event in the given time frame.


Figure 2: Cisco Zone-Based Firewall Log Export Support

We need to keep in mind some differences with this NetFlow Export.  This export is a NetFlow version 9 biflow (exports both bytes and reverse bytes) and if a flow is denied it will show the conversation having 0 bytes (from reverse bytes).  Also, no interfaces or no packet counters are exported.  Even with these caveats, the data we can gain insight into is useful from a correlation and a security forensic investigation standpoint.  Having this event data in NetFlow allows us to quickly go from firewall log events to “typical” NetFlow tuple data.

More on Firewall Logging Support

If you found this blog on zone-based firewall logging helpful, check out this webcast on Cisco High Speed LoggingThe webcast goes over how to leverage built-in support for HSL flow exports, which provide details on NAT, firewall events, zones, classes, VRF, NBAR, and more.  If you have any questions on setting up your Cisco NetFlow exports, feel free to comment below or reach out to the Plixer Support Team at 207-324-8805 x4.