Newbie, need help deciphering firewall log files (Cisco ASA 5520)


"Your questions should be reasonably scoped. If you can imagine an entire book that answers your question, you’re asking too much."

The below information might help you along, but understanding the "why" and having experience knowing what is taking place is going to be crucial to determine whether the traffic is legitimate or not.

This is a connection-related message. This message is logged when a TCP connection is terminated. The duration and byte count for the session are reported. If the connection required authentication, the username is reported in the last field of the message.

The below indicates how the connection ended. Typical status indicators:

  • TCP FINs - The remote server tore down the connection (typical for HTTP or FTP connections)
  • TCP Reset-I - The client tore down the connection (typical in an SMTP or IMAP exchange)
  • TCP Reset-O - The server was not listening on that protocol at that time (usually seen as coming from SMTP servers)
  • FIN Timeout - Forced termination after 15 seconds awaiting the last ACK
  • SYN Timeout - Forced termination after two minutes awaiting three-way handshake completion
  • Deny - Terminated by application inspection
  • SYN Control - Back channel initiation from wrong side
  • Uauth Deny - Denied by URL filter
  • Xlate Clear - Command-line removal (when the administrator sends the "clear xlate" command)
  • Unknown - None of the indicators above (but yet terminated)
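As an added example (not part of the answer above and not Cisco's code), the following Python script turns the four message types quoted in the question (Built, Teardown, Deny ... by access-group, Inbound TCP connection denied) into a per-source summary, tagging every Teardown line with the status-indicator meaning from the list above. The regexes accept both the full ASA syslog form (with the %ASA-n-nnnnnn prefix, connection id, NAT mapping in parentheses and byte count) and the bare, redacted form in the question; the addresses in the constructed sample log are RFC 5737 documentation addresses standing in for the redacted * fields, and the message ids 302013, 302014, 106023 and 106001 are the ASA ids these messages carry in my experience.

```python
"""Classify Cisco ASA TCP connection log lines and summarise them per source."""
import re
from collections import Counter, defaultdict

# Teardown status indicators, with the one-line meaning the answer gives each.
TEARDOWN_REASONS = {
    "TCP FINs": "remote server tore down the connection",
    "TCP Reset-I": "client tore down the connection",
    "TCP Reset-O": "server was not listening on that protocol",
    "FIN Timeout": "forced termination awaiting the last ACK",
    "SYN Timeout": "forced termination: three-way handshake never completed",
    "Deny": "terminated by application inspection",
    "SYN Control": "back-channel initiation from the wrong side",
    "Uauth Deny": "denied by URL filter",
    "Xlate Clear": "administrator ran 'clear xlate'",
    "Unknown": "none of the listed indicators",
}

# Optional syslog prefix, so the bare message text quoted in the question matches too.
_PREFIX = r"^(?:.*%ASA-\d-(?P<msgid>\d{6}):\s*)?"
# interface:address/port; the port is optional and '*' (redacted) is accepted as an address.
_HOST = r"(?P<{n}_if>[\w-]+):(?P<{n}>[^\s/]+)(?:/(?P<{n}_port>\d+))?"

PATTERNS = {
    "built": re.compile(
        _PREFIX + r"Built (?P<direction>inbound|outbound) TCP connection (?:\d+ )?for "
        + _HOST.format(n="src") + r"(?: \([^)]*\))? to "
        + _HOST.format(n="dst") + r"(?: \([^)]*\))?"),
    "teardown": re.compile(
        _PREFIX + r"Teardown TCP connection (?:\d+ )?for "
        + _HOST.format(n="src") + r" to " + _HOST.format(n="dst")
        + r" duration (?P<duration>\S+)(?: bytes (?P<bytes>\d+))? (?P<reason>.+?)\s*$"),
    "acl_deny": re.compile(
        _PREFIX + r"Deny (?P<proto>\w+) src " + _HOST.format(n="src")
        + r" dst " + _HOST.format(n="dst") + r' by access-group "(?P<acl>[^"]+)"'),
    "conn_denied": re.compile(
        _PREFIX + r"Inbound (?P<proto>\w+) connection denied from "
        r"(?P<src>[^\s/]+)(?:/(?P<src_port>\d+))? to (?P<dst>[^\s/]+)(?:/(?P<dst_port>\d+))?"
        r" flags (?P<flags>.+?) on interface (?P<iface>\S+)"),
}


def parse_line(line):
    """Return (kind, fields) for a recognised line, or None for anything else."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line.strip())
        if m:
            fields = {k: v for k, v in m.groupdict().items() if v is not None}
            if kind == "teardown":
                fields["meaning"] = TEARDOWN_REASONS.get(
                    fields["reason"], "not in the indicator list above")
            return kind, fields
    return None


def summarize(lines):
    """Per source address: connections the ASA built, how each ended, packets dropped."""
    report = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "built":
            report[f["src"]]["built_" + f["direction"]] += 1
        elif kind == "teardown":
            report[f["src"]]["teardown:" + f["reason"]] += 1
            # A SYN Timeout teardown means the handshake never completed.
            if f["reason"] == "SYN Timeout":
                report[f["src"]]["handshake_never_completed"] += 1
        else:  # acl_deny or conn_denied: the packet was dropped outright
            report[f["src"]]["dropped"] += 1
    return {src: dict(counts) for src, counts in report.items()}


# Constructed sample log: same message formats as the question, with RFC 5737
# documentation addresses in place of the redacted '*' fields.
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.5/51234 (203.0.113.5/51234) to webservers:10.1.1.8/443 (192.0.2.8/443)
%ASA-6-302014: Teardown TCP connection 4711 for outside:203.0.113.5/51234 to webservers:10.1.1.8/443 duration 0:00:12 bytes 4096 TCP FINs
%ASA-6-302013: Built inbound TCP connection 4712 for outside:203.0.113.5/51235 (203.0.113.5/51235) to public:192.0.2.20/22 (192.0.2.20/22)
%ASA-6-302014: Teardown TCP connection 4712 for outside:203.0.113.5/51235 to public:192.0.2.20/22 duration 0:02:00 bytes 0 SYN Timeout
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst public:192.0.2.21/3389 by access-group "outside" [0x0, 0x0]
%ASA-6-106001: Inbound TCP connection denied from 203.0.113.5/51237 to 192.0.2.20/23 flags SYN on interface outside
Teardown TCP connection for outside:* to webservers:* duration * Failover primary close
"""

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE_LOG.splitlines()).items():
        print(src, counts)
```

A Built line records that the ASA accepted the first packet against its access list and created a connection entry; whether the remote host then got a completed handshake is told by the matching Teardown line, which is why the summary counts SYN Timeout teardowns separately from connections that ended with TCP FINs. Deny and "connection denied" lines are packets the ASA dropped without ever building a connection.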

Updated on September 18, 2022

Comments

  • user177033
    user177033 almost 2 years

    I'm not very familiar with firewall log files, or many of the terms involved in server connections. The lines in question involve a foreign, unauthorized IP interacting with a firewall (Cisco ASA 5520) over several months. What generally do the following terms deal with: FINs, Failover primary close, SYN Timeout, FIN Timeout, Teardown TCP connection, Deny tcp src? And does "Built inbound/outbound connection" actually mean that the IP address was successful in passing through the firewall, or just that it is part of the whole 'handshake' phase of connections (I suspect the latter but I'd like to be safe)? Some sample lines from the log file would be:

    Teardown TCP connection for outside:* to webservers:* duration * TCP FINs
    Teardown TCP connection for outside:* to webservers:* duration * Failover primary close
    Teardown TCP connection for outside:* to filtering:* duration * SYN Timeout
    Built inbound TCP connection for outside:* to webservers:*
    Built outbound TCP connection for outside:* to filtering:*
    Built inbound TCP connection for outside:* to public:*
    Deny tcp src outside:* dst public:* by access-group "outside"
    Inbound TCP connection denied from * to * flags SYN on interface outside
    Teardown TCP connection for outside:* to public:* duration * FIN Timeout

    If anybody could point me in the right direction or provide any help, I would very much appreciate it. I'm just looking for that first leg up onto figuring this thing out. Thanks!