Pix syslog meldingen ( Messages 106001 to 112001 )

In Cisco , Pix Firewall , door: Martin Gepubliceerd op





Messages 106001 to 112001

Log Message %PIX-2-106001: Inbound TCP connection denied from IP_addr/port
to IP_addr/port flags TCP_flags

Explanation This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible TCP_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The TCP_flags in this packet are FIN,ACK.

The TCP_flags are as follows:

•ACK—The acknowledgment number was received.

•FIN—Data was sent.

•PSH—The receiver passed data to the application.

•RST—The connection was reset.

•SYN-—Sequence numbers were synchronized to start a connection.

•URG—The urgent pointer was declared valid.



Recommended Action:
None required.

Log Message %PIX-2-106002: protocol Connection denied by outbound list
list_ID src laddr lport dest faddr fport

Explanation This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable is 1 for ICMP, 6 for TCP, and 17 for UDP. In some 4.4 versions, protocol may also display as the protocol name; such as, TCP.

For ICMP connections, fport may also be one of the following values corresponding to the ICMP message type:

•0 - Echo Reply

•3 - Destination Unreachable

•4 - Source Quench

•5 - Redirect

•8 - Echo Request

•11 - Time Exceeded

•12 - Parameter Problem

•13/14 - Timestamp Request/Reply

•15/16 - Information Request/Reply

•A1 - Address Format Request

•A2 - Address Format Reply



Recommended Action:
Use the show outbound command to check outbound lists.

Log Message %PIX-2-106003: Connection denied src laddr dest faddr due to
JAVA Applet.

Explanation This is a connection-related message. This message is logged if JAVA filtering is enabled, and a JAVA applet is prevented from downloading to a user on the inside network.



Recommended Action:
Use the show outbound command to check outbound lists for JAVA access restrictions.

Log Message %PIX-2-106006: Deny inbound UDP from laddr/lport to faddr/fport

Explanation This is a connection-related message. This message is logged if an inbound UDP packet is denied by your security policy.



Recommended Action:
None required.

Log Message %PIX-2-106007: Deny inbound UDP from faddr/fport to laddr/lport
due to DNS flag.

Explanation This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied. The flag variable is either Response or Query.



Recommended Action:
If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Set up a conduit for port 53. If the outside port number is 53, the most likely cause is that a DNS server was too slow to respond, and the query was already answered by another server.

Log Message %PIX-2-106009: Translation for src_addr to dest_addr/dport
denied by outbound (destination is denied) port

Explanation This is a connection-related message. This message is logged if the specified outbound list prevents an address translation request from being fulfilled. port may also be the ICMP message type (refer to message %PIX-2-106002 for a list of ICMP message type values).



Recommended Action:
Use the show outbound command to verify the outbound list.

Log Message %PIX-3-106010: Deny inbound from outside:IP_addr to
inside:IP_addr chars.

Explanation This is a connection-related message. This message is logged if an inbound connection is denied by your security policy.



Recommended Action:
None required.

Log Message %PIX-7-106011: Deny inbound (no xlate) chars

Explanation This is a connection-related message. This message occurs when a packet is sent to the same interface that it arrived on. This usually indicates that a security breach is occurring. When the PIX Firewall receives a packet, it tries to establish a translation slot based on the security policy you set with the global and conduit commands, and your routing policy set with the route command. Failing both policies, PIX Firewall allows the packet to flow from the higher priority network to a lower priority network, if it is consistent with the security policy. If a packet comes from a lower priority network and the security policy does not allow it, PIX Firewall routes the packet back to the same interface.

To provide access from an interface with a higher security to a lower security, use the nat and global commands. For example, use the nat command to let inside users access outside servers, to let inside users access perimeter servers, and to let perimeter users access outside servers.

To provide access from an interface with a lower security to higher security, use the static and conduit commands. For example, use the static and conduit commands to let outside users access inside servers, outside users access perimeter servers, or perimeter servers access inside servers.



Recommended Action:
Fix your configuration to reflect your security policy for handling these attack events.

Log Message %PIX-2-106012: Deny IP from IP_addr to IP_addr, IP options hex.

Explanation This is a connection-related message. A IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.



Recommended Action:
A security breach was probably attempted. Check the local site for loose source or strict source routing.

Log Message %PIX-2-106013: Dropping echo request from IP_addr to PAT
address IP_addr

Explanation This message is logged when the PIX Firewall discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet can not specify which PAT host should receive the packet.



Recommended Action:
None required.

Log Message %PIX-3-106014: Deny inbound icmp src interface name: IP_addr
dst interface name: IP_addr (type dec, code dec)

Explanation This message is logged when the PIX Firewall denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command.



Recommended Action:
None required.

Log Message %PIX-6-106015: Deny TCP (no connection) from IP_addr/port to
IP_addr/port flags.

Explanation This message is logged when the PIX Firewall discards a TCP packet that has no associated connection in the PIX Firewall unit's connection table. PIX Firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the PIX Firewall discards the packet.



Recommended Action:
None required unless the PIX Firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

Log Message %PIX-2-106016: Deny IP spoof from (IP_addr) to IP_addr

Explanation This message is logged when the PIX Firewall discards a packet with an invalid source address. Invalid sources addresses are those addresses belonging to (i) loopback network (127.0.0.0), (ii) broadcast (limited, net-directed, subnet-directed, and all-subnets-directed), or (iii) the destination host (land.c). Furthermore, if sysopt connection enforcesubnet is enabled, PIX Firewall discards packets with a source address belonging to the destination subnet from traversing the PIX Firewall and logs this message.

To further enhance spoof packet detection, use the conduit command to configure the PIX Firewall to discard packets with source addresses belonging to the internal network.



Recommended Action:
Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.

Log Message %PIX-2-106017: Packet contains ActiveX content and has been
modified src laddr dest to faddr

Explanation This message is logged after you turn on the activex option using the filter command, and the PIX Firewall detects an ActiveX object. The activex option allows the PIX Firewall to filter out ActiveX contents by modifying it so that it no longer is tagged as an HTML object.



Recommended Action:
None required.

Log Message %PIX-2-106018: ICMP packet type ICMP_type denied by outbound
list list_ID src laddr dest faddr

Explanation This message is logged because outgoing ICMP packet with type ICMP_type from local host lhost to foreign host fhost is denied by outbound list list_ID.



Recommended Action:
None required.

Log Message %PIX-2-108002: SMTP replaced chars: out src_addr in laddr data:
chars

Explanation This is a Mail Guard (SMTP) message. This message

RSS Twitter e-mail