Logging for Access Control Lists

This chapter describes how to configure ACL logging for extended ACLs and Webytpe ACLs, and it describes how to manage deny flows.

This chapter includes the following sections:

Configuring Logging for ACLs

This section includes the following topics:

Information About Logging ACL Activity

By default, when traffic is denied by an extended ACE or a Webtype ACE, the ASA generates syslog message 106023 for each denied packet in the following form:

%ASA|PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_id
 

If the ASA is attacked, the number of syslog messages for denied packets can be very large. We recommend that you instead enable logging using syslog message 106100, which provides statistics for each ACE and enables you to limit the number of syslog messages produced. Alternatively, you can disable all logging.

Note Only ACEs in the ACL generate logging messages; the implicit deny at the end of the ACL does not generate a message. If you want all denied traffic to generate messages, add the implicit ACE manually to the end of the ACL, as shown in the following example:

ciscoasa(config)# access-list TEST deny ip any any log
 

 

The log options at the end of the extended access-list command enable you to set the following behavior:

  • Enable message 106100 instead of message 106023
  • Disable all logging
  • Return to the default logging using message 106023

Syslog message 106100 uses the following form:

%ASA|PIX-n-106100: access-list acl_id {permitted | denied} protocol interface_name/source_address(source_port) -> interface_name/dest_address(dest_port) hit-cnt number ({first hit | number-second interval})
 

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA generates a syslog message at the first hit and at the end of each interval, identifying the total number of hits during the interval and the timestamp for the last hit. At the end of each interval, the ASA resets the hit count to 0. If no packets match the ACE during an interval, the ASA deletes the flow entry.

A flow is defined by the source and destination IP addresses, protocols, and ports. Because the source port might differ for a new connection between the same two hosts, you might not see the same flow increment because a new flow was created for the connection. See the Managing Deny Flows to limit the number of logging flows.

Permitted packets that belong to established connections do not need to be checked against ACLs; only the initial packet is logged and included in the hit count. For connectionless protocols, such as ICMP, all packets are logged, even if they are permitted, and all denied packets are logged.

See the syslog messages guide guide for detailed information about this syslog message.

Licensing Requirements for ACL Logging

The following table shows the licensing requirements for this feature:

 

Model
License Requirement

ASAv

Standard or Premium License.

All other models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

ACE logging generates syslog message 106023 for denied packets. A deny ACE must be present to log denied packets.

Default Settings

Table 25-1 lists the default settings for extended ACL parameters.

 

Table 25-1 Default Extended ACL Parameters

Parameters
Default

log

When the log keyword is specified, the default level for syslog message 106100 is 6 (informational), and the default interval is 300 seconds.

Configuring ACL Logging

This sections describes how to configure ACL logging.

Note For complete ACL command syntax, see the Configuring Extended ACLs and the Using Webtype ACLs.

To configure logging for an ACE, enter the following command:

 

Command
Purpose
access-list access_list_ name [ extended ] {deny | permit}... [ log [[ level ] [ interval secs ] | disable | default ]]
 
ciscoasa(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
 

Configures logging for an ACE.

The access-list access_list_name syntax specifies the ACL for which you want to configure logging.

The extended option adds an ACE.

The deny keyword denies a packet if the conditions are matched. Some features do not allow deny ACEs, such as NAT. (See the command documentation for each feature that uses an ACL for more information.)

The permit keyword permits a packet if the conditions are matched.

If you enter the log option without any arguments, you enable syslog message 106100 at the default level (6) and for the default interval (300 seconds). See the following options:

  • level —A severity level between 0 and 7. The default is 6.
  • interval secs —The time interval in seconds between syslog messages, from 1 to 600. The default is 300. This value is also used as the timeout value for deleting an inactive flow.
  • disable —Disables all ACL logging.
  • default —Enables logging to message 106023. This setting is the same as having no log option.

(See the access-list command in the Cisco Security Appliance Command Reference for more information about command options.)

Monitoring ACLs

To monitor ACLs, enter one of the following commands:

 

Command
Purpose
show access-list

Displays the ACL entries by number.
show running-config access-list

Displays the current running ACL configuration.

Configuration Examples for ACL Logging

This section includes sample configurations for logging ACLs.

You might configure the following ACL:

ciscoasa(config)# access-list outside-acl permit ip host 1.1.1.1 any log 7 interval 600
ciscoasa(config)# access-list outside-acl permit ip host 2.2.2.2 any
ciscoasa(config)# access-list outside-acl deny ip any any log 2
ciscoasa(config)# access-group outside-acl in interface outside
 

When the first ACE of outside-acl permits a packet, the ASA generates the following syslog message:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
 

Although 20 additional packets for this connection arrive on the outside interface, the traffic does not have to be checked against the ACL, and the hit count does not increase.

If one or more connections by the same host are initiated within the specified 10-minute interval (and the source and destination ports remain the same), then the hit count is incremented by 1, and the following syslog message displays at the end of the 10-minute interval:

%ASA|PIX-7-106100: access-list outside-acl permitted tcp outside/1.1.1.1(12345)-> inside/192.168.1.1(1357) hit-cnt 2 (600-second interval)
 

When the third ACE denies a packet, the ASA generates the following syslog message:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 1 (first hit)
 

If 20 additional attempts occur within a 5-minute interval (the default), the following syslog message appears at the end of 5 minutes:

%ASA|PIX-2-106100: access-list outside-acl denied ip outside/3.3.3.3(12345) -> inside/192.168.1.1(1357) hit-cnt 21 (300-second interval)
 

Feature History for ACL Logging

Table 25-2 lists the release history for this feature.

 

Table 25-2 Feature History for ACL Logging
Feature Name
Releases
Feature Information

ACL logging

7.0(1)

You can enable logging using syslog message 106100, which provides statistics for each ACE and lets you limit the number of syslog messages produced.

We introduced the following command: access-list.

ACL Timestamp

8.3(1)

The ASA reports the timestamp for the last access rule hit.

Managing Deny Flows

This section includes the following topics:

Information About Managing Deny Flows

When you enable logging for message 106100, if a packet matches an ACE, the ASA creates a flow entry to track the number of packets received within a specific interval. The ASA has a maximum of 32 K logging flows for ACEs. A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption of memory and CPU resources, the ASA places a limit on the number of concurrent deny flows; the limit is placed on deny flows only (not on permit flows) because they can indicate an attack. When the limit is reached, the ASA does not create a new deny flow for logging until the existing flows expire.

For example, if someone initiates a DoS attack, the ASA can create a large number of deny flows in a short period of time. Restricting the number of deny flows prevents unlimited consumption of memory and CPU resources.

When you reach the maximum number of deny flows, the ASA issues syslog message 106100:

%ASA|PIX-1-106101: The number of ACL log deny-flows has reached limit (number).
 

The access-list alert-interval command sets the time interval for generating syslog message 106001. Syslog message 106001 alerts you that the ASA has reached a deny flow maximum. When the deny flow maximum is reached, another syslog message 106001 is generated if at least six seconds have passed since the last 106001 message was generated.

Licensing Requirements for Managing Deny Flows

The following table shows the licensing requirements for this feature:

 

Model
License Requirement

All models

Base License.

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

Supported in single and multiple context mode.

Firewall Mode Guidelines

Supported only in routed and transparent firewall modes.

IPv6 Guidelines

Supports IPv6.

Additional Guidelines and Limitations

The ASA places a limit on the number of concurrent deny flows only—not permit flows.

Default Settings

Table 25-1 lists the default settings for managing deny flows.

 

Table 25-3 Default Parameters for Managing Deny Flows

Parameters
Default

numbers

The numbers argument specifies the maximum number of deny flows. The default is 4096.

secs

The secs argument specifies the time, in seconds, between syslog messages. The default is 300.

Managing Deny Flows

To configure the maximum number of deny flows and to set the interval between deny flow alert messages (106100), enter the following command:

 

Command
Purpose
access-list deny-flow-max number
 
ciscoasa(config)# access-list deny-flow-max 3000
 

Sets the maximum number of deny flows.

The numbers argument specifies the maximum number, which can be between 1 and 4096. The default is 4096.

To set the amount of time between syslog messages (number 106101), which identifies that the maximum number of deny flows was reached, enter the following command:

 

Command
Purpose
access-list alert-interval secs
 
ciscoasa(config)# access-list alert-interval 200

Sets the time, in seconds, between syslog messages.

The secs argument specifies the time interval between each deny flow maximum message. Valid values are from 1 to 3600 seconds. The default is 300 seconds.

Monitoring Deny Flows

To monitor ACLs, enter one of the following commands:

 

Command
Purpose
show access-list

Displays access list entries by number.
show running-config access-list

Displays the current running ACL configuration.

Feature History for Managing Deny Flows

Table 25-2 lists the release history for this feature.

 

Table 25-4 Feature History for Managing Deny Flows
Feature Name
Releases
Feature Information

Managing Deny Flows

7.0(1)

You can configure the maximum number of deny flows and set the interval between deny flow alert messages.

We introduced the following commands: access-list deny-flow and access-list alert-interval.