VMware Cloud Community
AbhishekB
Contributor

vShield App Syslog Issues

Hi,

I have set up a new vShield App on a 2-host vSphere 5.0.1 cluster, have installed vShield Manager 5.0.1 and set up the firewall VMs for both hosts in my cluster, and am in the process of evaluating the App product for my customer's security requirements. I start by evaluating some very basic rules such as block/allow ICMP traffic for a protected VM, allow traffic on a certain port only and block everything else, use of zones, etc.

The rules seem to function okay; however, the syslog function seems to be a little out of place, or maybe it's my understanding that needs to be improved. So, here's what's happening. As soon as I block or allow certain traffic and look at my syslog server, I see a bunch of messages stating that something has changed on the firewall, followed by a warning message stating a block or allow of a packet. Then, if I continue to ping my VM under a block-ICMP rule, I see no further packet drops being logged (logging is set to info). Now, as soon as I change this rule to allow, I see another change in the syslog with a bunch of messages and then a warning message stating allow, and then nothing: no packet-level info after that.

So, unless I change the behaviour to allow or block, I don't see any packet information. The only packet information I see is a warning stating allow or block when I change the rule. Is this default vShield App syslog behaviour, or am I missing something? I have tried reading the admin guide and quick start guide, and they do not have much information on it.


Can someone please guide me on this?

Thanks!

Abhi

6 Replies
termita_kaesar
Enthusiast

Hi,

Did you configure the syslog server in each vShield App? In my case, this feature works fine!

You must configure the syslog server in each vShield App; I think that you only configured it in the vShield console.

Go to the administrative web UI and, for each host, on the "Summary" tab, you can configure these options.

Cesar Garcia Descom, SL
AbhishekB
Contributor

@Termita: Yes, I have configured the syslog server in each ESX host's vShield tab syslog option and set it to info; however, the real problem is not with the syslog configuration. The problem is that I am not seeing per-packet logging when the firewall drops or allows a packet such as ICMP. In your testing or configuration, are you seeing a per-packet result in your syslog server?

termita_kaesar
Enthusiast

Yes, for example:

Jul 23 13:57:18 localhost kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=******* DST=******* LEN=576 TOS=0x00 PREC=0x00 TTL=56 ID=9077 PROTO=ICMP TYPE=3 CODE=1 [SRC=******* DST=******* LEN=1492 TOS=0x00 PREC=0x00 TTL=47 ID=3408 DF PROTO=TCP SPT=143 DPT=50285 WINDOW=108 RES=0x00 ACK URGP=0 ]
Jul 23 13:57:18 localhost kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=******* DST=******* LEN=576 TOS=0x00 PREC=0x00 TTL=56 ID=9078 PROTO=ICMP TYPE=3 CODE=1 [SRC=******* DST=******* LEN=1492 TOS=0x00 PREC=0x00 TTL=47 ID=3409 DF PROTO=TCP SPT=143 DPT=50285 WINDOW=108 RES=0x00 ACK URGP=0 ]
Jul 23 13:57:18 localhost kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=******* DST=******* LEN=576 TOS=0x00 PREC=0x00 TTL=56 ID=9079 PROTO=ICMP TYPE=3 CODE=1 [SRC=******* DST=******* LEN=1492 TOS=0x00 PREC=0x00 TTL=47 ID=3410 DF PROTO=TCP SPT=143 DPT=50285 WINDOW=108 RES=0x00 ACK URGP=0 ]
And I use these logs to trace the new policies before dropping traffic.
In my case, I only had to configure my syslog server, open port 514, configure each host's App and configure a filter with logging.
Is there connectivity between your firewall App and the syslog server? Try a ping. Is your syslog server a virtual machine? Try excluding the syslog server from the vShield App.
But it must work.
Cesar Garcia Descom, SL
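The per-packet VMWALL_L3 lines quoted above are iptables-style key=value records: the rule id and verdict sit between "-(" and ")-", and when the logged packet is an ICMP error (TYPE=3 CODE=1, destination unreachable / host unreachable) the header of the packet that triggered it follows in square brackets. As an added example, not code from the thread or from VMware, here is a small Python parser that extracts the rule id, verdict, interfaces and header fields, treats the bracketed part as a nested header record, and summarizes drops per rule and per source. The sample lines are constructed (RFC 5737 addresses); the "ALLOW" verdict token is an assumption based on the poster's wording, and any other field names vShield emits are kept generically as key=value pairs.

```python
"""Parser for vShield App (VMWALL_L3) per-packet syslog lines.

Added example, not code from the forum post or from VMware. The layout follows
the iptables-style lines quoted in the thread:
  ... kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=... PROTO=ICMP TYPE=3 CODE=1 [SRC=... PROTO=TCP SPT=143 DPT=50285 ... ]
The bracketed part is the header of the packet that caused the ICMP error and
is parsed as a nested record.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Timestamp, host, "kernel:", then the rule id and verdict between "-(" and ")-".
_HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+VMWALL_L3\s+"
    r"-\((?P<rule>\d+)-(?P<verdict>[A-Z]+)\)-\s+(?P<rest>.*)$"
)
_INNER_RE = re.compile(r"\[(?P<inner>[^\]]*)\]")   # nested header of an ICMP error
_KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S+)")


def _fields(text):
    """Split 'K=V K=V FLAG' text into a dict; bare flags (DF, SYN, ACK) map to True."""
    out = {}
    for tok in text.split():
        m = _KV_RE.fullmatch(tok)
        if m:
            out[m.group("key")] = m.group("val")
        else:
            out[tok] = True
    return out


@dataclass
class VmwallEvent:
    timestamp: str
    host: str
    rule_id: int
    verdict: str            # DROP, or the allow token the appliance emits (ALLOW assumed here)
    fields: dict            # outer IP/transport header fields
    inner: dict = field(default_factory=dict)  # header quoted inside an ICMP error, if any


def parse_line(line):
    """Return a VmwallEvent, or None if the line is not a VMWALL_L3 record."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    inner = {}
    im = _INNER_RE.search(rest)
    if im:
        inner = _fields(im.group("inner"))
        rest = rest[:im.start()] + rest[im.end():]   # keep only the outer header
    return VmwallEvent(m.group("ts"), m.group("host"), int(m.group("rule")),
                       m.group("verdict"), _fields(rest), inner)


def summarize(lines):
    """Count events per (rule id, verdict) and drops per source; non-matching lines are skipped."""
    by_rule = Counter()
    drops_by_src = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        by_rule[(ev.rule_id, ev.verdict)] += 1
        if ev.verdict == "DROP":
            drops_by_src[ev.fields.get("SRC", "?")] += 1
    return by_rule, drops_by_src


# Constructed sample log (RFC 5737 addresses), modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Jul 23 13:57:18 localhost kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=192.0.2.10 DST=198.51.100.20 "
    "LEN=576 TOS=0x00 PREC=0x00 TTL=56 ID=9077 PROTO=ICMP TYPE=3 CODE=1 [SRC=198.51.100.20 DST=192.0.2.10 "
    "LEN=1492 TOS=0x00 PREC=0x00 TTL=47 ID=3408 DF PROTO=TCP SPT=143 DPT=50285 WINDOW=108 RES=0x00 ACK URGP=0 ]",
    "Jul 23 13:57:19 localhost kernel: VMWALL_L3 -(2286-DROP)- IN=u0 OUT=p0 SRC=192.0.2.10 DST=198.51.100.20 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=9100 PROTO=ICMP TYPE=8 CODE=0",
    "Jul 23 13:57:20 localhost kernel: VMWALL_L3 -(2290-ALLOW)- IN=u0 OUT=p0 SRC=192.0.2.11 DST=198.51.100.20 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=40 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jul 23 13:57:21 localhost kernel: unrelated message that is not a packet record",
]

if __name__ == "__main__":
    by_rule, drops = summarize(SAMPLE_LOG)
    for (rule, verdict), n in sorted(by_rule.items()):
        print(f"rule {rule} {verdict}: {n} packet(s)")
    for src, n in drops.most_common():
        print(f"dropped from {src}: {n}")
```

Feeding a real syslog file through `summarize` is the quickest way to answer the original question: if the only VMWALL_L3 records are the ones timestamped at rule changes and `by_rule` stays flat while pings are running, the appliance is not emitting per-packet records at all, rather than the syslog transport dropping them.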
AbhishekB
Contributor

@Termita:

In my case, I only had to configure my syslog server, open port 514, configure each host's App and configure a filter with logging. - Done, and same problem.
Is there connectivity between your firewall App and the syslog server? Try a ping. - Yes, they do.
Is your syslog server a virtual machine? Try excluding the syslog server from the vShield App. - No, not a VM.
termita_kaesar
Enthusiast

You must do a tracert on the traffic and see whether the vShield App tries to connect to the syslog server, with tcpdump, ...

Perhaps you must try to synchronize the vShield App, or perhaps you must reinstall it.

I have vShield version 5.0.1-638924.

Cesar Garcia Descom, SL
AbhishekB
Contributor

@Termita: Thank you!

I have the same version; the sync has also been tried multiple times with no change. I am going to work on the tracert to see if I find something there. I also have a call scheduled with the VMware team on 08/01. Will keep you posted on the outcome and resolution.

Thanks again!
