mac-addresses
|
Concurrent
|
N/A
|
65,535
|
For transparent firewall mode, the number of MAC addresses allowed in the MAC address table.
|
conns
|
Concurrent or Rate
|
N/A
|
Concurrent connections: See the "Supported Platforms and Feature Licenses" section on page A-1 for the connection limit for your platform.
Rate: N/A
|
TCP or UDP connections between any two hosts, including connections between one host and multiple other hosts.
|
inspects
|
Rate
|
N/A
|
N/A
|
Application inspections.
|
hosts
|
Concurrent
|
N/A
|
N/A
|
Hosts that can connect through the adaptive security appliance.
|
asdm
|
Concurrent
|
1 minimum
5 maximum
|
32
|
ASDM management sessions.
Note
 ASDM sessions use two HTTPS connections: one for monitoring that is always present, and one for making configuration changes that is present only when you make changes. For example, the system limit of 32 ASDM sessions represents a limit of 64 HTTPS sessions. |
ssh
|
Concurrent
|
1 minimum
5 maximum
|
100
|
SSH sessions.
|
syslogs
|
Rate
|
N/A
|
N/A
|
System log messages.
|
telnet
|
Concurrent
|
1 minimum
5 maximum
|
100
|
Telnet sessions.
|
xlates
|
Concurrent
|
N/A
|
N/A
|
Address translations.
|
Monday, January 23, 2017
When configuring security contexts on the ASA which three resource class limits can be set using a rate limit
Which log level provides the most detail on the Cisco Web Security Appliance
| wsa01> advancedproxyconfig []> wccp Enter values for the various "wccp" options: Enter the log level for debugging WCCP : [0]> 3 |
On AsyncOS version 7.5 and above: The logging level for WCCP logs and/or proxy logs can be changed in GUI under "System Administration > Log Subscriptions > <Corresponding-WCCP-Log-Name>"
The logging levels will show the following data:
| 7.1 log level (CLI) | 7.5 Log level (GUI) | Information seen in logs at the configured log level |
| 0 | Critical | Errors |
| 1 | Warning | Errors, CONFIG, |
| 2 | Information | Errors, CONFIG, INFO |
| 3 | Debug |
Errors, CONFIG, INFO, STATE
|
| 4 | Trace | Errors, CONFIG, INFO, STATE, CHANGE (state changes) |
Dynamic Arp Inspection (DAI)
Configuring DAI
First check state of DHCP snooping table.
Example of IP arp inspection configured on VLAN 123. Arp access control list OUR-ARP-ACL is configured for the port where router is connected and is trusted
Port 2 where an attacker is configured as untrusted port, rate limited. It is policed and err-disabled if violated.
First check state of DHCP snooping table.
Example of IP arp inspection configured on VLAN 123. Arp access control list OUR-ARP-ACL is configured for the port where router is connected and is trusted
Port 2 where an attacker is configured as untrusted port, rate limited. It is policed and err-disabled if violated.
Example of an CAM poisoning attack and ping sweep causing port to err-disable,. Additional validation of source, destination and IP address to increase security.
\
Friday, January 20, 2017
Why isn’t the syslog server receiving any syslog messages from ASA
If the logging filters is disabled for the syslog servers then syslog messages wlll not get send to the syslog server even it is enabled globally and syslog servers are specified.
To apply filters, perform the following steps:
1. Choose the Filter on severity option to filter syslog messages according to their severity level.
2. Choose the Use event list option to filter syslog messages according to an event list.
3. Choose the Disable logging from all event classes option to disable all logging to the selected destination.
4. Click New to add a new event list. To add a new event list, see the “Creating a Custom Event List”.
5. Choose the event class from the drop-down list. Available event classes change according to the device mode that you are using.
6. Choose the level of logging messages from the drop-down list. Severity levels include the following:
• Emergency (level 0, system is unusable)
Note Using a severity level of zero is not recommended.
• Alert (level 1, immediate action is needed)
• Critical (level 2, critical conditions)
• Error (level 3, error conditions)
• Warning (level 4, warning conditions)
• Notification (level 5, normal but significant conditions)
• Informational (level 6, informational messages only)
• Debugging (level 7, debugging messages only)
7. Click Add to add the event class and severity level, and then click OK.
The selected logging destination for a filter appears at the top.
Tuesday, January 17, 2017
ASA Active/Active failover
ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover. Both firewall must be in same operating mode, context mode, and same major and minor software versions.
Two contexts named Ctx-1 and Ctx-2 are used. Ctx-1 is the admin context
admin-context Ctx-1
context Ctx-1
allocate-interface GigabitEthernet0
allocate-interface GigabitEthernet1
config-url disk0:/Ctx-1.cfg
join-failover-group 1
!
context Ctx-2
allocate-interface GigabitEthernet1
allocate-interface GigabitEthernet2
config-url disk0:/Ctx-2.cfg
join-failover-group 2
!
Primary Active ASA configuration:
failover group 1
preempt 120
failover group 2
secondary
preempt 120
failover lan unit primary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
Similarly to the primary, ASA in routed and multiple context mode. ASA must be similar in hardware and configuration for ACTIVE/ACTIVE failover. Ensure that no context configuration (CFG) files exist otherwise running config file is merged with existing
In system context, "no shut" the interfaces used for failover.
Secondary Active ASA configuration:
failover lan unit secondary
failover lan interface fail-config GigabitEthernet3
failover link fail-state GigabitEthernet4
failover interface ip fail-config 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover interface ip fail-state 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover
In system space, allocate interfaces to the contexts, "no shut" the interfaces. Chnage the prompt to display the current context and priority
prompt hostname context priority
Once secondary ASA is found, the configuration is replicated to the secondary ASA from the primary. Any new changed needs to be made on the primary firewall.
ASA1/sec> .
Detected an Active mate
Beginning configuration replication from mate.
ERROR: Password recovery was not changed, unable to access
the configuration register.
Removing context 'Ctx-2' (2)... Done
Removing context 'Ctx-1' (1)... Done
COREDUMP UPDATE: open message queue fail: No such file or directory/2
INFO: Admin context is required to get the interfaces
Creating context 'Ctx-1'... Done. (3)
WARNING: Skip fetching the URL disk0:/Ctx-1.cfg
INFO: Creating context with default config
INFO: Admin context will take some time to come up .... please wait.
Creating context 'Ctx-2'... Done. (4)
WARNING: Skip fetching the URL disk0:/Ctx-2.cfg
INFO: Creating context with default config
Crashinfo is NOT enabled on Full Distribution Environment
Group 1 Detected Active mate
Group 2 Detected Active mate
End configuration replication from mate.
INFO: UC-IME is enabled, issuing 1000 free TLS licenses for UC-IME
INFO: Issuing "tls-proxy maximum-sessions 11000" command due to license change
INFO: UC proxy will be limited to maximum of 10000 sessions by the UC Proxy license on the device
INFO: "tls-proxy maximum-sessions" config is changed, please save the running-config before system reboot
Subscribe to:
Posts (Atom)