Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events

Overview

Tracking buildup events

Out of the box, LEM captures events 302003, 302009, and 603108.

LEM can also be configured to capture Cisco firewall buildup events. The primary buildup event to use for TCP tracking is 302013 (Built inbound/outbound TCP connection). Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the descriptions of these events in the Cisco System Log Messages Guide to confirm that they are events you actually want to capture before enabling them.

Tracking teardown events

Out of the box, LEM captures event 603019.

You can also enable LEM to capture teardown NAT events. The teardown sibling of buildup event 302013 is 302014. Other teardown events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. Check the descriptions of these events in the Cisco System Log Messages Guide to confirm that they are ones you want to capture.

Environment

All LEM versions

Steps

To enable the latest LEM connector to capture buildup/teardown NAT events:

  1. Ensure your firewalls are configured to send syslog to LEM and that the appropriate LEM connector (the Cisco firewall connector for your platform) is configured to monitor that firewall data.
  2. On each firewall you will monitor buildup/teardown messages from, change the severity level of those messages from 6 (informational, the default) to 0 (emergencies). These messages are logged at severity 6 by default, so if the trap level for the syslog destination that feeds LEM is set lower than informational (common practice to limit volume), they are never sent. Re-leveling them to 0 means they pass any trap level. On an ASA this is done per message with logging message 302013 level 0 (repeat for each ID you want). After the change the syslog header for those messages reads %ASA-0-302013 instead of %ASA-6-302013, so any filter or rule that keys on the severity field must allow for that. For details on changing the severity level of an ASA message, check the Cisco ASA Guides.

Considerations

A few things to consider:

  • To monitor "accepted traffic," use the log keyword on your permit ACL entries instead of buildup logging. This lets you control exactly which accepted traffic you are made aware of, rather than receiving a buildup message for every connection.
  • To monitor the NAT activity itself, consider the event load this will create. Plan a test phase: turn it on, work through some test scenarios to see whether the data is useful for investigations, and turn it off again if it does not justify the volume.
  • Consider the nDepth original log message store if you want the unmodified log data rather than only the normalized events. Note that this consumes additional disk space.
  • Consider whether you need both buildups and teardowns. The teardown messages carry the same endpoint information as the buildup messages, plus duration and byte counts that may or may not be useful to you. Many colleges and universities that use the buildup messages do not rely on the teardown messages at all; they only need to know that a connection was established for verification, analysis, and correlation.
  • Check the syslog data from your firewalls to determine which buildup and/or teardown events are of use before enabling them in LEM.
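The last two considerations above (whether teardowns add anything the buildups do not, and checking the raw syslog data to see which IDs matter) are easiest to judge on a sample of your own logs. The following script is an added example, not LEM or Cisco code: it reads ASA-format syslog lines, counts the buildup and teardown message IDs the article lists, pairs each 3020xx teardown with its buildup by connection number to recover the duration and byte count the teardown adds, and reports which IDs are already arriving at severity 0 (i.e. have been re-leveled as in step 2). The log lines embedded in it are constructed for the example and follow the documented "Built ... connection" / "Teardown ... connection" message format; message IDs, field names and severities are the article's and Cisco's, everything else (function names, sample addresses and connection numbers) is this example's own.

```python
"""Classify Cisco ASA buildup/teardown syslog messages and pair teardowns
with their buildups by connection number.

Added example; not LEM or Cisco code. Log lines in SAMPLE_LOG are
constructed for this example.
"""
import re
from collections import Counter

# Message IDs the article lists, grouped by what they signal.
BUILDUP_IDS = {"302003", "302009", "603108", "302013", "302015", "302017",
               "302020", "302303", "305009", "305011", "609011"}
TEARDOWN_IDS = {"603019", "302014", "302016", "302018", "302021", "302304",
                "305010", "305012", "617100", "609002"}

# %ASA-<severity>-<id>: <text>. The severity digit is the configured level,
# so a message re-leveled to 0 on the firewall arrives as %ASA-0-302013.
HEADER_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")

# Connection messages (302013/302014, 302015/302016): the buildup carries
# "(mapped-address/port)" after each endpoint, the teardown carries
# "duration h:mm:ss bytes N" instead. Translation messages (3050xx) have
# no connection number and are only counted.
CONN_RE = re.compile(
    r"(?:Built (?:inbound|outbound)|Teardown) (?P<proto>TCP|UDP) connection "
    r"(?P<conn>\d+) for (?P<src_if>[^\s:]+):(?P<src>\S+)(?: \(\S+\))? to "
    r"(?P<dst_if>[^\s:]+):(?P<dst>\S+)(?: \(\S+\))?"
    r"(?: duration (?P<dur>\d+:\d{2}:\d{2}))?(?: bytes (?P<bytes>\d+))?")

# Constructed sample: one TCP session with its NAT translation, an ACL deny
# that is not tracked, a UDP session already re-leveled to severity 0, and
# a teardown whose buildup predates logging (no matching buildup).
SAMPLE_LOG = """\
Nov 13 14:37:00 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (198.51.100.2/51234)
Nov 13 14:37:00 fw01 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/51234 to outside:198.51.100.2/51234
Nov 13 14:37:03 fw01 %ASA-4-106023: Deny tcp src outside:192.0.2.9/4444 dst inside:10.0.0.7/23 by access-group "outside_in"
Nov 13 14:37:12 fw01 %ASA-6-302014: Teardown TCP connection 1234 for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:12 bytes 4521 TCP FINs
Nov 13 14:37:42 fw01 %ASA-6-305012: Teardown dynamic TCP translation from inside:10.0.0.5/51234 to outside:198.51.100.2/51234 duration 0:00:30
Nov 13 14:38:00 fw01 %ASA-0-302015: Built outbound UDP connection 1235 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.0.0.5/41000 (198.51.100.2/41000)
Nov 13 14:38:02 fw01 %ASA-0-302016: Teardown UDP connection 1235 for outside:203.0.113.53/53 to inside:10.0.0.5/41000 duration 0:00:02 bytes 180
Nov 13 14:38:09 fw01 %ASA-6-302014: Teardown TCP connection 999 for outside:198.51.100.77/22 to inside:10.0.0.9/60123 duration 1:02:03 bytes 9000 TCP Reset-I
""".splitlines()


def parse_line(line):
    """Return a record for a tracked buildup/teardown line, else None."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    msg_id = m.group("id")
    if msg_id in BUILDUP_IDS:
        kind = "buildup"
    elif msg_id in TEARDOWN_IDS:
        kind = "teardown"
    else:
        return None  # e.g. 106023 ACL deny: not a NAT/connection event
    rec = {"id": msg_id, "severity": int(m.group("sev")), "kind": kind,
           "text": m.group("text")}
    c = CONN_RE.match(m.group("text"))
    if c:
        rec.update(proto=c.group("proto"), conn=c.group("conn"),
                   src=c.group("src_if") + ":" + c.group("src"),
                   dst=c.group("dst_if") + ":" + c.group("dst"))
        if c.group("dur"):
            h, mm, s = (int(x) for x in c.group("dur").split(":"))
            rec["duration_s"] = h * 3600 + mm * 60 + s
        if c.group("bytes"):
            rec["bytes"] = int(c.group("bytes"))
    return rec


def summarize(lines):
    """Count tracked IDs and pair teardowns with buildups.

    Returns (counts, sessions, orphans): counts per message ID, sessions
    keyed by connection number (buildup fields plus duration/bytes once
    the teardown is seen), and teardowns with no preceding buildup.
    """
    counts = Counter()
    sessions, orphans = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["id"]] += 1
        conn = rec.get("conn")
        if conn is None:
            continue  # translation or other message: counted only
        if rec["kind"] == "buildup":
            sessions[conn] = dict(rec, closed=False)
        elif conn in sessions:
            # The teardown repeats the endpoints; only duration/bytes are new.
            sessions[conn].update(duration_s=rec.get("duration_s"),
                                  bytes=rec.get("bytes"), closed=True)
        else:
            orphans.append(rec)
    return counts, sessions, orphans


def releveled_ids(lines):
    """IDs arriving at severity 0, i.e. already re-leveled per step 2."""
    return {r["id"] for r in map(parse_line, lines) if r and r["severity"] == 0}


if __name__ == "__main__":
    counts, sessions, orphans = summarize(SAMPLE_LOG)
    for msg_id, n in sorted(counts.items()):
        print(f"{msg_id}: {n}")
    for conn, s in sessions.items():
        print(conn, s["proto"], s["src"], "->", s["dst"],
              f"{s.get('duration_s')}s", s.get("bytes"), "bytes")
    print("teardowns without buildup:", [o["conn"] for o in orphans])
    print("already at severity 0:", sorted(releveled_ids(SAMPLE_LOG)))
```

Run it against a day of your own firewall syslog instead of SAMPLE_LOG: the per-ID counts tell you which of the listed IDs your platform actually emits and how much volume each adds, the paired sessions show what the teardowns contribute beyond the buildups (only duration and bytes), and orphans are teardowns for connections that were already up when logging was enabled, which is normal right after the change.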
Last modified: 14:37, 13 Nov 2015