Enable LEM to Track Cisco Firewall NAT Buildup and Teardown Events

Created by Interspire Import, last modified by Nigel on Oct 09, 2018


Tracking buildup events

Out of the box, LEM captures events 302003, 302009, and 603108.

LEM can be configured to capture Cisco firewall buildup events, too. The primary buildup event to use for TCP tracking is 302013. Other buildup events include 302015, 302017, 302020, 302303, 305009, 305011, and 609011. Check the descriptions of these events in the Cisco System Log Messages Guide to make sure those are events you want to capture.

Tracking teardown events

Out of the box, LEM captures event 603019.

You can also enable LEM to capture teardown NAT events. The teardown sibling to buildup event 302013 is 302014. Other events include 302016, 302018, 302021, 302304, 305010, 305012, 617100, and 609002. Check the descriptions of these events in the Cisco System Log Messages Guide to make sure they are ones you want to capture.


All LEM versions


To enable the latest LEM connector to capture buildup/teardown NAT events:

  1. Ensure your firewalls are configured to log to LEM and that the appropriate LEM connector is configured to monitor for your firewall data. You may also need the CiscoFirewalls_buildup_teardown custom connector, which you can get by logging a support ticket with SolarWinds.
  2. On each firewall whose buildup/teardown messages you will monitor, adjust the severity level of those events from 6 (the default) to 0. For more information about changing the severity level of an ASA message, check the Cisco ASA Guides.


A few things to consider include:

  • To monitor "accepted traffic," use the log target in your accept ACLs instead of the buildup logging. This lets you control what accepted traffic you are made aware of.
  • To monitor the information about the actual NAT, consider the event load this will create. Plan a test phase where you turn it on, determine if it is valuable to you for investigating (try some test scenarios), and then turn it off if you determine its value.
  • Consider the nDepth original log message store, if you are interested in unmodified log data (versus the normalized data). Note that this consumes disk space.
  • Consider whether you need both buildups and teardowns. The teardown NAT messages include the same information as the built messages, along with some duration and size information that may or may not be useful. A lot of colleges and universities that use the built messages do not rely on the teardown messages; they only need to know that a connection was established for verification, analysis, or correlation.
  • Check the syslog data to determine which buildup and/or teardown events are of use.
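
One way to run that check during the test phase is shown below as an added example; it is not SolarWinds or LEM code. It tallies the buildup and teardown event IDs listed in this article from raw firewall syslog lines and reports which ones are still arriving at severity 6. The `%ASA-<severity>-<id>:` tag pattern, the function names, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Event IDs exactly as listed in the article above.
BUILDUP = {"302013", "302015", "302017", "302020",
           "302303", "305009", "305011", "609011"}
TEARDOWN = {"302014", "302016", "302018", "302021", "302304",
            "305010", "305012", "617100", "609002"}

# Assumed Cisco firewall syslog tag: %<platform>-<severity>-<message id>:
TAG = re.compile(r"%(?:ASA|PIX|FWSM)-(\d)-(\d{6}):")


def tally(lines):
    """Count buildup/teardown messages per (kind, event id, severity)."""
    counts = Counter()
    for line in lines:
        m = TAG.search(line)
        if not m:
            continue  # not a tagged firewall message
        severity, event_id = int(m.group(1)), m.group(2)
        if event_id in BUILDUP:
            counts[("buildup", event_id, severity)] += 1
        elif event_id in TEARDOWN:
            counts[("teardown", event_id, severity)] += 1
    return counts


def still_default_severity(counts, default=6):
    """Event IDs still seen at the default severity (step 2 not yet applied)."""
    return sorted({eid for (_, eid, sev) in counts if sev == default})


# Constructed sample lines using documentation IP ranges, not captured traffic.
SAMPLE = [
    "Oct 09 10:00:01 fw1 %ASA-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:192.0.2.5/51234 (198.51.100.2/51234)",
    "Oct 09 10:00:31 fw1 %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.10/443 to inside:192.0.2.5/51234 duration 0:00:30 bytes 4512 TCP FINs",
    "Oct 09 10:00:40 fw2 %ASA-0-302013: Built outbound TCP connection 1002 for outside:203.0.113.11/80 (203.0.113.11/80) to inside:192.0.2.6/40000 (198.51.100.2/40000)",
    "Oct 09 10:00:41 fw2 %ASA-0-302015: Built outbound UDP connection 1003 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:192.0.2.6/53001 (198.51.100.2/53001)",
    "Oct 09 10:00:42 fw2 %ASA-4-106023: Deny tcp src outside:203.0.113.99/4444 dst inside:192.0.2.6/22 by access-group \"outside_in\"",
]

if __name__ == "__main__":
    result = tally(SAMPLE)
    for (kind, event_id, severity), n in sorted(result.items()):
        print(f"{kind:8} {event_id} severity={severity} count={n}")
    print("still at severity 6:", still_default_severity(result))
```

Feeding it a day of syslog from one firewall gives a per-event count to weigh against the event load concern above.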