MX - New syslog event not documented

Solved
RaphaelL
Kind of a big deal

Hi,

We upgraded some networks from MX15 to MX18 and noticed a new syslog event generated by the MXs: Firewall

 

May 4, 2023, 11:24:59 a.m.,"Cisco Meraki @ XXXXXXXXXX","<134>1 1683213899.478856202 XXXXXXXXX firewall src=XXXXXXXX dst=XXXXXX protocol=udp sport=47811 dport=1163 pattern: 1 all"

 

Haven't seen this mentioned in either the firmware changelogs or the documentation: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

 

The MX Security Appliance supports sending four categories of messages/roles: Event Log, IDS Alerts, URLs, and Flows.

Cheers!

6 Replies
ww
Kind of a big deal
RaphaelL
Kind of a big deal

It seems that 'flows' was replaced by 'firewall'.

You still have ip flows start and ip flows end, but the syslog that contains the firewall rule name is now 'firewall'.

I can't confirm in which MX version it changed.

GIdenJoe
Kind of a big deal

Interesting. It would be interesting to have a premade filter that filters out NAT events and only shows the wanted flow logging. It would be handy if the "pattern" bit would also mention the matched rule number to make it easier.

RaphaelL
Kind of a big deal

Update:

My case is closed and they updated the documentation:

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" have been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:

948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

The mystery is solved!

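Because the message type is the only thing that changed between the MX15 "flows" lines and the MX18.101 "firewall" family quoted in the thread, a collector that keys on the type name will silently drop rule-match events after the upgrade. The parser below is an added example written for this thread; it is not Meraki code and not code posted by anyone in the discussion. It strips the optional RFC 5424 `<PRI>VERSION` prefix seen in the original post (so facility and severity can be checked), reads the Meraki payload, accepts both the old and the new rule-event type names, and separates rule verdicts from flow-lifecycle lines. The sample lines are constructed: the first two mirror the lines quoted in the thread with placeholder addresses filled in, and the `ip_flow_start` line with its `translated_*` fields is an assumption about the "ip flows start" events mentioned above, not something the thread documents.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Message types that carry a firewall rule verdict. "flows" is the pre-MX18.101
# name; the four others are the MX18.101+ replacements quoted in the thread.
RULE_EVENT_TYPES = {
    "flows",
    "firewall",
    "vpn_firewall",
    "cellular_firewall",
    "bridge_anyconnect_client_vpn_firewall",
}

# Optional RFC 5424 style prefix "<PRI>VERSION " kept by the collector in the
# original post; PRI = facility * 8 + severity.
_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+")
# Meraki payload: "<epoch.nanos> <host> <type> key=value ... [pattern: <rule>]"
_HEAD_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<host>\S+)\s+(?P<type>\S+)\s*(?P<rest>.*)$")
_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class MxEvent:
    timestamp: float
    host: str
    event_type: str
    fields: Dict[str, str] = field(default_factory=dict)
    pattern: Optional[str] = None   # text after "pattern:", e.g. "allow all" or "1 all"
    facility: Optional[int] = None  # from <PRI>, if the prefix was present
    severity: Optional[int] = None

    @property
    def is_rule_event(self) -> bool:
        return self.event_type in RULE_EVENT_TYPES

    @property
    def verdict(self) -> Optional[str]:
        # First token of the pattern: "allow", "deny", or a rule number as in
        # the thread's "1 all". None for lines without a pattern.
        return self.pattern.split()[0] if self.pattern else None


def parse_mx_syslog(line: str) -> Optional[MxEvent]:
    """Parse one MX syslog line; return None if it is not an MX payload."""
    line = line.strip()
    facility = severity = None
    m = _PRI_RE.match(line)
    if m:
        facility, severity = divmod(int(m.group("pri")), 8)
        line = line[m.end():]
    m = _HEAD_RE.match(line)
    if not m:
        return None
    rest, pattern = m.group("rest"), None
    if "pattern:" in rest:
        rest, pattern = rest.split("pattern:", 1)
        pattern = pattern.strip()
    return MxEvent(float(m.group("ts")), m.group("host"), m.group("type"),
                   dict(_KV_RE.findall(rest)), pattern, facility, severity)


def rule_events(lines: Iterable[str]) -> Iterator[MxEvent]:
    """Yield only rule-verdict events, old ("flows") or new ("firewall"...) names."""
    for line in lines:
        ev = parse_mx_syslog(line)
        if ev is not None and ev.is_rule_event:
            yield ev


def rule_summary(lines: Iterable[str]) -> Dict[Tuple[str, Optional[str]], int]:
    """Count rule events by (event_type, verdict) to spot a post-upgrade rename."""
    counts: Dict[Tuple[str, Optional[str]], int] = {}
    for ev in rule_events(lines):
        key = (ev.event_type, ev.verdict)
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample input (addresses, MAC and the ip_flow_start line are made up).
SAMPLE_LINES = [
    # Shape of the MX18 line quoted in the original post, with <PRI>VERSION prefix.
    "<134>1 1683213899.478856202 branch-mx firewall src=192.0.2.10 dst=198.51.100.7 "
    "protocol=udp sport=47811 dport=1163 pattern: 1 all",
    # Documentation example quoted in the thread, masked MAC filled in.
    "948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:11:22:33 "
    "protocol=udp sport=9562 dport=53 pattern: allow all",
    # Pre-MX18.101 line using the old "flows" type; "deny" verdict is assumed.
    "948136486.821741837 MX60 flows src=192.168.10.20 dst=203.0.113.5 mac=00:18:0A:44:55:66 "
    "protocol=tcp sport=51000 dport=23 pattern: deny all",
    # Assumed flow-lifecycle (NAT) line: no rule verdict, so it is filtered out.
    "948136486.921741837 MX60 ip_flow_start src=192.168.10.20 dst=203.0.113.5 "
    "protocol=tcp sport=51000 dport=443 translated_src_ip=198.51.100.2 translated_port=40001",
]

if __name__ == "__main__":
    for ev in rule_events(SAMPLE_LINES):
        print(ev.host, ev.event_type, ev.fields.get("src"), "->", ev.fields.get("dst"),
              ev.fields.get("dport"), "verdict:", ev.verdict)
    print(rule_summary(SAMPLE_LINES))
```

Matching on the set `RULE_EVENT_TYPES` rather than the literal string `flows` is the practical fix for the breakage the thread describes; the `<134>` prefix decodes to facility 16 (local0) and severity 6 (informational), which is worth asserting in a collector because a firewall deny arriving at informational severity is easy to misroute by severity-based filters.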
GIdenJoe
Kind of a big deal

I'm curious about that bridge_anyconnect_client_vpn_firewall. Since normally client VPN rules are in the regular firewall ruleset, would that mean a group policy applied to a client VPN user, or would this be a new area to place AnyConnect VPN firewall rules?

RaphaelL
Kind of a big deal

Good point! I heard that they are going to bring lots of changes to the MX firewall in MX18.XXX.