Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX - New syslog event not documented

Solved
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 4 2023 8:54 AM
‎May 4 2023 8:54 AM

MX - New syslog event not documented

Hi ,

 

We upgraded some network from MX15 to MX18 and we noticed a new syslog event generated by MXs : Firewall 

 

May 4, 2023, 11:24:59 a.m.,"Cisco Meraki @ XXXXXXXXXX","<134>1 1683213899.478856202 XXXXXXXXX firewall src=XXXXXXXX dst=XXXXXX protocol=udp sport=47811 dport=1163 pattern: 1 all"

 

Haven't seen this mention in either the firmware changelogs nor the documentation : https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

 

The MX Security Appliance supports sending four categories of messages/roles: Event Log, IDS Alerts, URLs, and Flows.

 

 


Cheers ! 

Subscribe
1 Accepted Solution
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 11 2023 4:52 AM
‎May 11 2023 4:52 AM

Update : 

 

My case is closed and they updated the documentation :

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:  

948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

 

The mystery is solved !

View solution in original post

Subscribe
6 Replies 6
ww
Kind of a big deal
Kind of a big deal
‎May 4 2023 9:20 AM
‎May 4 2023 9:20 AM

Isnt that the log when you enable logging at a firewall rule

 

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Subscribe
In response to ww
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 4 2023 10:12 AM
‎May 4 2023 10:12 AM

It seems that 'flows' was replaced by 'firewall'

 

You still have ip flows start and ip flows end , but the syslog that contains the firewall rule name is now 'firewall'

 

I can't confirm in which MX version it changed

Subscribe
GIdenJoe
Kind of a big deal
Kind of a big deal
‎May 5 2023 3:35 AM
‎May 5 2023 3:35 AM

Interesting.  It would be interesting to have a premade filter that filters out NAT events and only shows the wanted flow logging.  it would be handy if the "pattern" bit would also mention the matched rule number to make it easier.

Subscribe
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 11 2023 4:52 AM
‎May 11 2023 4:52 AM

Update : 

 

My case is closed and they updated the documentation :

https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...

Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:  

948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all

 

The mystery is solved !

Subscribe
In response to RaphaelL
GIdenJoe
Kind of a big deal
Kind of a big deal
‎May 11 2023 1:22 PM
‎May 11 2023 1:22 PM

I'm curious about that bridge_anyconnect_client_vpn_firewall.  Since normally client VPN rules are in the regular firewall ruleset would that mean a group policy applied to a client vpn user or would this be a new area to place anyconnect VPN firewall rules?

0 Kudos
Subscribe
In response to GIdenJoe
RaphaelL
Kind of a big deal
Kind of a big deal
‎May 11 2023 3:32 PM
‎May 11 2023 3:32 PM

Good point ! I heard that they are going to bring lots of changes to the MX firewall in MX18.XXX.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.