MX - New syslog event not documented
Hi,
We upgraded some networks from MX15 to MX18 and we noticed a new syslog event generated by MXs: Firewall
May 4, 2023, 11:24:59 a.m.,"Cisco Meraki @ XXXXXXXXXX","<134>1 1683213899.478856202 XXXXXXXXX firewall src=XXXXXXXX dst=XXXXXX protocol=udp sport=47811 dport=1163 pattern: 1 all"
Haven't seen this mentioned in either the firmware changelogs or the documentation: https://documentation.meraki.com/General_Administration/Monitoring_and_Reporting/Syslog_Server_Overv...
The MX Security Appliance supports sending four categories of messages/roles: Event Log, IDS Alerts, URLs, and Flows.
Cheers!
Isn't that the log when you enable logging at a firewall rule?
It seems that 'flows' was replaced by 'firewall'.
You still have ip flows start and ip flows end, but the syslog that contains the firewall rule name is now 'firewall'.
I can't confirm in which MX version it changed.
Interesting. It would be interesting to have a premade filter that filters out NAT events and only shows the wanted flow logging. It would be handy if the "pattern" bit would also mention the matched rule number to make it easier.
Update:
My case is closed and they updated the documentation:
Note: In Firmware MX18.101 and newer, the syslog messages for "flows" has been changed to "firewall", "vpn_firewall", "cellular_firewall" or "bridge_anyconnect_client_vpn_firewall" depending on which rule was matched. Using the outbound flow as an example, the syslog message has been updated to this:
948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
The mystery is solved!
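A collector rule keyed only on the `flows` type stops matching these events after the upgrade. The parser below accepts both the old type and the four MX18.101+ types named in the note above. It is an added example, not code from this thread or from Meraki; the dict keys `ruleset`, `legacy` and `pattern`, the function names, and the constructed sample lines are assumptions.

```python
import re

# Message types named in the documentation note quoted above:
# "flows" before MX18.101, one of the four per-ruleset names from MX18.101 on.
FLOW_TYPES = {"flows", "firewall", "vpn_firewall", "cellular_firewall",
              "bridge_anyconnect_client_vpn_firewall"}

LINE_RE = re.compile(
    r"^(?:<\d+>\d+\s+)?"        # optional syslog PRI + version, e.g. "<134>1 "
    r"(?P<ts>\d+\.\d+)\s+"      # epoch seconds.nanoseconds
    r"(?P<host>\S+)\s+"         # appliance name
    r"(?P<type>\S+)\s+"         # message type (ruleset that matched)
    r"(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Return a dict for a flow/firewall message, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("type") not in FLOW_TYPES:
        return None
    # key=value pairs come before "pattern:"; the rest is kept verbatim,
    # since the thread shows both "1 all" and "allow all" in that position.
    body, _, pattern = m.group("body").partition("pattern:")
    event = dict(KV_RE.findall(body))
    event.update(ts=m.group("ts"), host=m.group("host"),
                 ruleset=m.group("type"), legacy=m.group("type") == "flows",
                 pattern=pattern.strip())
    return event


def parse_all(text):
    """Parse every line, dropping messages that are not flow/firewall logs."""
    return [e for e in map(parse_flow, text.splitlines()) if e]


# Line 1 is the documentation example quoted above. Lines 2-4 are constructed
# for this example (host names and addresses are placeholders).
SAMPLE = """\
948136486.721741837 MX60 firewall src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
<134>1 1683213899.478856202 MX_A vpn_firewall src=10.0.0.5 dst=10.1.0.9 protocol=udp sport=47811 dport=1163 pattern: 1 all
948136486.721741837 MX60 flows src=192.168.10.254 dst=8.8.8.8 mac=00:18:0A:XX:XX:XX protocol=udp sport=9562 dport=53 pattern: allow all
1683213900.000000001 MX_A events type=constructed_non_flow_event
"""

if __name__ == "__main__":
    for e in parse_all(SAMPLE):
        print(e["ruleset"], e["src"], "->", e["dst"], e["dport"], e["pattern"])
```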
I'm curious about that bridge_anyconnect_client_vpn_firewall. Since normally client VPN rules are in the regular firewall ruleset, would that mean a group policy applied to a client VPN user, or would this be a new area to place AnyConnect VPN firewall rules?
Good point! I heard that they are going to bring lots of changes to the MX firewall in MX18.XXX.
