Cisco Systems OL-16647-01 Network Router User Manual


20-15
Cisco ASDM User Guide
OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules
Configuring Access Rules
The Log option consumes a certain amount of memory when enabled. To help control the risk of a
potential Denial of Service attack, you can configure the Maximum Deny-flow setting by choosing
Advanced in the Access Rules window.
Fields
Use default logging behavior—Uses the older access rule logging mechanism: the security
appliance logs system log message number 106023 when a packet is denied. Use this option to return
to the default setting.
Enable logging for the rule—Enables the newer access rule logging mechanism: the security
appliance logs system log message number 106100 when a packet matches the access rule (either
permit or deny).
If a packet matches the access rule, the security appliance creates a flow entry to track the number
of packets received within a specific interval (see the Logging Interval field that follows). The
security appliance generates a system log message at the first hit and at the end of each interval,
identifying the total number of hits during the interval. At the end of each interval, the security
appliance resets the hit count to 0. If no packets match the access rule during an interval, the security
appliance deletes the flow entry.
Logging Level—Selects the level of logging messages to be sent to the syslog server from this
drop-down list. Levels are defined as follows:
Emergency (level 0)—The security appliance does not use this level.
Alert (level 1, immediate action needed)
Critical (level 2, critical condition)
Error (level 3, error condition)
Warning (level 4, warning condition)
Notification (level 5, normal but significant condition)
Informational (level 6, informational message only)
Debugging (level 7, appears during debugging only)
Logging Interval—Sets the amount of time in seconds (1-600) the security appliance waits
before sending the flow statistics to the syslog. This setting also serves as the timeout value for
deleting a flow if no packets match the access rule. The default is 300 seconds.
Disable logging for the rule—Disables all logging for the access rule.
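To make the flow-tracking behaviour described above concrete, here is an added Python model (not Cisco's code) of the per-flow hit counting, the interval summary and the idle-flow deletion, with a flow cap standing in for the Maximum Deny-flow setting. It assumes the first hit counts toward its interval and that summaries are emitted exactly at interval boundaries.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    hits: int            # packets matched in the current interval
    interval_end: float  # time at which the current interval closes

class AccessRuleLogger:
    """Simplified model of per-flow hit counting for a logged access rule."""

    def __init__(self, interval=300, deny_flow_max=None):
        self.interval = interval            # Logging Interval in seconds (default 300)
        self.deny_flow_max = deny_flow_max  # cap on tracked flows (assumed stand-in)
        self.flows = {}                     # flow key -> Flow
        self.log = []                       # (time, key, kind, hit_count)
        self.dropped_flows = 0              # new flows not tracked because of the cap

    def _close_intervals(self, now):
        # Summarise every interval that ended at or before `now`; zero hits deletes the flow.
        for key, fl in list(self.flows.items()):
            while fl.interval_end <= now:
                if fl.hits == 0:
                    del self.flows[key]
                    break
                self.log.append((fl.interval_end, key, "interval", fl.hits))
                fl.hits = 0
                fl.interval_end += self.interval

    def packet(self, now, key):
        """Record one matching packet. Returns False if no flow entry could be created."""
        self._close_intervals(now)
        fl = self.flows.get(key)
        if fl is None:
            if self.deny_flow_max is not None and len(self.flows) >= self.deny_flow_max:
                self.dropped_flows += 1   # the rule still applies; only tracking is skipped
                return False
            fl = Flow(hits=0, interval_end=now + self.interval)
            self.flows[key] = fl
            self.log.append((now, key, "first hit", 1))
        fl.hits += 1  # assumption: the first hit counts toward its own interval
        return True

def simulate(packets, interval=300, deny_flow_max=None):
    """Replay constructed (time, flow_key) pairs in time order and return the logger."""
    lg = AccessRuleLogger(interval, deny_flow_max)
    for now, key in packets:
        lg.packet(now, key)
    return lg
```

Feeding a burst of distinct flow keys with a small cap shows the memory bound the Maximum Deny-flow setting provides: extra flows are counted in dropped_flows rather than allocated.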
Modes
The following table shows the modes in which this feature is available:
Firewall Mode            Security Context
Routed    Transparent    Single    Multiple
                                   Context    System