RSA Admin

CISCO PIX reporting problems

Discussion created by RSA Admin Employee on Feb 16, 2012
Latest reply on Feb 17, 2012 by RSA Admin

Hello,

 

I have a lot of problems with CISCO message parsing:

 

When I look at raw logs I can see everything getting logged correctly. I haven't made a single change to default messages and/or whatever.

 

As far as I know I have the newest version of enVision (4.1 patch 3 -> 4.1 build 370) and the newest event sources and VAM & signature updates.

 

The problem is as follows -> what is clearly logged as denied traffic with source Inside (aka outbound traffic) gets parsed as inbound, with the source address not parsing correctly, because when I try to query it with the source address I know from the raw log it gets no data, and when I place the source address from the raw log into the destination address in the query then I get the data I want.

 

Also, in reports I can see only denied traffic in the report "Top 20 denied inbound by address", with addresses from inside being shown as top 20 foreign addresses denied inbound access by PIX firewall.

"PIX - Top 20 denied outbound by address" shows no data.

 

How can I further troubleshoot this, report and/or fix the problem?
