7-11
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 7 Configuring Access Rules
Guidelines and Limitations
Step 8 (Optional) Logging is enabled by default. You can disable logging by unchecking the check box, or you
can change the logging level from the drop-down list. The default logging level is Informational.
Step 9 (Optional) To add a source service (TCP, UDP, and TCP-UDP only) and a time range to your access rule
that specifies when traffic can be allowed or denied, click More Options to expand the list. If you want
to turn off this Management Access Rule, uncheck Enable Rule.
Add a source service in the Source Service field, or click the ellipsis (...) to browse for a service.
The destination service and source service must be the same. Copy and paste the destination Service
field to the Source Service field.
To configure the logging interval (if you enable logging and choose a non-default setting), enter a
value in seconds in the Logging Interval field.
To select a predefined time range for this rule, from the Time Range drop-down list, choose a time
range; or click the ellipsis (...) to browse for a time range. You can also specify additional time
constraints for the time range, such as specifying the days of the week or the recurring weekly
interval in which the time range will be active.
Step 10 Click OK. The dialog box closes, and the Management Access rule is added.
Step 11 Click Apply. The rule is saved in the running configuration.
Advanced Access Rule Configuration
The Advanced Access Rule Configuration dialog box lets you set global access rule logging options.
When you enable logging, if a packet matches the access rule, the ASA creates a flow entry to track the
number of packets received within a specific interval. The ASA generates a system log message at the
first hit and at the end of each interval, identifying the total number of hits during the interval and
reporting the time of the last hit.
Note The ASA pane displays the hit count information in the “last rule hit” row. To view the rule hit count and
timestamp, choose Configuration > Firewall > Advanced > ACL Manager, and hover the mouse
pointer over a cell in the ACL Manager table.
At the end of each interval, the ASA resets the hit count to 0. If no packets match the access rule during
an interval, the ASA deletes the flow entry.
A large number of flows can exist concurrently at any point of time. To prevent unlimited consumption
of memory and CPU resources, the ASA places a limit on the number of concurrent deny flows; the limit
is placed only on deny flows (and not permit flows) because they can indicate an attack. When the limit
is reached, the ASA does not create a new deny flow until the existing flows expire. If someone initiates
a denial of service attack, the ASA can create a very large number of deny flows in a very short period
of time. Restricting the number of deny-flows prevents unlimited consumption of memory and CPU
resources.
Prerequisites
These settings only apply if you enable the newer logging mechanism for the access rule.
Fields
Maximum Deny-flows—The maximum number of deny flows permitted before the ASA stops
logging, between 1 and the default value. The default is 4096.
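The flow-tracking behaviour described above (a flow entry per matching rule, a message at the first hit and at the end of each interval, the count reset to 0, idle entries deleted, and the Maximum Deny-flows cap applied only to deny flows) can be modelled in a few dozen lines. The following is an added example, not Cisco code and not the ASA's implementation: the flow key, the message strings (which do not follow the real syslog format), the default interval of 300 seconds, and the sample addresses and packets are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of the access-rule logging mechanism this page describes.
# Not Cisco code: flow key layout, message text and sample packets are assumptions.

FlowKey = Tuple[str, str, str, str, int]   # (action, src, dst, proto, dport)


@dataclass
class LogFlow:
    hits: int = 0              # packets seen in the current interval
    last_hit: float = 0.0      # timestamp of the most recent matching packet
    interval_end: float = 0.0  # when the current interval closes


@dataclass
class RuleLogger:
    interval: float = 300.0     # logging interval in seconds (assumed default of 300)
    max_deny_flows: int = 4096  # the "Maximum Deny-flows" field; default 4096
    flows: Dict[FlowKey, LogFlow] = field(default_factory=dict)
    messages: List[str] = field(default_factory=list)

    def deny_flow_count(self) -> int:
        # The limit counts deny flows only; permit flows are never capped.
        return sum(1 for k in self.flows if k[0] == "deny")

    def tick(self, now: float) -> None:
        """Close every interval that ended at or before `now`."""
        for key, flow in list(self.flows.items()):
            while flow.interval_end <= now:
                if flow.hits == 0:
                    # No packets during the interval: the flow entry is deleted.
                    del self.flows[key]
                    break
                # End-of-interval message: total hits and time of the last hit.
                self.messages.append(
                    f"{key}: hit-cnt {flow.hits} in {self.interval:.0f}s interval, "
                    f"last hit {flow.last_hit:.0f}")
                flow.hits = 0                       # count resets to 0 each interval
                flow.interval_end += self.interval

    def packet(self, key: FlowKey, now: float) -> bool:
        """Account one packet that matched the rule.

        Returns False when the deny-flow limit prevented a new flow entry."""
        self.tick(now)
        flow = self.flows.get(key)
        if flow is None:
            if key[0] == "deny" and self.deny_flow_count() >= self.max_deny_flows:
                return False  # limit reached: no new deny flow until existing ones expire
            flow = LogFlow(interval_end=now + self.interval)
            self.flows[key] = flow
            self.messages.append(f"{key}: first hit at {now:.0f}")  # first-hit message
        flow.hits += 1
        flow.last_hit = now
        return True


def demo_interval() -> List[str]:
    """One deny flow: three hits in the first interval, none in the second."""
    lg = RuleLogger(interval=300)
    k: FlowKey = ("deny", "198.51.100.7", "203.0.113.10", "tcp", 22)  # constructed sample
    for t in (0, 10, 20):
        lg.packet(k, t)
    lg.tick(300)  # end of first interval: summary message, hit count reset
    lg.tick(600)  # end of an idle interval: entry deleted, no message
    return lg.messages


def demo_deny_limit() -> Tuple[int, int]:
    """Maximum Deny-flows of 2: a third distinct deny source is not tracked
    until an existing flow expires."""
    lg = RuleLogger(interval=300, max_deny_flows=2)
    srcs = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]  # constructed sample
    accepted = sum(lg.packet(("deny", s, "203.0.113.10", "tcp", 23), 0) for s in srcs)
    lg.tick(600)  # both tracked flows idle through a full interval and are removed
    late = lg.packet(("deny", srcs[2], "203.0.113.10", "tcp", 23), 600)
    return accepted, int(late)


if __name__ == "__main__":
    for m in demo_interval():
        print(m)
    print("accepted, late:", demo_deny_limit())
```

The second demo is the operational point for a defender: once the cap is hit during a flood, new deny sources are simply not tracked (and therefore not logged) until tracked flows go idle for an interval, so a low Maximum Deny-flows value trades memory and CPU protection for visibility into the tail of an attack.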