20-14
Cisco ASDM User Guide
OL-16647-01
Chapter 20 Configuring Access Rules and EtherType Rules
Configuring Access Rules
total number of hits during the interval. At the end of each interval, the security appliance resets the hit
count to 0. If no packets match the access rule during an interval, the security appliance deletes the flow
entry.
A large number of flows can exist concurrently at any point in time. To prevent unlimited consumption
of memory and CPU resources, the security appliance places a limit on the number of concurrent deny
flows; the limit is placed only on deny flows (and not permit flows) because they can indicate an attack.
When the limit is reached, the security appliance does not create a new deny flow until the existing flows
expire. If someone initiates a denial of service attack, the security appliance can create a very large
number of deny flows in a very short period of time. Restricting the number of deny flows prevents
unlimited consumption of memory and CPU resources.
For more information about access rules, see the “Information About Access Rules and EtherType
Rules” section on page 20-1.
Prerequisites
These settings apply only if you enable the newer logging mechanism for the access control entry (also
known as a rule). See Log Options for more information.
Fields
Maximum Deny-flows—The maximum number of deny flows permitted before the security
appliance stops logging, between 1 and the default value. The default is 4096.
Alert Interval—The amount of time (1-3600 seconds) between system log messages (number
106101) that identify that the maximum number of deny flows was reached. The default is 300
seconds.
Per User Override table—Specifies the state of the per user override feature. If the per user override
feature is enabled on the inbound access rule, the access rule provided by a RADIUS server replaces
the access rule configured on that interface. If the per user override feature is disabled, the access
rule provided by the RADIUS server is combined with the access rule configured on that interface.
If the inbound access rule is not configured for the interface, per user override cannot be configured.
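As an added illustration (not code from the Cisco guide), the following Python model reproduces the deny-flow accounting described above and in the Fields list: per-interval hit counts that reset to 0, deletion of flows that saw no packets, the cap on concurrent deny flows, and the 106101 alert emitted no more often than the alert interval. The class, its method names and the sample flows are constructed for this example.

```python
# Constructed model of the deny-flow accounting described above; not ASA code.
from dataclasses import dataclass, field

SYSLOG_DENY_FLOW_LIMIT = 106101  # message number cited on the page

@dataclass
class DenyFlowTable:
    max_deny_flows: int = 4096        # page default
    alert_interval: float = 300.0     # seconds, page default
    flows: dict = field(default_factory=dict)        # flow key -> hits this interval
    alerts: list = field(default_factory=list)       # (time, syslog id)
    hit_reports: list = field(default_factory=list)  # (time, flow, hits)
    last_alert: float = float("-inf")

    def deny(self, flow, now):
        """Account for a denied packet; False means the flow is not tracked."""
        if flow in self.flows:
            self.flows[flow] += 1
            return True
        if len(self.flows) >= self.max_deny_flows:
            # Limit reached: no new deny flow until existing ones expire.
            # Message 106101 is emitted at most once per alert interval.
            if now - self.last_alert >= self.alert_interval:
                self.alerts.append((now, SYSLOG_DENY_FLOW_LIMIT))
                self.last_alert = now
            return False
        self.flows[flow] = 1
        return True

    def end_interval(self, now):
        """Report hits, reset counters to 0, delete flows that saw no packets."""
        for flow, hits in list(self.flows.items()):
            if hits == 0:
                del self.flows[flow]
            else:
                self.hit_reports.append((now, flow, hits))
                self.flows[flow] = 0

def run_scenario():
    """Four-flow table under a burst of distinct denied sources (constructed)."""
    t = DenyFlowTable(max_deny_flows=4)
    tracked = sum(t.deny(("10.0.0.%d" % i, 80), 0.0) for i in range(10))
    t.deny(("10.0.0.20", 80), 100.0)   # still full; alert suppressed
    t.end_interval(300.0)              # all four had hits: reset, keep
    t.deny(("10.0.0.21", 80), 301.0)   # full again; second alert fires
    t.deny(("10.0.0.0", 80), 350.0)    # only one flow sees traffic
    t.end_interval(600.0)              # the three idle flows expire
    remaining = len(t.flows)
    return {"tracked_in_burst": tracked, "alerts": len(t.alerts), "flows_after_expiry": remaining,
            "hit_reports": len(t.hit_reports), "tracked_after_expiry": t.deny(("10.0.0.22", 80), 601.0)}
```

With the table capped at four entries, six of the ten burst sources are never tracked and only one 106101 message is produced until the alert interval has elapsed; tracking resumes only after idle entries are deleted at an interval boundary.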
Modes
The following table shows the modes in which this feature is available:

Firewall Mode             Security Context
Routed    Transparent     Single    Multiple
                                    Context    System

Log Options
The Log Options dialog box lets you set logging options for each access rule. See the “Advanced Access
Rule Configuration” section on page 20-13 to set global logging options.
This dialog box lets you use the older logging mechanism (only denied traffic is logged), use the newer
logging mechanism (permitted and denied traffic is logged, along with additional information such as
the number of packet hits), or disable logging.