
CLI: Example for Outputting Packet Loss Logs to a Third-Party Log Host

This section provides an example of configuring the FW to output packet loss logs to log hosts.

Networking Requirements

As shown in Figure 1, the FW is deployed on the network border. The network environment is as follows:

  • The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the intranet access the Internet using the NAT function provided by the FW.
  • The DMZ has two eLog servers.

The FW is required to send packet loss information as syslogs to the eLog servers. The administrator can view and analyze packet loss information on the eLog servers. The log concurrent function is required, so that each log can be sent to both eLog servers.

Figure 1 Networking for outputting packet loss logs to eLog servers

Configuration Roadmap

This example provides only the FW configuration. For the eLog server configuration, see the eLog server product document.

The system time must be set correctly during the initial configuration. Changing the system time while the device is running results in incorrect timestamps in historical logs. The time zone of the log server must be the same as that of the FW.

  1. Set the IP addresses for interfaces and add the interfaces to security zones.
  2. Configure security policies.
  3. Configure a NAT policy.
  4. Configure routes.
  5. Configure the output format of packet loss logs.
  6. Configure log hosts.
  7. Enable the function of sending packet loss logs.
  8. Enable the log concurrent function and configure the source IP address and source port.

Procedure

  1. Set the IP addresses for interfaces and add the interfaces to security zones.

    # Configure an IP address for GE0/0/1.

    <FW> system-view
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ip address 192.168.0.1 24
    [FW-GigabitEthernet 0/0/1] quit

    # Configure an IP address for GE0/0/2.

    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ip address 172.16.0.1 24
    [FW-GigabitEthernet 0/0/2] quit

    # Configure an IP address for GE0/0/3.

    [FW] interface GigabitEthernet 0/0/3
    [FW-GigabitEthernet 0/0/3] ip address 1.1.1.1 24
    [FW-GigabitEthernet 0/0/3] quit

    # Add GE0/0/1 to the Trust zone.

    [FW] firewall zone trust
    [FW-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-zone-trust] quit

    # Add GE0/0/2 to the DMZ.

    [FW] firewall zone dmz
    [FW-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW-zone-dmz] quit

    # Add GE0/0/3 to the Untrust zone.

    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/3
    [FW-zone-untrust] quit

  2. Configure security policies.

    # Configure a Trust-Untrust interzone security policy.

    [FW] security-policy
    [FW-policy-security] rule name trust_untrust
    [FW-policy-security-rule-trust_untrust] source-zone trust
    [FW-policy-security-rule-trust_untrust] destination-zone untrust
    [FW-policy-security-rule-trust_untrust] source-address 192.168.0.0 24
    [FW-policy-security-rule-trust_untrust] action permit
    [FW-policy-security-rule-trust_untrust] quit

  3. Configure a NAT policy.

    # Configure NAT address group add1 and set the mode to PAT. In this example, the public address range is 1.1.1.10 to 1.1.1.15.

    [FW] nat address-group add1
    [FW-address-group-add1] mode pat
    [FW-address-group-add1] section 0 1.1.1.10 1.1.1.15
    [FW-address-group-add1] route enable
    [FW-address-group-add1] quit

    # Configure a NAT policy.

    [FW] nat-policy
    [FW-policy-nat] rule name policy1
    [FW-policy-nat-rule-policy1] source-zone trust
    [FW-policy-nat-rule-policy1] destination-zone untrust
    [FW-policy-nat-rule-policy1] source-address 192.168.0.0 24
    [FW-policy-nat-rule-policy1] action source-nat address-group add1
    [FW-policy-nat-rule-policy1] quit
    [FW-policy-nat] quit

  4. Configure routes.

    # Configure a default route. In this example, the next hop of the FW to the Internet is 1.1.1.2.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

  5. Configure the output format of packet loss logs.

    [FW] firewall log session log-type syslog

  6. Configure log hosts. Packet loss information is recorded in the syslog format.

    [FW] firewall log host 1 172.16.0.2 514
    [FW] firewall log host 2 172.16.0.3 514

  7. Enable the function of sending packet loss logs.

    [FW] firewall log packet-discard enable
    [FW] firewall log packet-discard default-packet-filter
    [FW] firewall log packet-discard packet-filter
    [FW] firewall log packet-discard session-miss
    [FW] firewall log packet-discard ip-mac
    [FW] firewall log packet-discard others
    • If session-miss is specified, the FW sends a log when a packet does not match any session entry.
    • If packet-filter is specified, the FW sends a log when a packet is discarded because the packet fails to pass a security policy.
    • If default-packet-filter is specified, the FW sends a log when a packet is discarded because of default packet filtering.
    • If ip-mac is specified, the FW sends a log when a packet is discarded because the packet fails to match an IP-MAC binding entry. To display such logs, enable the IP-MAC binding function. For details about how to enable this function, see IP-MAC Binding.
    • If others is specified, the FW sends a log when other types of packets are discarded.

      IPv6 packet discard logs do not support the others type.

  8. Enable the log concurrent function and configure the source IP address and source port.

    [FW] firewall log session multi-host-mode concurrent
    [FW] firewall log source 172.16.0.1 6000

Configuration Script

#
 sysname FW
#
 firewall log session multi-host-mode concurrent
 firewall log packet-discard enable
 firewall log packet-discard packet-filter
 firewall log packet-discard default-packet-filter
 firewall log packet-discard session-miss
 firewall log packet-discard ip-mac
 firewall log packet-discard others
 firewall log host 1 172.16.0.2 514
 firewall log host 2 172.16.0.3 514
 firewall log source 172.16.0.1 6000
 firewall log session log-type syslog
#
nat address-group add1 0
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name trust_untrust
  session logging
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action source-nat address-group add1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
return
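The saved script above is what an operator usually reviews after the fact, and the settings the eLog servers depend on (syslog log type, two log hosts, concurrent multi-host mode, a log source address that belongs to the DMZ interface, a well-formed NAT address range) are easy to get subtly wrong. The following Python script is an added example, not part of the Huawei document and not a Huawei tool: it parses a configuration script in the display format shown on this page and reports those settings when they are missing or malformed. It embeds a constructed, trimmed copy of the script above as sample input, plus a constructed variant with a five-octet NAT address and no multi-host-mode line. The rule that every log host must sit on the subnet of the interface owning the log source address is an assumption made for this topology (both eLog servers are on the DMZ segment), not a general requirement.

```python
import ipaddress
import re

# Constructed sample: the consolidated configuration script from this page,
# trimmed to the lines the checks below actually read.
SAMPLE_CONFIG = """\
#
 firewall log session multi-host-mode concurrent
 firewall log packet-discard enable
 firewall log packet-discard others
 firewall log host 1 172.16.0.2 514
 firewall log host 2 172.16.0.3 514
 firewall log source 172.16.0.1 6000
 firewall log session log-type syslog
#
nat address-group add1 0
 mode pat
 section 0 1.1.1.10 1.1.1.15
#
interface GigabitEthernet 0/0/2
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 1.1.1.1 255.255.255.0
#
return
"""

# Constructed variant with two defects: a five-octet NAT address and no
# multi-host-mode, so the second eLog server would not receive every log.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("1.1.1.15", "1.1.1.1.5").replace(
    " firewall log session multi-host-mode concurrent\n", "")


def parse_config(text):
    """Collect the facts the audit needs from a Huawei-style config script."""
    facts = {"interfaces": {}, "log_hosts": [], "log_source": None,
             "multi_host_mode": None, "log_type": None, "sections": []}
    block = None  # header of the current indented block, e.g. "interface ..."
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if not raw.startswith(" "):  # unindented line opens a new block
            block = line
            continue
        if block and block.startswith("interface ") and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            facts["interfaces"][block[len("interface "):]] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif m := re.match(r"firewall log host \d+ (\S+) (\d+)$", line):
            facts["log_hosts"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r"firewall log source (\S+) (\d+)$", line):
            facts["log_source"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"firewall log session multi-host-mode (\S+)$", line):
            facts["multi_host_mode"] = m.group(1)
        elif m := re.match(r"firewall log session log-type (\S+)$", line):
            facts["log_type"] = m.group(1)
        elif m := re.match(r"section \d+ (\S+) (\S+)$", line):
            facts["sections"].append((m.group(1), m.group(2)))
    return facts


def audit_config(text):
    """Return a list of findings; an empty list means the script passed."""
    f = parse_config(text)
    findings = []
    if f["log_type"] != "syslog":
        findings.append("log-type is not syslog, but the eLog servers expect syslog")
    if len(f["log_hosts"]) > 1 and f["multi_host_mode"] != "concurrent":
        findings.append("several log hosts but multi-host-mode is not concurrent: "
                        "each log would not reach every eLog server")
    if f["log_source"] is None:
        findings.append("no firewall log source configured")
    else:
        src_ip = f["log_source"][0]
        owner = next((n for n, i in f["interfaces"].items() if str(i.ip) == src_ip), None)
        if owner is None:
            findings.append(f"log source {src_ip} is not the address of any interface")
        else:
            # Assumption for this topology: log hosts sit on the DMZ segment of the
            # interface that owns the source address, so anything else is suspect.
            net = f["interfaces"][owner].network
            for ip, _port in f["log_hosts"]:
                if ipaddress.ip_address(ip) not in net:
                    findings.append(f"log host {ip} is not on {owner}'s subnet {net}")
    for start, end in f["sections"]:
        try:
            lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        except ValueError as err:  # e.g. a five-octet address
            findings.append(f"NAT address-group section is not a valid range: {err}")
            continue
        if lo > hi:
            findings.append(f"NAT section {start}-{end} starts after it ends")
    return findings


if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(name, audit_config(cfg) or "OK")
```

Running the script prints "sample OK" and two findings for the broken variant. The block parser only recognises the display format on this page (an unindented line opens a block, indented lines belong to it), so feed it `display current-configuration` output in that layout; anything it does not recognise is ignored rather than reported.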
Copyright © Huawei Technologies Co., Ltd.