Screen OS

  • 1.  syslog down = prevent traffic

    Posted 06-23-2008 05:54

    We recently got an SSG5, but we haven't switched to it as the default gateway yet since I still have one concern.

    Is it possible to deny all traffic when the syslog server is down?

    Certainly I need to configure a TCP syslog server; however, I would like to deny all traffic when the SSG5 is unable to write logs to the syslog server.

    Thanks in advance!



  • 2.  RE: syslog down = prevent traffic

    Posted 06-23-2008 06:26

    Probably I answered the question by myself.

    Currently I have the syslog server defined as UDP...



  • 3.  RE: syslog down = prevent traffic
    Best Answer

    Posted 06-23-2008 21:30

    Deratze,

     

    That's a little odd behavior. You would like to block all network traffic if the firewall is unable to log to the syslog?

    I am not aware of any way to do that. You *could* write a script on the syslog server so that if it loses communication with the firewall (i.e. if you see no messages for X amount of time), it logs into the firewall and adds a deny rule.

    Beyond that I think the behavior you're looking for is not possible out of the box on your SSG. By all means feel free to give JTAC a call and ask them, but I am personally not aware of anything like that.

    Good luck,

    -Tim Eberhard



  • 4.  RE: syslog down = prevent traffic

    Posted 06-24-2008 00:06

    Tim,

     

    Writing a script which adds a deny rule would be a possible solution.

    But I don't think that my request is an odd behavior.

    We want to log all traffic which goes outside to the internet, and if the syslog server is down there is a good chance that we miss some traffic in the logs.

    So from my point of view you can simply DoS or power off the syslog server to circumvent the log behavior, and there is no way to prove after this which box or user has accessed a specific IP address.

    Well, certainly you can cluster the syslog server or you can work around this in other ways, as you mentioned.

    But I think it would be a good feature to deny traffic at least to untrust if the syslog server is down.



  • 5.  RE: syslog down = prevent traffic

    Posted 06-25-2008 08:36

    Here's one extreme idea that may work depending on the number of interfaces being used...

     

    If your syslog server is located in the Trust Zone, off bgroup0, then what you can do is set up monitor track-ip from the bgroup0 IP to the syslog server.  If the pings from the bgroup0 IP to the syslog server fail, then the bgroup0 interface will change to a DOWN state.

     

    Of course, if you have other interfaces in the "Trust" zone then those interfaces will not be affected.  Also, you can't monitor an IP address located in the trust zone from one of the untrust or dmz interfaces...

     

    As mentioned already, a script might be a solution.  Perhaps another server checking the health of the syslog server.  If the syslog is unreachable, then SSH to the firewall and apply the deny all policy.

     

    good luck...
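
    One way to implement the watchdog script that Tim and the reply above describe, as an added example that is not from this thread: a Python script running on the syslog server (or a separate monitoring host) measures how long the SSG5 has been silent in the syslog file and, past a threshold, pushes a deny policy to the firewall over SSH so it fails closed. The management address, log path, `ssg5` hostname, `netscreen` login, the exact policy line and the ability to feed ScreenOS CLI over SSH stdin are all assumptions to verify against your own device.

```python
import re
import subprocess
from datetime import datetime, timedelta

# Assumed placeholders (not from the thread); adjust to your environment.
FIREWALL_HOST = "192.0.2.1"      # SSG5 management address
FIREWALL_SYSLOG_NAME = "ssg5"    # hostname the SSG5 writes into its syslog header
SYSLOG_FILE = "/var/log/ssg5.log"
MAX_SILENCE = timedelta(minutes=5)

# ScreenOS CLI pushed over SSH to fail closed; "set policy top" is assumed to put
# the rule above the existing trust->untrust policies. Verify on your release.
DENY_COMMANDS = [
    "set policy top name syslog-down from trust to untrust any any any deny log",
    "save",
]
# Classic BSD syslog header: "Jun 23 05:54:12 host ..." (no year in the stamp)
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) ")

def last_message_time(lines, host, now):
    """Newest timestamp among lines from `host`, or None if the host never appears."""
    newest = None
    for line in lines:
        m = HEADER_RE.match(line)
        if not m or m.group("host") != host:
            continue
        ts = datetime.strptime(f"{now.year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        if ts > now:                      # December stamp read in January: previous year
            ts = ts.replace(year=now.year - 1)
        if newest is None or ts > newest:
            newest = ts
    return newest

def syslog_is_stale(lines, host, now, max_silence=MAX_SILENCE):
    """True when the firewall has been silent longer than max_silence (or never logged)."""
    last = last_message_time(lines, host, now)
    return last is None or now - last > max_silence

def build_ssh_command(firewall_host, commands):
    """ssh argv plus the CLI text fed on stdin, one ScreenOS command per line."""
    argv = ["ssh", "-o", "BatchMode=yes", f"netscreen@{firewall_host}"]
    return argv, "\n".join(commands) + "\n"

if __name__ == "__main__":
    with open(SYSLOG_FILE) as f:
        recent = f.readlines()[-5000:]   # only the tail matters for "last seen"
    if syslog_is_stale(recent, FIREWALL_SYSLOG_NAME, datetime.now()):
        argv, stdin = build_ssh_command(FIREWALL_HOST, DENY_COMMANDS)
        subprocess.run(argv, input=stdin, text=True, check=True)
```

    Run it from cron every minute; because it keys on the firewall's own messages rather than on pinging the syslog host, it also catches a syslog daemon that is up but no longer writing.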



  • 6.  RE: syslog down = prevent traffic

    Posted 07-02-2008 03:55

    I consider the script that sets the deny rule as my workaround.

     

    Thanks for that hint.



  • 7.  RE: syslog down = prevent traffic

    Posted 03-23-2009 00:34

    Hi,

     

    This command will do the trick:

    set log audit-loss-mitigation

    Stops generation of auditable events when the number of such events exceeds the capacity of the security device. Enabling this feature reduces the loss of event logs due to log overloads. On some security devices, you must connect the syslog server to the management interface on the Management Module. This ensures that the syslog server is available if the audit trail fills up and network traffic stops.

     

    Regards

     

    Tony