logging

Configures enhanced firewall logging

Supported in the following platforms:

  • Access Points — AP505i, AP510i/e, AP560i/h
  • Service Platforms — NX5500, NX7500, NX9500, NX9600, VX9000

Syntax

logging [icmp-all|icmp-packet-drop|malformed-packet-drop|verbose]
logging icmp-all
logging verbose
logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

Parameters

logging icmp-all

logging

Configures enhanced firewall logging parameters

icmp-all

Enables logging of all ICMPv4/v6 packets allowed by the firewall. This option is disabled by default.

logging verbose

logging

Configures enhanced firewall logging. This option is disabled by default.

verbose

Enables verbose logging

logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

logging

Configures enhanced firewall logging

icmp-packet-drop

Enables logging of ICMP (ICMPv4 and ICMPv6) packets that do not pass sanity checks. The default is none.

malformed-packet-drop

Enables logging of raw IP (IPv4 and IPv6) packets that do not pass sanity checks. The default is none.

all

Logs all messages

rate-limited

Enables rate-limited logging. This option sets the rate limit for log messages to one message every 20 seconds.

Examples

nx9500-6C8809(config-fw-policy-testFW)#logging verbose
nx9500-6C8809(config-fw-policy-testFW)#logging icmp-packet-drop rate-limited
nx9500-6C8809(config-fw-policy-testFW)#logging malformed-packet-drop all
nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
 alg facetime
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
 dns-snoop entry-timeout 1200
 ipv6-mac routing conflict drop-only
nx9500-6C8809(config-fw-policy-testFW)#
nx9500-6C8809(config-fw-policy-test2)#show context
firewall-policy test2
 no ip dos tcp-sequence-past-window
nx9500-6C8809(config-fw-policy-test2)#
nx9500-6C8809(config-fw-policy-test2)#logging icmp-all
nx9500-6C8809(config-fw-policy-test2)#show context
firewall-policy test2
 no ip dos tcp-sequence-past-window
 logging icmp-all
nx9500-6C8809(config-fw-policy-test2)#
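
The following Python script is an added example, not part of the original reference or of any vendor tooling. It audits saved show context output and reports, per firewall policy, the effective logging settings, applying the defaults stated under Parameters. The function names parse_logging and findings are hypothetical, and the sample text is constructed by trimming the outputs shown above.

```python
import re

# Defaults as stated in the parameter descriptions on this page.
DEFAULTS = {"icmp-all": "disabled", "verbose": "disabled",
            "icmp-packet-drop": "none", "malformed-packet-drop": "none"}

# Constructed sample: the two `show context` outputs from Examples, trimmed.
SAMPLE = """\
nx9500-6C8809(config-fw-policy-testFW)#show context
firewall-policy testFW
 ip dos fraggle drop-only
 logging icmp-packet-drop rate-limited
 logging malformed-packet-drop all
 logging verbose
firewall-policy test2
 no ip dos tcp-sequence-past-window
 logging icmp-all
"""

def parse_logging(text):
    """Return {policy: {option: state}} with unset options at their defaults."""
    policies, current = {}, None
    for line in text.splitlines():
        head = re.match(r"firewall-policy\s+(\S+)\s*$", line)
        # Config lines are indented; typed commands after a prompt are not.
        log = re.match(r"\s+logging\s+(\S+)(?:\s+(all|rate-limited))?\s*$", line)
        if head:
            current = policies.setdefault(head.group(1), dict(DEFAULTS))
        elif log and current is not None and log.group(1) in DEFAULTS:
            opt, mode = log.groups()
            if opt in ("icmp-all", "verbose"):
                current[opt] = "enabled"
            elif mode:
                current[opt] = mode
    return policies

def findings(policies):
    """List (policy, message) pairs for drop-logging gaps worth reviewing."""
    out = []
    for name, opts in policies.items():
        for opt in ("icmp-packet-drop", "malformed-packet-drop"):
            if opts[opt] == "none":
                out.append((name, f"{opt}: drops are not logged (default none)"))
            elif opts[opt] == "rate-limited":
                out.append((name, f"{opt}: one message every 20 seconds"))
    return out

if __name__ == "__main__":
    for policy, msg in findings(parse_logging(SAMPLE)):
        print(f"{policy}: {msg}")
```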

Related Commands

no

Disables enhanced firewall logging