Monitoring the Vyatta firewall

You can monitor the firewall in much the way of a Debug command in Cisco. By using the command “Monitor firewall”. The blocked or allowed attempts will show up on the console.

You can monitor just the rule, or the whole firewall policy. By specifying the monitor to run in the background you still have control of the Vyatta.

The command is:

monitor firewall name OUTSIDE-IN background

You can also use the log keyword in the firewall rule to get the results of the rule to show up in the logs.

To give a better example lets create a firewall policy, assign it to an interface and then monitor the rule. I have two rules, one to block ICMP and one to allow everything else. To make this policy stateful I modified the firewall State-policy and set it to allow return traffic by default. Below are my firewall settings:

fw1

Now lets say I want to monitor what gets blocked in rule 5 – my block ICMP rule. I would do the following:

monitor firewall name out rule 5 – the name of my policy is “out”, rule 5 blocks ICMP.

block-rule

The image shows the output. All traffic matching that rule gets displayed on the screen. This is a great way to debug firewall polices to see what gets blocked or allowed. For example, if I monitored just the firewall policy i would get all traffic allowed or blocked, if I monitored rule 10 then I would get all traffic other than ICMP which would be allowed.

Below are the “show configuration commands” of the firewall policy if you are interested.

set firewall name out rule 5 action ‘drop’
set firewall name out rule 5 log ‘enable’
set firewall name out rule 5 protocol ‘icmp’
set firewall name out rule 10 action ‘accept’
set firewall name out rule 10 log ‘enable’
set firewall name out rule 10 protocol ‘all’
set firewall name out rule 10 source address ‘192.168.60.10’
set firewall state-policy established action ‘accept’
set firewall state-policy invalid action ‘drop’
set interfaces ethernet eth1 firewall out name ‘out’

Advertisements

7 responses to “Monitoring the Vyatta firewall

  1. jei March 3, 2015 at 8:37 pm

    hi, i need to do exactly the same.
    i worked with Microsoft isa server as a firewall, and now im moving to vyatta firewall.
    sometimes i need to see the traffic flow, or a rule denying something, but i dont know how.
    i try to use
    monitor firewall
    but i didn’t see anything.can you provided me an example of an output when you use the monitor firewall command? sorry for my english.
    thank you

  2. cjcott01 March 4, 2015 at 6:30 am

    Hi Jei, you would have to put the log keyword in to get that data. I will modify this post with an example tomorrow.

    • jei March 9, 2015 at 1:36 pm

      hi, thank you for the answer, I was on vacation, so now is when i can try it.
      i think , for your answer, that i need to configure mi firewall rules with action log to see what happens ?
      im waiting anxiously for the example 🙂
      thank you for your time.

      • cjcott01 March 10, 2015 at 3:44 am

        Hi Jei, I updated the post. Please let me know if this answers the question.

      • jei March 10, 2015 at 12:27 pm

        Hi, and thank you, really thank you for your time and for share your knowledge.
        I understand clearly the examples, and the output.
        I need to try it, and see what happens.
        The only difference that i can see, is that im using a zone firewall,i have rules set , applying from a zone to another zone, and the zone have a # of interfaces that belongs to it.
        Maybe i cant monitor firewall rules because im using Zone-Based firewall?
        Anyway, i’ll try like your example,and if i can monitor the firewall, maybe i need to rethink and reconfigure my firewall, because the fact of monitor its very important to me.
        Right now, i solve situations whit conntrack and tcpdump, but i need to be very creative to use it :-)) and many many times , even when i see the traffic , i take my time to understand it.
        Anyway, thank you.

  3. jei March 30, 2015 at 3:29 pm

    hi!, i testing in my lab environment, without zoning, and it work fine.im traying the zoning now, let see whats happens.
    thank you for the help.

    • jei April 28, 2015 at 1:46 pm

      well, test complete, maybe im doing something wrong, but when i use zoning, not show any statistics or packets using the monitor firewall rule X.
      interesting…..
      thank you for the help.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: