Motorola Wing 5 Manual
Have a look at the manual Motorola Wing 5 Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 249 Motorola manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
FIREWALL LOGGING 25 - 5 25.1.3 UDP packets log In both DHCP release and DHCP renew scenarios, the destination port 67 is logged. DHCP Release Jul 25 11:57:43 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:1 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:172.16.31.196 Proto:17 Src Port:68 Dst Port:67. DHCP Renew Jul 25 11:58:48 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:1 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:0.0.0.0 Dst IP:255.255.255.255 Proto:17 Src Port:68 Dst Port:67. To generate a UDP packet log, an ACL rule has to be applied to UDP packets, and logging has to be enabled. For example, rfs7000-37FABE(config-ip-acl-test)#permit udp any any log rule-precedence 20 rfs7000-37FABE(config-ip-acl-test)#
25 - 6 WiNG CLI Reference Guide 25.1.4 ICMP type logs The example below displays an ICMP Type as 13 and an ICMP Code as 0: Jul 25 12:00:00 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:192.168.1.103 Proto:1 ICMP Type:13 ICMP Code:0. The below example displays an ICMP Type as 15 and an ICMP Code as 0: Jul 25 12:00:07 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.1.104 Dst IP:192.168.2.102 Proto:1 ICMP Type:15 ICMP Code:0. The below example displays an ICMP Type as 17 and an ICMP Code as 0: Jul 25 12:00:25 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:0 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.2.102 Dst IP:192.168.1.103 Proto:1 ICMP Type:17 ICMP Code:0. The below example displays an ICMP Type as 18 and an ICMP Code as 0: Jul 25 12 01:00:24 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 18. Reason: no flow matching payload of ICMP Reply. Module name is DATAPLANE Syslog Severity level is 5 Log ID is ICMPPKTDROP Log Message is Dropping ICMP Packet To generate an ICMP log, an ACL rule has to be applied on ICMP packets, and logging has to be enabled. For example, the following commands have to be executed: rfs7000-37FABE(config-ip-acl-test)#permit icmp any any log rule-precedence 20 rfs7000-37FABE(config-ip-acl-test)#
FIREWALL LOGGING 25 - 7 25.1.5 ICMP type logs The following example displays an ICMP Type as 3 and a Code as 3: Jul 25 12:03:00 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 3 and ICMP type 3. Reason: no flow matching payload of ICMP Error. Module name is DATAPLANE Syslog Severity level is 5 Log ID is ICMPPKTDROP Log Message is Dropping ICMP Packet The following example displays an ICMP Type as 4 and a Code as 0: Jul 25 12:04:06 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 4. Reason: ICMP dest IP does not match inner source IP. The following example displays an ICMP Type as 5 and a Code as 0: Jul 25 12:05:00 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 5. Reason: ICMP dest IP does not match inner source IP. The following example displays an ICMP type as 11 and a Code as 0: Jul 25 12:06:00 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.2.102 to 192.168.1.103, with ProtocolNumber:1 ICMP code 0 and ICMP type 11. Reason: ICMP dest IP does not match inner source IP. The following example displays an ICMP type as 14 and a Code as 0: Jul 25 12:07:00 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 14. Reason: no flow matching payload of ICMP Reply. The following example displays an ICMP type as 16 and a Code as 0: Jul 25 12:10:11 2011: %DATAPLANE-5-ICMPPKTDROP: Dropping ICMP Packet from 192.168.1.104 to 192.168.2.102, with ProtocolNumber:1 ICMP code 0 and ICMP type 16. Reason: no flow matching payload of ICMP Reply. To generate an ICMP log, logging has to be enabled. For example, the following commands has to be executed: rfs7000-37FABE(config-fw-policy-default)#logging icmp-packet-drop all rfs7000-37FABE(config-fw-policy-default)#
25 - 8 WiNG CLI Reference Guide 25.1.6 Raw IP Protocol logs The following example displays a TCP header length as less than 20 bytes: Jul 25 12:11:50 2011: %DATAPLANE-4-DOSATTACK: INVALID PACKET: TCP header length less than 20 bytes : Src IP : 192.168.2.102, Dst IP: 192.168.1.104, Src Mac: 00-11-25-14-D9-E2, Dst Mac: 00-15-70-81-91-6A, Proto = 6. Module name is DATAPLANE Syslog Severity level is 4 Log ID is DOSATTACK Log Message is INVALID PACKET Jul 25 12:12:00 2011: %DATAPLANE-5-MALFORMEDIP: Dropping IPv4 Packet from 192.168.2.102 to 192.168.1.104 Protocol Number: 6. Reason: malformed TCP header. Module name is DATAPLANE Syslog Severity level is 5 Log ID is MALFORMEDIP Log Message is Dropping IPv4Packet To generate a raw IP protocol log, logging has to be enabled. For example, the following commands has to be executed: rfs7000-37FABE(config-fw-policy-default)# logging verbose rfs7000-37FABE(config-fw-policy-default)# rfs7000-37FABE(config-fw-policy-default)# logging malformed-packet-drop all rfs7000-37FABE(config-fw-policy-default)# When logging verbose is enabled, the log is displayed as: Jul 25 12:15:21 2011: %DATAPLANE-5-MALFORMEDIP: Dropping IPv4 Packet from 192.168.0.91 to 192.168.0.1 Protocol Number: 6 SrcPort: 22616 DstPort: 22616 Reason: no matching TCP flow. Module name is DATAPLANE Syslog Severity level is 5 Log ID is MALFORMEDIP Log Message is Dropping IPv4Packet
FIREWALL LOGGING 25 - 9 25.1.7 Raw IP Protocol logs The following example displays TCP without data: Jul 25 12:16:50 2011: %DATAPLANE-4-DOSATTACK: INVALID PACKET: TCP header length less than 20 bytes : Src IP : 192.168.2.102, Dst IP: 192.168.1.104, Src Mac: 00-11-25-14-D9-E2, Dst Mac: 00-15-70-81-91-6A, Proto = 6. Jul 25 12:16:55 2011: %DATAPLANE-5-MALFORMEDIP: Dropping IPv4 Packet from 192.168.2.102 to 192.168.1.104 Protocol Number: 6. Reason: malformed TCP header. To generate a raw IP protocol log, logging has to be enabled. For example, the following commands has to be executed: rfs7000-37FABE(config-fw-policy-default)# logging verbose rfs7000-37FABE(config-fw-policy-default)# rfs7000-37FABE(config-fw-policy-default)# logging rawip-packet-drop all rfs7000-37FABE(config-fw-policy-default)# When logging verbose is enabled, the log is displayed as: Jul 25 12:20:30 2011: %DATAPLANE-4-DOSATTACK: INVALID PACKET: TCP header length less than 20 byt es : Src IP : 192.168.0.91, Dst IP: 192.168.0.1, Src Mac: 00-16-36-05-72-2A, Dst Mac: 00-23-68-22-C8-6E, Proto = 6. Jul 25 12:22:49 2011: %DATAPLANE-5-MALFORMEDIP: Dropping IPv4 Packet from 192.168.0.91 to 192.168.0.1 Protocol Number: 6 . Reason: malformed TCP header. Module name is DATAPLANE Syslog Severity level is 4 Log ID is DOSATTACK Log Message is INVALID PACKET
25 - 10 WiNG CLI Reference Guide 25.1.8 Firewall startup log The following example displays an enabled firewall. A firewall enabled message is displayed in bold. System bootup time (via /proc/uptime) was 93.42 42.52 Please press Enter to activate this console. May 19 20:10:09 2010: %NSM-4-IFUP: Interface vlan2 is up Jul 25 12:25:09 2011: KERN: vlan2: add 01:00:5e:00:00:01 mcast address to master interface. Jul 25 12:25:09 2011: %NSM-4-IFUP: Interface vlan172 is up Jul 25 12:25:09 2011: KERN: vlan172: add 01:00:5e:00:00:01 mcast address to master interface. Jul 25 12:25:09 2011: %PM-6-PROCSTART: Starting process /usr/sbin/lighttpd Jul 25 12:25:09 2011: %FILEMGMT-5-HTTPSTART: lighttpd started in external mode with pid 0 Jul 25 12:25:09 2011: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Jul 25 12:25:09 2011: %USER-5-NOTICE: FILEMGMT[1086]: FTP: ftp server stopped Jul 25 12:25:09 2011: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Jul 25 12:25:09 2011: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan1 Jul 25 12:25:09 2011: %DAEMON-3-ERR: dhcrelay: interface allocate : vlan2 Jul 25 12:25:09 2011: %DOT11-5-COUNTRY_CODE: Country of operation configured to in [India] Jul 25 12:25:09 2011: %DIAG-6-NEW_LED_STATE: LED state message AP_LEDS_ON from module DOT11 Jul 25 12:25:09 2011: %PM-6-PROCSTART: Starting process /usr/sbin/telnetd Jul 25 12:25:09 2011: %AUTH-6-INFO: sshd[1422]: Server listening on 0.0.0.0 port 22. dataplane enabled CCB:21:Firewall enabled Jul 25 12:25:09 2011: %KERN-4-WARNING: dataplane enabled. Jul 25 12:25:09 2011: %DATAPLANE-5-FWSTARTUP: Firewall enabled. Jul 25 12:25:09 2011: USER: cfgd: handle_cluster_member_update Jul 25 12:25:09 2011: USER: cfgd: ignoring, no cluster configured Jul 25 12:25:09 2011: %PM-6-PROCSTART: Starting process /usr/sbin/sshd
FIREWALL LOGGING 25 - 11 25.1.9 Manual time change log The following example displays the manual time change log. The clock is manually set to Jul 25 12:25:33 2011. Log change in time rfs7000-37FABE#show clock 2011-07-25 12:25:33 UTC rfs7000-37FABE# rfs7000-37FABE#clock set 12:25:33 25 Jul 2011 Jul 25 12:25:33 2011: %[S1]CFGD-6-SYSTEM_CLOCK_RESET: System clock reset, Time: 2011-07-25 12:45:00[S2] rfs7000-37FABE#show clock Jul 25 12:45:00 UTC 2011 rfs7000-37FABE# To generate a time log, logging has to be enabled For example, the following command has to be executed: rfs7000-37FABE#clock set 12:45:00 25 Jul 2011 rfs7000-37FABE#
25 - 12 WiNG CLI Reference Guide 25.1.10 Firewall ruleset log The following example displays the log changes as ‘ACL_ATTACHED_ALTERED’ when an ACL Rule is applied/removed on WLAN, VLAN, GE, and PORT-CHANNEL: IP ACL IN on WLAN Attach July 28 12:48:40 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered USER: The user who is doing the change session: means the session id of the user - one user can have multiple sessions running, so this explains from which session this change was done ACL: Name of the ACL that has rules added/deleted IP ACL IN on WLAN Remove July 28 12:48:42 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. IP ACL OUT on WLAN Attach July 28 12:48:44 2011 2010: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. IP ACL OUT on WLAN Remove July 28 12:48:50 2011 2010: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. MAC ACL IN on WLAN Attach July 28 12:48:55 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. MAC ACL IN on WLAN Remove July 28 12:48:572011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. MAC ACL OUT on WLAN Attach July 28 12:49:00 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. MAC ACL OUT on WLAN Remove July 28 12:49:06 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to wlan ICSA-testing is getting altered. IP ACL on VLAN Attach July 28 12:49:10 201: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface vlan1 is getting altered. IP ACL on VLAN Remove July 28 12:49:12 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface vlan1 is getting altered. IP ACL on GE Port Attach July 28 12:49:15 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface ge1 is getting altered.
FIREWALL LOGGING 25 - 13 IP ACL on GE Port Remove July 28 12:49:20 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface ge1 is getting altered. MAC ACL on GE Port Attach July 28 12:49:22 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface ge1 is getting altered. MAC ACL on GE Port Remove July 28 12:49:24 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface ge1 is getting altered. IP ACL on Port-Channel Attach July 28 12:49:30 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface port-channel1 is getting altered. IP ACL on Port-Channel Remove July 28 12:50:00 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface port-channel1 is getting altered. MAC ACL on Port-Channel Attach July 28 12:50:01 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface port-channel1 is getting altered. MAC ACL on Port-Channel Remove July 28 12:50:05 2011: %CFGD-6-ACL_ATTACHED_ALTERED: USER: root session 3: ACL attached to interface port-channel1 is getting altered. Rule added / deleted from IP/MAC ACL Feb 26 20:32:56 2011: %CFGD-6-ACL_RULE_ALTERED: USER: admin session 3: ACL foo rule is getting altered.
25 - 14 WiNG CLI Reference Guide 25.1.11 TCP Reset Packets log For any change in the TCP configuration, a TCP reset log is generated. The following example displays the initial TCP packets permitted before the session timedout: July 28 20:31:26 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:1 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.1.99 Dst IP:192.168.2.102 Proto:6 Src Port:3318 Dst Port:21. July 28 20:31:31 2011: %DATAPLANE-5-LOGRULEHIT: Matched ACL:ftpuser:ip Rule:1 Disposition:Allow Packet Src MAC: Dst MAC: Ethertype:0x0800 Src IP:192.168.1.99 Dst IP:192.168.2.102 Proto:6 Src Port:3318 Dst Port:21.