At the end of the document there might be something very interesting:
Quote: The following Visual Basic script, provided by Microsoft, was applied to the ISA Server to allow the firewall to log traffic that did not have predefined protocols. The script is included below.

Sub GOTP_ADD()
    ' Script arguments are collected but not used by this script
    Set args = WScript.Arguments
    ' Connect to the ISA Server administration COM root object
    Set ISA = CreateObject("FPC.Root")
    ' Protocols collection of the application filter identified by this GUID (as posted)
    Set IssFilterProtocols = ISA.Arrays.GetContainingArray.Extensions.ApplicationFilters.Item("{9649A5E0-52A4-4E2A-831D-DE093CCB6B05}").Protocols
    ' Add the protocol definition (GUID as posted, with the stray space inside the braces removed)
    Set IssFilterProtocol = IssFilterProtocols.Add("{5113da08-2a66-4822-9b2d-6b72ff4dd96b}", "Generic Outbound Traffic protocol")
    IssFilterProtocol.Description = "All range (1 - 65535)"
    ' Primary connections: TCP outbound and UDP send (direction code 1), ports 1 through 65535
    IssFilterProtocol.PrimaryConnections.AddTCP 1, 1, 65535
    IssFilterProtocol.PrimaryConnections.AddUDP 1, 1, 65535
    ' Persist the new definition to the ISA configuration
    IssFilterProtocols.Save
End Sub

GOTP_ADD
If you execute this script, a new application filter protocol is created for TCP Outbound and UDP Send, both with all ports (1-65535).
I have not tested it yet. Just run the script on one ISA test server. If I find some spare time, I will definitely look at it in more detail. In the meantime, I see two interesting points.
Firstly, the lab report says "The following visual basic script, provided by Microsoft, was applied to the ISA Server to allow the firewall to log traffic that did not have predefined protocols." This seems to indicate that outbound requests with no protocol definition associated with them are *not* logged. Of course, those packets will never pass because there can be no matching protocol rule *unless* everything is allowed. Definitely worth investigating further.
RE: Extending the ISA firewall logging - 10.Jun.2002 5:02:00 PM
Guest
The problem is as he outlines:
If you're using SecureNAT, at least (I don't use the Firewall client), then any attempts to go outside for which there isn't a defined protocol aren't logged! Pretty scary, huh? The packet won't pass, but you won't know the attempt was ever made.
It creates it as an "application filter," though it doesn't list it with the normal application filters -- it lists it in the 'protocols' section. Look at the properties of it, though, and it has the same format as the other app filters.
Once it's there, it's easy enough to see it'll log everything outbound -- try running a port scan on a host outside the firewall, or just try to telnet to several unusual ports on any host.
Thanks for the input. The ICSA has only tested the ISA server in a pure SecureNAT environment. So, I'm pretty sure you are right about the logging for SecureNAT clients.
OK, that is where I was having difficulty seeing where the problem was. I typically run all Firewall client boxes, except for published servers. However, it would be good to have this information from published servers! I'll test this out on a lab box.
Hi there
Sorry for opening this issue but I thought it best to make my comment here.
I have been playing with the Extended Logging script that was posted here and I have noticed something interesting.
After the "Generic Outbound Traffic" protocol definition has been created and it is allowed within the relevant Protocol Rule, if I restart my ISA Services I get the following message in my Win2K Event Log, and the Web Proxy Service does not start:

Event ID: 7024
Description: The Microsoft Web Proxy service terminated with service-specific error 2147942487.
Anyway, after removing this custom protocol definition from the protocol rule, everything was working again.
I've installed that protocol definition on two different ISA installations and have not yet encountered any problem. However, the definition is just there. I don't use it in any protocol rule.
According to your experiment, it seems you can't really use it. So, this special protocol definition can only be used for extending the logging, nothing more and nothing less. Very interesting information!
Hi, have you noticed any performance hit using this script, or is it possible to easily remove or disable it? I'm not sure if I dare install this, although I am very tempted as it does explain/help a lot of my ISA headaches...
I have *not* yet noticed any performance hit using this script. Also, it seems not possible to easily remove or disable it through the MMC. Of course you can always hack the registry.
Keep in mind that the purpose of the script is to add a generic protocol definition for enhancing the logging for SecureNAT clients only. So, I don't think it could have a negative effect on the performance.
Hi Stefaan, thanks for your quick reply! As it seems harmless, I will test the script. I'll let you know my experience with it when I'm back from vacation in a week.
I've got this script/protocol on our server. But now I see in the logs both "Generic outbound traffic" and "Unknown". Am I wrong, or should the "Unknown" be gone, since all the traffic is at least "Generic....."?
The Generic Outbound Traffic protocol defines only TCP and UDP traffic. So, any other IP protocol will not be covered by this definition.
Because I typically run all Firewall client workstations, I have not yet seen many 'Unknown' protocols in the ISA logs. Can you post some examples of it?
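The two questions in the thread (why "Unknown" entries remain next to "Generic Outbound Traffic", and how much the definition inflates the log) can be checked against the log itself. The following Python script is an added example, not code from the thread or from Microsoft. It assumes a W3C-style firewall log with a `#Fields:` header and tab-separated columns, that `sc-status` 0 means the packet was allowed and any other value means it was denied, and that entries with a transport other than TCP or UDP are logged under the protocol name `Unknown`; the field names and all log lines are constructed sample data, not a real ISA Server log.

```python
"""Summarise what the "Generic Outbound Traffic" definition adds to an
ISA-style firewall log.  Added example; log format, field names, status
convention and every sample line below are ASSUMPTIONS / constructed data."""
from collections import Counter, defaultdict

# Protocol name exactly as the posted script creates it
GENERIC = "Generic Outbound Traffic protocol"

# Constructed sample log: W3C extended style, tab-separated, '#' = directive
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample in the style of an ISA Server firewall log",
    "#Fields: c-ip\tdate\ttime\tr-ip\tr-port\tcs-protocol\tcs-transport\tsc-status\trule#1",
    "10.0.0.5\t2002-06-10\t17:02:01\t192.0.2.10\t80\tHTTP\tTCP\t0\tAllow Web",
    "10.0.0.5\t2002-06-10\t17:02:03\t192.0.2.10\t8081\t" + GENERIC + "\tTCP\t87\t-",
    "10.0.0.5\t2002-06-10\t17:02:04\t192.0.2.10\t8082\t" + GENERIC + "\tTCP\t87\t-",
    "10.0.0.5\t2002-06-10\t17:02:05\t192.0.2.10\t8083\t" + GENERIC + "\tTCP\t87\t-",
    "10.0.0.7\t2002-06-10\t17:03:10\t192.0.2.20\t53\tDNS\tUDP\t0\tAllow DNS",
    "10.0.0.7\t2002-06-10\t17:03:11\t192.0.2.20\t-\tUnknown\tICMP\t87\t-",
    "10.0.0.9\t2002-06-10\t17:04:00\t192.0.2.30\t6667\t" + GENERIC + "\tTCP\t87\t-",
])


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.
    Raises ValueError on a data line that precedes or disagrees with #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no data
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
            records.append(dict(zip(fields, values)))
    return records


def protocol_counts(records):
    """How many log lines each protocol definition accounts for."""
    return Counter(r["cs-protocol"] for r in records)


def denied_generic_by_client(records):
    """Distinct (transport, port) pairs per client that matched only the generic
    definition and were denied: the attempts that were invisible before it existed."""
    ports = defaultdict(set)
    for r in records:
        if r["cs-protocol"] == GENERIC and r["sc-status"] != "0":
            ports[r["c-ip"]].add((r["cs-transport"], r["r-port"]))
    return {ip: sorted(p) for ip, p in ports.items()}


def unknown_entries(records):
    """Entries the generic definition cannot cover because the transport is
    neither TCP nor UDP; these are why 'Unknown' still shows up in the log."""
    return [r for r in records if r["cs-protocol"] == "Unknown"]


def extra_log_share(records):
    """Fraction of lines that exist only because of the generic definition,
    a rough measure of the log growth mentioned in the thread."""
    generic = sum(1 for r in records if r["cs-protocol"] == GENERIC)
    return generic / len(records) if records else 0.0


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print("lines per protocol:", dict(protocol_counts(recs)))
    print("denied generic attempts per client:", denied_generic_by_client(recs))
    print("still Unknown (non TCP/UDP):", [(r["c-ip"], r["cs-transport"]) for r in unknown_entries(recs)])
    print(f"share of log due to generic definition: {extra_log_share(recs):.0%}")
```

On the constructed sample the script shows one client touching three consecutive unusual ports under the generic definition (the kind of pattern the thread says a port scan produces), one ICMP entry that stays `Unknown` because the definition covers only TCP and UDP, and the generic definition accounting for just over half of the lines, which is the log-size effect the last post complains about.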
Alright, so once the script has been run and the protocol app filter is installed, how do you remove it? I realize I can disallow access to it but wish to remove it. It works great for troubleshooting, but if you have a lot of traffic it can make your log files pretty big. Thanks