ISAserver.org Forums >> [ISA Server 2000 Misc.] >> Tips & Tricks

Extending the ISA firewall logging
Extending the ISA firewall logging - 2.Jun.2002 9:00:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi,

Some time ago, I stumbled upon the ICSA Firewall Lab Report for the ISA server. You can find it at
http://www.icsalabs.com/html/communities/firewalls/certification/rxvendors/microsoftisas2000/labreport_cid303.shtml .

At the end of the document there might be something very interesting:
quote:
The following visual basic script, provided by Microsoft, was applied to the ISA Server to allow the firewall to log traffic that did not have predefined protocols. The script is included below.

Sub GOTP_ADD()
' Create some arguments (not used further in this script)
Set args = Wscript.Arguments
' Connect to the ISA Server administration COM object
Set ISA = CreateObject("FPC.Root")
' Get the protocol collection of the application filter identified by this GUID
Set IssFilterProtocols = ISA.Arrays.GetContainingArray.Extensions.ApplicationFilters.Item("{9649A5E0-52A4-4E2A-831D-DE093CCB6B05}").Protocols
' Add the protocol definition (no whitespace is allowed inside the GUID string)
Set IssFilterProtocol = IssFilterProtocols.Add("{5113da08-2a66-4822-9b2d-6b72ff4dd96b}","Generic Outbound Traffic protocol")
IssFilterProtocol.Description = "All range (1 - 65535)"
' Primary connections: TCP outbound on ports 1-65535 and UDP send on ports 1-65535
IssFilterProtocol.PrimaryConnections.AddTCP 1, 1, 65535
IssFilterProtocol.PrimaryConnections.AddUDP 1, 1, 65535
' Persist the change to the ISA configuration
IssFilterProtocols.Save
End Sub
GOTP_ADD

If you execute this script, a new application filter protocol is created for TCP Outbound and UDP Send both with All ports (1-65535).

HTH,
Stefaan
Post #: 1
RE: Extending the ISA firewall logging - 7.Jun.2002 6:29:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Stefaan,

What do you see in the logs after you make this change?

Thanks!

Tom

(in reply to spouseele)
Post #: 2
RE: Extending the ISA firewall logging - 7.Jun.2002 8:31:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tom,

I have not tested it yet. I just ran the script on one ISA test server. If I find some spare time, I will definitely look at it in more detail. [Big Grin] In the meantime, I see two interesting points.

Firstly, the lab report says "The following visual basic script, provided by Microsoft, was applied to the ISA Server to allow the firewall to log traffic that did not have predefined protocols." This seems to indicate that outbound requests with no protocol definition associated with them are *not* logged. Of course, those packets will never pass because there can be no matching protocol rule *unless* everything is allowed. Definitely worth investigating further.

Secondly, the script seems to prove you can create a protocol definition with a port range for the primary connection. Hmm... very, very interesting! Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=18;t=000009 .

HTH,
Stefaan

(in reply to spouseele)
Post #: 3
RE: Extending the ISA firewall logging - 10.Jun.2002 5:02:00 PM   
Guest
The problem is as he outlines:

If you're using SecureNAT, at least (I don't use the Firewall client), then any attempts to go outside for which there isn't a defined protocol aren't logged! Pretty scary, huh? The packet won't pass, but you won't know the attempt was ever made..

It creates it as an "application filter," though it doesn't list it with the normal application filters -- it lists it in the 'protocols' section. Look at the properties of it, though, and it has the same format as the other app filters.

Once it's there, it's easy enough to see it'll log everything outbound -- try running a port scan on a host outside the firewall, or just try to telnet to several unusual ports on any host.

(in reply to spouseele)
  Post #: 4
RE: Extending the ISA firewall logging - 10.Jun.2002 10:13:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi me,

thanks for the input. The ICSA has only tested the ISA server in a pure SecureNAT environment. So, I'm pretty sure you are right about the logging for SecureNAT clients.

Thanks,
Stefaan

(in reply to spouseele)
Post #: 5
RE: Extending the ISA firewall logging - 11.Jun.2002 8:15:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hey guys,

OK, that is where I was having difficulty seeing where the problem was. I typically run all Firewall client boxes, except for published servers. However, it would be good to have this information from published servers! I'll test this out on a lab box.

Thanks!

Tom

(in reply to spouseele)
Post #: 6
RE: Extending the ISA firewall logging - 30.Jul.2002 11:42:00 AM   
wi11iam

 

Posts: 173
Joined: 29.May2002
From: Middelburg, South Africa
Status: offline
Hi there

Sorry for opening this issue but I thought it best to make my comment here.

I have been playing with the Extended Logging script that was posted here and I have noticed something interesting.

After the "Generic Outbound Traffic" protocol definition has been created and it is allowed within the relevant Protocol Rule, if I restart my ISA Services I get the following message in my Win2K Event Log, and the Web Proxy Service does not start:
Event ID: 7024
Description: The Microsoft Web Proxy service terminated with service-specific error 2147942487.

Anyway, after removing this custom protocol definition from the protocol rule, everything was working again.

Cheers
William R.

(in reply to spouseele)
Post #: 7
RE: Extending the ISA firewall logging - 30.Jul.2002 12:22:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi William,

I've installed that protocol definition on two different ISA installations and have not yet encountered any problem. However, the definition is just there. I don't use it in any protocol rule.

According to your experiment, it seems you can't really use it. So, this special protocol definition can only be used for extending the logging, nothing more and nothing less. Very interesting information!

Thanks,
Stefaan

(in reply to spouseele)
Post #: 8
RE: Extending the ISA firewall logging - 4.Aug.2002 1:40:00 PM   
Ole Kristian

 

Posts: 18
Joined: 4.Aug.2002
From: Norway
Status: offline
Hi,
have you noticed any performance hit using this script, or is it possible to easily remove or disable it?
I'm not sure if I dare install this, although I am very tempted as it does explain/help a lot of my ISA headaches... [Smile]

- Ole Kristian

(in reply to spouseele)
Post #: 9
RE: Extending the ISA firewall logging - 4.Aug.2002 2:48:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Ole,

I have *not* yet noticed any performance hit using this script. Also, it seems not possible to easily remove or disable it through the MMC. Of course you can always hack the registry.

Keep in mind that the purpose of the script is to add a generic protocol definition for enhancing the logging for SecureNAT clients only. So, I don't think it could have a negative effect on the performance.

HTH,
Stefaan

(in reply to spouseele)
Post #: 10
RE: Extending the ISA firewall logging - 4.Aug.2002 8:11:00 PM   
Ole Kristian

 

Posts: 18
Joined: 4.Aug.2002
From: Norway
Status: offline
Hi Stefaan, thanks for your quick reply!
As it seems harmless, I will test the script. I'll let you know my experience with it when I'm back from vacation in a week.

- Ole Kristian

(in reply to spouseele)
Post #: 11
RE: Extending the ISA firewall logging - 2.Sep.2002 1:33:00 PM   
Danny

 

Posts: 21
Joined: 31.Aug.2001
Status: offline
Hi Stefaan,

I've got this script/protocol on our server. But now I see in the logs both "Generic outbound traffic" & "Unknown".
Am I wrong, or should the "Unknown" be gone, since all the traffic is at least "Generic....."?

Danny

(in reply to spouseele)
Post #: 12
RE: Extending the ISA firewall logging - 2.Sep.2002 10:21:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Danny,

the Generic Outbound Traffic protocol defines only TCP and UDP traffic. So, any other IP protocol will not be covered by this definition.

Because I typically run all Firewall client workstations, I have not yet seen many 'unknown' protocols in the ISA logs. Can you post some examples of them?

HTH,
Stefaan

(in reply to spouseele)
Post #: 13
RE: Extending the ISA firewall logging - 2.Jun.2004 3:56:00 PM   
Rgrotewold

 

Posts: 9
Joined: 5.Sep.2002
Status: offline
Alright, so once the script has been run and the protocol app filter is installed, how do you remove it? I realize I can disallow access to it but wish to remove it. It works great for troubleshooting, but if you have a lot of traffic it can make your log files pretty big. Thanks.

(in reply to spouseele)
Post #: 14
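As an added example (not from the thread or the ICSA report), here is a VBScript that uses the same FPC.Root COM object and application filter GUID as the Microsoft script to check whether the "Generic Outbound Traffic protocol" is registered, lists what the filter carries, and removes the definition again when run with a /remove switch, which is the question raised in this last post. It assumes that the filter's Protocols collection can be enumerated with For Each and that it exposes a Remove(Name) method as other FPC collections do; the /remove switch and the variable names are my own conventions, and the script must be run with cscript on the ISA server itself.

```vbscript
' Added example, not part of the thread or the ICSA lab report.
' Checks for the Generic Outbound Traffic protocol on the ISA 2000 application
' filter targeted by the original script and optionally removes it.
' Assumption: the Protocols collection supports For Each and Remove(Name).
Option Explicit

Const FILTER_GUID = "{9649A5E0-52A4-4E2A-831D-DE093CCB6B05}"   ' GUID from the original script
Const GOTP_NAME   = "Generic Outbound Traffic protocol"          ' name given in the original Add call

Dim args, isa, filterProtocols, proto, found, wantRemove

Set args = WScript.Arguments
wantRemove = False
' Avoid indexing args when it is empty: VBScript's And does not short-circuit
If args.Count > 0 Then wantRemove = (LCase(args(0)) = "/remove")

Set isa = CreateObject("FPC.Root")
Set filterProtocols = isa.Arrays.GetContainingArray.Extensions.ApplicationFilters.Item(FILTER_GUID).Protocols

' Enumerate every protocol registered on this filter and look for ours
found = False
For Each proto In filterProtocols
    WScript.Echo "Filter protocol: " & proto.Name & " (" & proto.Description & ")"
    If StrComp(proto.Name, GOTP_NAME, vbTextCompare) = 0 Then found = True
Next

If Not found Then
    ' Without the definition, SecureNAT attempts on undefined ports are dropped without a log entry
    WScript.Echo GOTP_NAME & " is NOT registered; undefined-port attempts from SecureNAT clients will not be logged."
ElseIf wantRemove Then
    ' Assumed API: Remove(Name) followed by Save, mirroring the Add/Save pair in the original script
    filterProtocols.Remove GOTP_NAME
    filterProtocols.Save
    WScript.Echo GOTP_NAME & " removed from the filter and configuration saved."
Else
    ' The definition only covers TCP and UDP 1-65535; other IP protocols still appear as Unknown
    WScript.Echo GOTP_NAME & " is registered (TCP and UDP 1-65535 only). Run with /remove to delete it."
End If
```

Run it as `cscript gotp_check.vbs` to audit the filter, or `cscript gotp_check.vbs /remove` to take the definition out again; if the Remove call fails on your build, the assumption about the collection's API does not hold for it, and the registry route mentioned earlier in the thread remains the fallback.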