Wired Intelligent Edge

  • 1.  AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

    Posted Jun 07, 2020 05:53 AM

    Re: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

     

    It appears there are certain flavors of ACL/ACE ESTABLISHED entries that force a debug Permitted LOG.  See the attached TXT file for AOS-CX CLI commands and LOG results.

     

    Note, there is no LOG parameter on the PERMITTED established ACE.

     

    Below is a sampling of the attached file:

    2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in



  • 2.  RE: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)
    Best Answer

    Posted Jun 08, 2020 05:14 AM

    Correct. From the ACL config guide:

    "log
    Keeps a log of the number of packets matching this ACE. The action log can only be combined with deny, not
    permit. The 8320 and 8325 switches do not support logging for ACLs applied on the egress."

     

    You can raise this limitation to your local Aruba contact for relaying to product manager.



  • 3.  RE: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

    Posted Jun 08, 2020 08:00 PM

    Hi Giles, am I mistaken (totally possible) or is the OP asking instead why permitted actions related to a permitting ACE without any log operand are logged?

     

    ACE:

    44 permit tcp XYZ-OBJECT-IPV4-1111-EMP-WIFI DTS-ALL-OBJECT-IPV4-NET-0-0-0-0 established count

    Logs:

    2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in
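    The ACL event line quoted in posts 1 and 3 has a fixed shape, so a short parser makes it easy to check which ACEs are actually producing log events and whether any of them are "permitted" events from ACEs that carry no log keyword. The following is an added example written for this thread, not code from the original posts or from Aruba: the first sample line is the one quoted above, the remaining lines are constructed in the same shape, and the "denied" wording for deny events is an assumption (the thread only shows permitted events). Run it over a syslog export before and after a firmware change to confirm whether the permit/established logging described here has gone away.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input. Line 1 is the event quoted in the thread; lines 2-3
# are made up in the same shape (the "denied" wording is an assumption); the
# last line is noise that the parser must skip.
SAMPLE_LOG = """\
2020-06-05T09:09:52.204625-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.51(50139) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in
2020-06-05T09:10:01.000000-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 44 permitted tcp 10.70.1.52(50201) -> 192.168.88.210(3389) on vlan 1111, port 1/1/44, direction in
2020-06-05T09:10:05.000000-05:00 XYZ-1111-IN ops-switchd[3242]: Event|10001|LOG_INFO|AMM|1/1|List XYZ-1111-IN, seq# 90 denied udp 10.70.1.53(5353) -> 224.0.0.251(5353) on vlan 1111, port 1/1/44, direction in
2020-06-05T09:10:09.000000-05:00 XYZ-1111-IN kernel: unrelated line that must be ignored
"""

# Regex built from the quoted event line. Field names are our own labels.
ACL_EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) ops-switchd\[\d+\]: "
    r"Event\|(?P<event_id>\d+)\|(?P<severity>[^|]+)\|AMM\|[^|]+\|"
    r"List (?P<acl>\S+), seq# (?P<seq>\d+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\) "
    r"on vlan (?P<vlan>\d+), port (?P<port>[^,]+), direction (?P<direction>\w+)$"
)


@dataclass(frozen=True)
class AclEvent:
    ts: str
    host: str
    acl: str
    seq: int
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    vlan: int
    port: str
    direction: str


def parse_acl_events(text: str) -> list[AclEvent]:
    """Return one AclEvent per line that matches the ACL log format; skip the rest."""
    events = []
    for line in text.splitlines():
        m = ACL_EVENT_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append(AclEvent(
            ts=d["ts"], host=d["host"], acl=d["acl"], seq=int(d["seq"]),
            action=d["action"], proto=d["proto"],
            src=d["src"], sport=int(d["sport"]), dst=d["dst"], dport=int(d["dport"]),
            vlan=int(d["vlan"]), port=d["port"], direction=d["direction"],
        ))
    return events


def summarize(events: list[AclEvent]) -> Counter:
    """Count events per (ACL name, ACE seq#, action) so noisy ACEs stand out."""
    return Counter((e.acl, e.seq, e.action) for e in events)


def unexpected_permit_seqs(events: list[AclEvent]) -> set[tuple[str, int]]:
    """ACEs that logged a 'permitted' event.

    Per the ACL config guide quoted in this thread, log can only be combined with
    deny, so any permitted event points at the behaviour the thread discusses.
    """
    return {(e.acl, e.seq) for e in events if e.action == "permitted"}


if __name__ == "__main__":
    evs = parse_acl_events(SAMPLE_LOG)
    for key, n in sorted(summarize(evs).items()):
        print(f"{key[0]} seq# {key[1]} {key[2]}: {n} event(s)")
    for acl, seq in sorted(unexpected_permit_seqs(evs)):
        print(f"check ACE seq# {seq} in list {acl}: permit events are being logged")
```

    Feeding the switch's syslog export to `parse_acl_events` and comparing `summarize` output across firmware versions gives a concrete answer to the question in this thread for your own ACLs, rather than relying on a single captured line.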



  • 4.  RE: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

    Posted Jun 09, 2020 04:46 AM


     

    Yes.  You worded the issue much better than I.

     

    The primary reason I wrote the original discussion is to see if any other airhead has seen this "permitted / established" LOGGING phenomenon.

     

    I am concerned that there may be security weaknesses when using an ACE ESTABLISHED.



  • 5.  RE: AOS-CX-TL.10.04 (ACL-LOG permitted ESTABLISHED Logging?)

    Posted Jul 06, 2020 06:01 PM

    20200720 (edit):  10.05.0001 (8320) so far has eliminated the ESTABLISHED permit logging.

     

    Yes, there is a TCP ESTABLISHED LOGGING bug.  See https://community.arubanetworks.com/t5/Wired-Intelligent-Edge-Campus/AOS-CX-TL-10-04-0041-DEBUG-ACL-LOG-logging-only-reveals-UDP-ACE/m-p/661120#M10098 for a related problem caused by the TCP PERMIT ...established BUG.