Can CS-MARS perform mitigation access-list on FWSM?

Hi guys!
I have a couple of questions:
1) Can CS-MARS perform mitigation access-list on FWSM?
2) How can I estimate how many events and NetFlows per second my MARS box receives?
Thanks

Don't do mitigation and don't have FWSM, so I can't answer your first question. Regarding the second... There are a couple of ways; neither is perfect, but they give you a good approximation.
a) Use the "Events and NetFlow" graph on the summary page. Divide the peak "avg/min" values by 60.
b) Collect the logs using the pnlog command in the CLI. In the janus-logs.tar.gz you will find a janus_log file. This is the same data shown in Admin->System Maintenance->View Log Files... except now you can search through it better. Use a tool like grep to pull out and sort the message rates. The last entry is your peak.
> grep "PN-2016" janus_log | cut -d" " -f7 | sort -n

Similar Messages

  • Need to know where I can view ACL denies regarding "access-list deny any log" ?

    I ask this question in the context of an SNMP access list. I am guessing that this line of config (access-list deny any log) will allow you to see which addresses were denied SNMP access.
    I need to know where I can view the source addresses from where the packets were dropped? Could this be just in sh log? Thanks in advance for any help. Cheers

    Hi,
    Yes, with an extended access-list with the last line:
    deny ip any any log
    with "sh log" you can see the source address of the packets being dropped.
    Take note that you must be at least in the logging level 6 (informational), by default console and monitor are in level 7 (debugging):
    logging console debugging
    logging monitor debugging
    With older IOS versions (before at least 12.4) you had to add the following lines at the bottom of the acl:
    access-list 101 deny   tcp any range 0 65535 any range 0 65535 log
    access-list 101 deny   udp any range 0 65535 any range 0 65535 log
    access-list 101 deny   icmp any any log
    access-list 101 deny   ip any any log
    to log the source and destination IPs and port numbers.
    Best Regards,
    Pedro Lereno
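
An added example, not part of the original reply: once the `log` keyword is on the deny lines, the `sh log` output can be tallied per ACL and source address. It goes slightly beyond the extended-ACL case above by also handling the standard-ACL message, assumes the common IOS `%SEC-6-IPACCESSLOG*` message layouts, and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output (not captured from a real device).
SAMPLE_LOG = """\
*Mar  1 00:10:02.111: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(40112) -> 198.51.100.5(23), 1 packet
*Mar  1 00:10:07.300: %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.10(53111) -> 198.51.100.5(161), 3 packets
*Mar  1 00:10:09.020: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.7 -> 198.51.100.5 (8/0), 1 packet
*Mar  1 00:10:15.480: %SEC-6-IPACCESSLOGNP: list 101 denied 47 203.0.113.7 -> 198.51.100.5, 2 packets
*Mar  1 00:10:20.000: %SEC-6-IPACCESSLOGS: list 10 denied 203.0.113.99 4 packets
*Mar  1 00:10:21.000: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.20(40000) -> 198.51.100.5(443), 1 packet
*Mar  1 00:10:30.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# Extended ACL hits: P = tcp/udp with ports, DP = icmp with type/code,
# NP = other IP protocols identified by number. Layout is an assumption
# based on the common IOS form; releases that add fields need a wider pattern.
EXTENDED = re.compile(
    rf"%SEC-6-IPACCESSLOG(?:P|DP|NP): list (?P<acl>\S+) (?P<action>denied|permitted) "
    rf"(?P<proto>\S+) (?P<src>{IP})(?:\((?P<sport>\d+)\))? -> "
    rf"(?P<dst>{IP})(?:\((?P<dport>\d+)\))?.*?, (?P<count>\d+) packets?"
)

# Standard ACL hits (for example an ACL applied to SNMP) carry only the source.
STANDARD = re.compile(
    rf"%SEC-6-IPACCESSLOGS: list (?P<acl>\S+) (?P<action>denied|permitted) "
    rf"(?P<src>{IP}) (?P<count>\d+) packets?"
)


def parse_acl_hits(text):
    """Return one dict per ACL log message found in the text."""
    hits = []
    for line in text.splitlines():
        m = EXTENDED.search(line) or STANDARD.search(line)
        if m:
            hit = m.groupdict()
            hit["count"] = int(hit["count"])
            hits.append(hit)
    return hits


def denied_by_source(hits):
    """Total denied packets per (ACL name, source address)."""
    totals = Counter()
    for h in hits:
        if h["action"] == "denied":
            totals[(h["acl"], h["src"])] += h["count"]
    return totals


if __name__ == "__main__":
    ranked = denied_by_source(parse_acl_hits(SAMPLE_LOG)).most_common()
    for (acl, src), packets in ranked:
        print(f"list {acl}: {src} denied {packets} packet(s)")
```

ACL log messages are rate-limited and aggregated by the device, so the packet counts are a lower bound rather than an exact total.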

  • How to manage large access-lists on FWSM

    Team, I have a rather large access-list in one of my firewalls and was wondering if anyone has any rules of thumb to go by when building complex access lists. I currently use object groups, but what is a good rule for ACLs with servers, users and different needs for access?

    We use object-groups as well. We typically create an object for source servers (if more than 1), the ports (if more than 1 or 2) and another group for destination server(s). We have a very restrictive security policy so each rule must be specific. I think it makes it hard to see what the ACLs really do, but it shortens the config.
    Hope that helps.

  • How many computers can be written into the access list?

    I remember the old ABS allowed pretty many computers, much over the normal amount of 20. Does anybody know how many computers can be written into the new ABSE n?

    Please be aware that MAC address filtering (access control) provides no security at all. All of the wireless traffic is sent unencrypted allowing anyone monitoring it to read your data.
    MAC address filtering ONLY prevents unlisted MAC addresses from connecting to your base station. However the MAC addresses are broadcast between connected clients and the base station. Therefore anyone monitoring your wireless traffic can learn the allowed MAC addresses. After they learn an allowed MAC address, they can clone that address and connect to your base station.

  • Access List and Conflict Resolution Problem!

    My configuration for Allow and Deny is not allowing me to load images and CSS files through the gateway on a URLScraper channel.
    I'm trying to figure out how to control access to resources using the Access List service, and I'm running into trouble. The Sun ONE Portal Server, Secure Remote Access 6.0 Administrator's Guide (Doc 816-6421-10) states:
    Setting the Conflict Resolution Level
    You can set the priority level for the dynamic attributes. If a user inherits multiple attribute templates, say from an organization and a role assignment, and there is a template conflict between the attributes in the two templates, the template with the highest priority is inherited. There are seven settings available ranging from Highest to Lowest.
    See the Administration Guide, iPlanet Directory Server Access Management Edition for more details on conflict resolution.
    Unfortunately the referenced Administration Guide for DSAME contains exactly 0 occurrences of the word "conflict" in its 136 pages, so that reference was less than helpful. Chapter 17 of that document (Doc 816-5620-10) describes URL Policy Agent Attributes, which sheds some light on what the URL Deny and URL Allow settings mean. The key sentence is, "An empty Deny list will allow only those resources that are allowed by the Allow list."
    So, I've set up my Access List services as follows:
    o URL Deny is blank on all Access Lists
    o URL Allow set as follows
    ---- isp
    ------- http://portal.acme.com/portal/* (company name changed to protect the guilty!)
    ---- acme.com organization
    ------- Conflict Resolution: Highest
    ------- http://portal.acme.com/portal/* (same as above)
    ---- Acme Customers Role - shared role for all Acme customers
    ------- Conflict Resolution: Medium
    ------- http://www.acme.com/*
    ------- http://support.acme.com/*
    ------- http://support2.acme.com/*
    ---- RoadRunner role - specific role for a specific customer
    ------- Conflict Resolution: Medium
    ------- http://roadrunnerinfo.acme.com/*
    The Desktop services in each of the above two roles includes channels from the hosts in the URL Allow lists.
    The behavior I'm seeing with this configuration is that the desktop channels include information from the scraped HTML, and the URLs are rewritten for the included images and CSS files and such. However, the gateway is denying access to the images referenced by the rewritten URL. That is, an image with a URL of https://portal.acme.com/http://roadrunnerinfo.acme.com/images/green.gif shows up as a broken image on the desktop. Attempting to access the URL to the image directly results in an "Access to this resource is denied !! Contact your administrator" error message.
    Setting the conflict resolution on the acme.corp organization to Medium (or anything lower than the two role conflict resolution levels) results in the same error message as soon as the customer logs in (no desktop rendered). The same error occurs if I set the conflict resolution in the two roles to Highest (same as the top level organization), again with no desktop rendered on login.
    If I put all the above referenced URLs in the acme.com organization Access List service, then I am successfully able to fetch all the resources (images, CSS, etc.) in the URLScraper HTML. Likewise if I put "*" in that Access List. However, this is less than ideal, as it would potentially allow other customers to view data that isn't theirs (Wile E. Coyote user should not be able to get to Road Runner data, and vice versa, and neither one of them should get at Acme private information!).
    So, what am I doing wrong? Also, does anyone have any leads on where I can read up on how Access Lists and conflict resolution are supposed to work, since Sun neglected to include a valid reference in the Administrator's Guide, Portal Server 6.0 SRA?
    Thanks!
    -matt

    Did you ever get anywhere with this? My experiments seem to indicate that you cannot successfully combine Access and Deny directives, across roles or organizational defaults and a role.

  • Where is the Enable RESTful Access List?

    Hello,
    I am trying to expose a report in my application as a RESTful web service. I am following this guide here: http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDDBGAI
    The instructions are:
    On the Workspace home page, click Application Builder.
    Select an application.
    Application Builder appears.
    Select the page that contains the report you want to enable.
    The Page Definition appears.
    Under Regions, click the name of the region that contains the report you want to enable.
    Under Attributes, enter a value for Static ID field. This value is used to access the report RESTfully.
    From the Enable RESTful Access List, select Yes.
    Click Apply Changes.
    I am not sure where I can get this "Enable RESTful Access List", it is not in my region attributes or in my page attributes. Could someone kindly point out where I can get it?
    I am using APEX 4.2
    Cheers.

    Hi William,
    That's great you're up and running now. So now you've managed to expose your Report region as a RESTful Service. I think you might find it useful to read through the section Understanding Web Service References in the same chapter - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#BABDCIBH - as it explains the various references that can be created. In your case, your Web Service reference is based on the RESTful style, and not on a Web Services Description Language (WSDL) document. If you read through the section Accessing a RESTful Enabled Report Region from a Web Service Client - http://docs.oracle.com/cd/E23903_01/doc/doc.41/e21674/advnc_web_services.htm#CHDEHFJI - the apex_rest service API can be used to discover available RESTful enabled reports for a given application. Its response is an XML document with a description of all reports that can be accessed by RESTful Web services.
    I hope this helps.
    Regards,
    Hilary

  • WAAS and SNMP access-list

    I am using 4.1.1c (build b16) and testing restricting access to the SNMP MIBs. We are running inline with a separate interface for mgmt (gi1/0), with an SNMP access-list defined and snmp-server access-list set.
    snmp-server community public
    snmp-server access-list SNMP
    ip access-list standard SNMP
    permit 10.10.10.2
    When I walk the MIB from 10.10.10.2 and then look at the ACL, it doesn't show any access.
    CM#sh ip access-list SNMP
    Standard IP access list SNMP
    1 permit 10.10.10.2
    (implicit deny any: 0 matches)
    total invocations: 0

    To define an IP ACL from the CLI, you can use the ip access-list global configuration command, and to apply the IP ACL to an interface on the WAAS device, you can use the ip access-group interface configuration command. To configure the use of an IP ACL for SNMP, you can use the snmp-server access-list global configuration command. To specify an IP ACL that the WAE applies to the inbound WCCP GRE encapsulated traffic that it receives, you can use the wccp access-list global configuration command.

  • BGP with access lists

    Hello,
    Can someone explain to me why we use access lists in an MPLS cloud that uses IBGP? I thought for the most part access lists were used on firewalls, not routers running BGP. Do we even need access lists with BGP? Can't BGP work without access lists? What are the reasons for having access lists on a router for IBGP on an MPLS cloud?
    Thanks,

    The only way to get access to your network is if the ISP misconfigures so that another company gets access to your IP networks by mistake or that someone gets access to a PC on the inside and can reach the networks from there. It could happen if someone accidentally downloads an e-mail attachment or something like that.
    It all depends on how critical the traffic is. If it's a bank there could be regulations in place that demand that all traffic is encrypted even if it is supposed to be private. If you compare it to a leased line, it's also secure as long as someone doesn't get access to it. So MPLS is like a virtual leased line in comparison.
    Daniel Dib
    CCIE #37149
    Please rate helpful posts.

  • We can figure this standard access list

    We can figure this standard access list that's important remember that we use a standard access list  want to block all traffic or permit all traffic from a particular
    source or destination let's take a look at this machine right here   that  is IP address say
    640-554 we want to stop him from going into the Ethernet interface I'm the ad man he made me midsummer block callers traffic he can get out anymore maybe this is even the internet out
    here we know people like their Internet access so to get back at them I'm a block it what I can do is I can use deny statement in my access list access list
    one did not .
    http://640-554cisco.com/

    Hi Suresh,
    ad 1) according to the documentation ( http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIHJAH )
    "At least one of the following must be true for a user to be granted a particular permission:
    The user's name appears in the xClbraUserList metadata field with the appropriate permission.
    The user belongs to a group that appears in the xClbraAliasList metadata field with the appropriate permission.
    The user is part of an Enterprise role that appears in the xClbraRoleList metadata field with the appropriate permission."
    meaning that OOTB a user will be granted both Read permission as per user-granted permissions and RWD as per group-granted permissions (resulting in RWD because at the same level a union operation is used).
    I'd say that conceptually, the group assignment should not be used in your use-case, because you don't want to assign permissions to group's users, do you? You could create new groups, or use assignment of permissions per user.
    ad 2) check this: http://docs.oracle.com/cd/E28280_01/doc.1111/e26692/securityacls.htm#BEIIDCGD
    Using ACLs, whether User or Group Access Lists, always impacts performance. And it is difficult to maintain. From the information at the link you may understand how it is implemented - basically, the execution of the query will be affected by: a) how many items have to be evaluated b) the length of strings (xClbraUserList, xClbraAliasList) to be evaluated.

  • Cisco ASR 1002- performance issue due to access list

    Hi,
    We are planning to implement an inbound access-list to block subnets from a particular country. Since the subnets are not contiguous, we have about 16000 lines of ACL entries.
    I want to know, would there be any performance or latency issues after applying 16k lines of ACL?
    Is there a good document where I can read more about ACL limitations and performance issues on ASR?
    This is for ASR1002, running IOS-XE 15.3(1)S1.
    Thanks

    Sorry, I don't know the answer to your questions, but I'm writing to mention a 7200 feature, that if supported on the ASR, might help in your situation.  See http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#turbo

  • ASA 5505 version 9.1 in extended access-list I can add interface name as destination??

    Hi All,
    I'm adding extended ACL on the ASA 5505 version 9.1 and found that in the source or destination field I can specify interface name instead of object, host/network but can't find it documented anywhere and what is the behavior of that?
    access-list VOICE_IN extended permit ip object obj-VOICE-LAN interface OUTSIDE
    Is it matching the egress interface or what?

    Use the interface name rather than IP address to match traffic based
    on which interface is the source or destination of the traffic. You must
    specify the interface keyword instead of specifying the actual IP
    address in the ACL when the traffic source is a device interface. For
    example, you can use this option to block certain remote IP addresses
    from initiating a VPN session to the ASA by blocking ISAKMP. Any
    traffic originated from or destined to the ASA, itself, requires that you
    use the access-group command with the control-plane keyword.

  • I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list.

    I have a 3rd generation iPod Touch and just did the update to IOS 5. Now I can't connect to my Netgear wifi router. My iPhone connects fine along with all of my other laptops etc. I have the router set with WPA-PSK [TKIP] security and an access list. I've confirmed the MAC address is included on that list and that the password is correct. Under choose network I select the network and it just goes into a spin. I have tried removing the password and the access list settings and it still will not complete the connection to the router, thus no internet access. The router's firmware is also up to date. This thing worked fine before this update and I've already tried to restore from backup. Any ideas, or is the wifi NIC bad in this thing with the new Apple firmware update? Any fix?

    Thanks Bob, I don't know why but it all of a sudden worked a few days later. It's a mystery but at least problem solved.

  • I can no longer access listing variations in Ebay after the upgrade

    After upgrading my Firefox on 3.01.2012 I can no longer access listing variations or change prices on these Ebay listings. Other edits within the site seem unaffected.

    Well, just imported all of my settings into Google Chrome. Been nice knowing you Firefox.

  • I have edit access to someone else's calendar.  In iCloud I can add an event to this calendar.  In My calendar on my Mac I can see the calendar in the list, but when I try to add an event to this calendar, it is not avail from the list in event to select

    I have edit access to someone else's calendar.  In iCloud I can add an event to this calendar.  In My calendar on my Mac I can see the calendar in the list, but when I try to add an event to this calendar, it is not avail from the list in event to select.  Any help appreciated.  Thanks

    Hi Chris,
    You can't get rid of an alert. The least you can have is one that says "none".
    Nevermind, I see you learned how to edit the event.

  • How many MAC-Address entries can an access-list (AIR1200) handle

    Hi all
    I got a couple of AP1231G access points with a MAC filter configured.
    Now I'm curious if the access-list has a maximum MAC address limitation.
    At the moment there are about 130 MAC addresses and a couple of clients sometimes have trouble getting connected.
    Any hints?
    Thanks,
    Norbert

    I was referring to the autonomous AP database size.
    The default size of the database for the controller is different depending on version.
