What is CLISA?
CLISA is a syslog analyzer designed to help network administrators identify blocks (Deny entries) that have occurred on Cisco PIX firewalls.
I wrote CLISA for my own personal use, as I look after a lot of PIX firewalls, and one of the first things that needs to be done before opening a port for someone is to identify whether they are being blocked by the firewall in the first place. Often the reason a user is not able to connect to a particular resource is routing, IP address issues, subnet mask, default gateway, and of course the fact that the port is not even open on the destination machine.
Trying to look through hundreds of MB of syslog data is tiresome and certainly not fun. Granted, there are tons of products on the market designed to monitor and analyze syslog messages, but most of them didn't give me the results I was looking for, or the products were relatively expensive. It was at this point that CLISA was born with version 1.0.0, and over time new features and functions have been included.
What does CLISA do?
CLISA reads through your entire syslog file looking for the information you have specified in the query. It then gives you the result in summary format, showing how many times each matching DENY event has occurred on the PIX firewall you have chosen to analyze. You can then ask for a full report, which shows each and every occurrence of a deny matching your query, with its timestamp.
What is required to run CLISA?
CLISA is designed to run on a Windows platform and was written almost entirely in batch script. There are not many requirements, but failure to meet any of the ones below will result in CLISA not running, or not returning the desired results.
1/ The syslog file must be in Kiwi's "ISO yyyy-mm-dd (Tab delimited)" format or equivalent.
2/ Your PIX firewall must timestamp the events it logs.
3/ Your syslog server must NOT strip off the Cisco timestamp (CLISA reports the time the firewall recorded, not the time the syslog server received the message).
4/ An Internet connection is required.*
5/ A Windows-based O/S.**
* CLISA is freeware and I don't ever intend to charge for it. The only thing I request is that when CLISA is run, a small file (less than 5 bytes, which is less data than ping uses by default) is downloaded from my website. This is for two reasons:
1/ For me to identify how many times CLISA is used, so I don't waste my time adding updates that people "might" want if no one is using it in the first place.
2/ The file contains the current version number of CLISA, and CLISA will notify you if a new version is available for download.
At NO time will CLISA send any data whatsoever to anyone, EVER! So you can rest assured that your data and records in your syslog files are safe and secure. Note that the download request itself, like any web request, does disclose the downloading host's public IP address and the time of the run to the web server (that is what reason 1 above relies on), so run CLISA from a host for which that outbound connection is acceptable.
** CLISA has currently been tested on the following Windows operating systems:
– Windows XP
– Windows 2000
– Windows 2003
– Windows Vista
– Windows 7
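As an added illustration of the query described under "What does CLISA do?" and of the input format in requirements 1 to 3 (this is example Python written for this page, not CLISA's own batch code), the script below reads a constructed handful of Kiwi ISO tab-delimited syslog lines, keeps only PIX deny messages from the chosen firewall IP (ACL denies of the %PIX-4-106023 kind and connection denies of the %PIX-2-106001 kind), applies an optional source/destination/port/protocol filter, and produces both the summary with hit counts and the full per-event report. The Kiwi column order, the exact shape of the PIX timestamp prefix, the sample addresses and the sample message text are assumptions made for this example; the last sample line deliberately has its Cisco timestamp stripped to show how requirement 3 is detected.

```python
import re
from collections import Counter

# Constructed sample of a Kiwi "ISO yyyy-mm-dd (Tab delimited)" syslog file.
# Assumed column order: date, time, priority, source host, message. The
# "Mar 12 2009 14:03:21: " prefix inside the message is the PIX's own
# timestamp (requirement 2); the last line has it stripped (requirement 3).
SAMPLE_SYSLOG = "\n".join([
    '2009-03-12\t14:03:21\tLocal4.Warning\t192.168.1.1\tMar 12 2009 14:03:21: %PIX-4-106023: Deny tcp src inside:10.1.1.25/51234 dst dmz:10.2.2.10/443 by access-group "inside_access_in" [0x0, 0x0]',
    '2009-03-12\t14:03:24\tLocal4.Warning\t192.168.1.1\tMar 12 2009 14:03:24: %PIX-4-106023: Deny tcp src inside:10.1.1.25/51235 dst dmz:10.2.2.10/443 by access-group "inside_access_in" [0x0, 0x0]',
    '2009-03-12\t14:03:30\tLocal4.Warning\t192.168.1.1\tMar 12 2009 14:03:30: %PIX-4-106023: Deny udp src inside:10.1.1.25/53011 dst dmz:10.2.2.10/53 by access-group "inside_access_in" [0x0, 0x0]',
    '2009-03-12\t14:04:02\tLocal4.Critical\t192.168.1.1\tMar 12 2009 14:04:02: %PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/4444 to 192.0.2.5/22 flags SYN on interface outside',
    '2009-03-12\t14:04:10\tLocal4.Info\t192.168.1.1\tMar 12 2009 14:04:10: %PIX-6-302013: Built outbound TCP connection 8801 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:10.1.1.25/51240 (192.0.2.5/1025)',
    '2009-03-12\t14:04:15\tLocal4.Warning\t192.168.1.2\tMar 12 2009 14:04:15: %PIX-4-106023: Deny tcp src inside:10.1.1.25/51300 dst dmz:10.2.2.10/443 by access-group "inside_access_in" [0x0, 0x0]',
    '2009-03-12\t14:04:20\tLocal4.Warning\t192.168.1.1\t%PIX-4-106023: Deny tcp src inside:10.1.1.30/52000 dst dmz:10.2.2.10/443 by access-group "inside_access_in" [0x0, 0x0]',
])

# Cisco timestamp prefix that "logging timestamp" on the PIX adds (assumed shape).
PIX_TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): ")
PIX_MSG_RE = re.compile(r"%PIX-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")
IP = r"\d+(?:\.\d+){3}"
# 106023-style ACL deny: "Deny tcp src inside:10.1.1.25/51234 dst dmz:10.2.2.10/443 ..."
DENY_ACL_RE = re.compile(
    rf"Deny (?:inbound |outbound )?(?P<proto>\w+) src \S+?:(?P<src>{IP})(?:/(?P<sport>\d+))?"
    rf" dst \S+?:(?P<dst>{IP})(?:/(?P<dport>\d+))?")
# 106001-style connection deny: "Inbound TCP connection denied from A/p to B/q ..."
DENY_CONN_RE = re.compile(
    rf"(?:Inbound|Outbound) (?P<proto>\w+) connection denied from (?P<src>{IP})/(?P<sport>\d+)"
    rf" to (?P<dst>{IP})/(?P<dport>\d+)")


def parse_kiwi_line(line):
    """Split one Kiwi ISO tab-delimited line into its columns; None if malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 5:
        return None
    date, time_, priority, source = parts[:4]
    return {"date": date, "time": time_, "priority": priority,
            "source": source, "message": "\t".join(parts[4:])}


def extract_deny(message):
    """Return a dict describing the deny event in a PIX message, or None if it is not a deny."""
    pix_ts = None
    m = PIX_TS_RE.match(message)
    if m:                       # firewall timestamp present (requirements 2 and 3 satisfied)
        pix_ts = m.group("ts")
        message = message[m.end():]
    pm = PIX_MSG_RE.search(message)
    if not pm:
        return None
    for rx in (DENY_ACL_RE, DENY_CONN_RE):
        dm = rx.search(pm.group("text"))
        if dm:
            return {"pix_ts": pix_ts, "msgid": pm.group("msgid"),
                    "proto": dm.group("proto").lower(), "src": dm.group("src"),
                    "dst": dm.group("dst"),
                    "dport": int(dm.group("dport")) if dm.group("dport") else None}
    return None


def analyze(syslog_text, firewall_ip, src=None, dst=None, dport=None, proto=None):
    """Run a CLISA-style query: (summary Counter keyed by flow, full per-event list)."""
    summary, full = Counter(), []
    for line in syslog_text.splitlines():
        rec = parse_kiwi_line(line)
        if rec is None or rec["source"] != firewall_ip:
            continue
        ev = extract_deny(rec["message"])
        if ev is None:
            continue
        if (src and ev["src"] != src) or (dst and ev["dst"] != dst) \
                or (dport and ev["dport"] != dport) or (proto and ev["proto"] != proto):
            continue
        key = (ev["proto"], ev["src"], ev["dst"], ev["dport"])
        summary[key] += 1
        # Prefer the firewall's own clock; fall back to the syslog server's receive
        # time and say so, since that is exactly the case requirement 3 warns about.
        when = ev["pix_ts"] or f"{rec['date']} {rec['time']} (syslog receive time)"
        full.append((when, ev["msgid"], key))
    return summary, full


if __name__ == "__main__":
    # Question CLISA is built to answer: is anything being denied to 10.2.2.10:443 on firewall 192.168.1.1?
    summary, full = analyze(SAMPLE_SYSLOG, "192.168.1.1", dst="10.2.2.10", dport=443)
    print("Summary (hit count):")
    for (p, s, d, dp), hits in summary.most_common():
        print(f"  {hits:>4}  {p} {s} -> {d}/{dp}")
    print("Full report:")
    for when, msgid, (p, s, d, dp) in full:
        print(f"  {when}  {msgid}  {p} {s} -> {d}/{dp}")
```

The summary is what tells you at a glance that 10.1.1.25 has been denied twice and 10.1.1.30 once on the port in question, and the full report is what you hand to the requester to prove it; the "(syslog receive time)" marker on the last event is the signal that the syslog server, not the firewall, supplied that time, which is the situation CLISA itself refuses to work with.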
What features does CLISA have?
1/ Analyzes PIX syslog files for Deny statements
2/ Summarizes events for easy identification of blocks and denies (with hit count)
3/ Full queries to show each block and deny that has occurred, with timestamp
4/ Saves summary and full queries to file
5/ E-mails summary and full queries
6/ Supports up to 10 PIX firewall IP addresses to be analyzed
In all of our tests, results were produced from a 515 MB syslog file in between 25 and 45 seconds, depending on which option was selected for analysis.
What has changed in each version?
v1.1.0 – First release
v1.2.0 – Added e-mail support
– Added save feature for queries
v1.3.0 – Increased speed of queries (60% faster)
v1.4.0 – Now supports 10 firewalls