I'm not very familiar with firewall log files, or many of the terms involved in server connections. The lines in question involve a foreign, unauthorized IP interacting with a firewall (Cisco ASA 5520) over several months. What generally do the following terms deal with: FINs, Failover primary close, SYN Timeout, FIN Timeout, Teardown TCP connection, Deny tcp src? And does "Built inbound/outbound connection" actually mean that the IP address was successful in passing through the firewall, or just that it is part of the whole 'handshake' phase of connections (I suspect the latter but I'd like to be safe)? Some sample lines from the log file would be:
Teardown TCP connection for outside:* to webservers:* duration * TCP FINs
Teardown TCP connection for outside:* to webservers:* duration * Failover primary close
Teardown TCP connection for outside:* to filtering:* duration * SYN Timeout
Built inbound TCP connection for outside:* to webservers:*
Built outbound TCP connection for outside:* to filtering:*
Built inbound TCP connection for outside:* to public:*
Deny tcp src outside:* dst public:* by access-group "outside"
Inbound TCP connection denied from * to * flags SYN on interface outside
Teardown TCP connection for outside:* to public:* duration * FIN Timeout
If anybody could point me in the right direction or provide any help, I would very much appreciate it. I'm just looking for that first leg up onto figuring this thing out. Thanks!
Best Answer
"Your questions should be reasonably scoped. If you can imagine an entire book that answers your question, you’re asking too much."
The information below might help you along, but understanding the "why", and having the experience to know what is taking place, is going to be crucial in determining whether the traffic is legitimate or not.
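As an added worked example (editor's code, not part of the question or of the answer above): a small Python script that reads Cisco ASA connection log lines like the ones quoted in the question, pairs each "Built" message with its "Teardown" by connection ID, and turns the teardown reason into a verdict on whether the remote host actually got a session through the firewall. It assumes the standard ASA 302013/302014/106023/106001 message layouts; the sample lines are constructed, use RFC 5737 documentation addresses, and their connection IDs, ports and byte counts are made up. The point it encodes: a "Built" line only records that the ASA permitted the initial SYN and created a connection entry (this is logged before any handshake completes), so the matching "Teardown" decides the outcome: "TCP FINs" or "FIN Timeout" can only occur on an established session, "SYN Timeout" means the handshake never completed and no data passed, and "Failover primary closed" says nothing either way. "Deny ... by access-group" and "Inbound TCP connection denied" never reach the Built stage at all.

```python
"""Pair ASA Built/Teardown lines and judge whether a session really got through."""
import re
from typing import Dict, List

# Standard ASA layouts for 302013 (Built), 302014 (Teardown), 106023 (Deny by
# access-group) and 106001 (Inbound denied). Assumption: ASA 8.x/9.x formats;
# any other message is ignored.
BUILT_RE = re.compile(
    r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) \S+ to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn_id>\d+) for "
    r"(?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<duration>\S+) bytes (?P<nbytes>\d+) (?P<reason>.+)$"
)
DENY_ACL_RE = re.compile(
    r"Deny (?P<proto>\w+) src (?P<src_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r'dst (?P<dst_if>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"'
)
DENY_INBOUND_RE = re.compile(
    r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)


def classify_reason(reason: str, nbytes: int) -> str:
    """Translate a Teardown reason into what it says about the session."""
    reason = reason.strip()
    if reason in ("TCP FINs", "FIN Timeout"):
        return "established"        # a FIN only exists on an established connection
    if reason.startswith("SYN Timeout"):
        return "never-established"  # SYN permitted, handshake never finished (default 30 s)
    if reason.startswith("Failover"):
        return "indeterminate"      # entry removed by failover processing, not by the peer
    if reason.startswith("TCP Reset"):
        return "established" if nbytes > 0 else "refused"  # RST answering the SYN moves no data
    return "unknown:" + reason


def analyze(log_text: str):
    """Correlate Built/Teardown by connection ID; collect denials separately.

    A Built with no Teardown in the window stays 'still-open': on its own it
    proves only that the ACL permitted the SYN.
    """
    flows: Dict[str, dict] = {}
    denials: List[dict] = []
    for line in log_text.splitlines():
        m = BUILT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["verdict"] = "still-open"
            flows[rec["conn_id"]] = rec
            continue
        m = TEARDOWN_RE.search(line)
        if m:
            t = m.groupdict()
            flow = flows.setdefault(t["conn_id"], {"conn_id": t["conn_id"], "direction": "?"})
            flow.update(src=t["src"], sport=t["sport"], dst_if=t["dst_if"], dst=t["dst"],
                        dport=t["dport"], duration=t["duration"], nbytes=int(t["nbytes"]),
                        reason=t["reason"].strip())
            flow["verdict"] = classify_reason(flow["reason"], flow["nbytes"])
            continue
        m = DENY_ACL_RE.search(line) or DENY_INBOUND_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["verdict"] = "denied"  # dropped before any connection entry was built
            denials.append(rec)
    return flows, denials


def summarize_by_source(log_text: str) -> Dict[str, Dict[str, int]]:
    """Per remote IP, count connections by verdict: the per-attacker view."""
    flows, denials = analyze(log_text)
    out: Dict[str, Dict[str, int]] = {}
    for rec in list(flows.values()) + denials:
        bucket = out.setdefault(rec["src"], {})
        bucket[rec["verdict"]] = bucket.get(rec["verdict"], 0) + 1
    return out


# Constructed sample log (RFC 5737 addresses; IDs, ports and byte counts made up).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51000 (203.0.113.5/51000) to webservers:192.0.2.10/80 (198.51.100.10/80)
%ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/51000 to webservers:192.0.2.10/80 duration 0:00:02 bytes 4312 TCP FINs
%ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.5/51001 (203.0.113.5/51001) to filtering:192.0.2.20/25 (198.51.100.20/25)
%ASA-6-302014: Teardown TCP connection 1002 for outside:203.0.113.5/51001 to filtering:192.0.2.20/25 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.5/51002 (203.0.113.5/51002) to public:192.0.2.30/443 (198.51.100.30/443)
%ASA-6-302014: Teardown TCP connection 1003 for outside:203.0.113.5/51002 to public:192.0.2.30/443 duration 0:15:01 bytes 912 FIN Timeout
%ASA-6-302013: Built inbound TCP connection 1004 for outside:203.0.113.5/51005 (203.0.113.5/51005) to webservers:192.0.2.10/80 (198.51.100.10/80)
%ASA-6-302014: Teardown TCP connection 1004 for outside:203.0.113.5/51005 to webservers:192.0.2.10/80 duration 0:00:01 bytes 0 Failover primary closed
%ASA-4-106023: Deny tcp src outside:203.0.113.5/51003 dst public:192.0.2.30/22 by access-group "outside" [0x0, 0x0]
%ASA-2-106001: Inbound TCP connection denied from 203.0.113.5/51004 to 198.51.100.30/3389 flags SYN on interface outside
%ASA-6-302013: Built inbound TCP connection 1005 for outside:203.0.113.9/40000 (203.0.113.9/40000) to webservers:192.0.2.10/80 (198.51.100.10/80)
"""

if __name__ == "__main__":
    for ip, counts in summarize_by_source(SAMPLE_LOG).items():
        print(ip, counts)
```

On the sample, 203.0.113.5 ends up with two established sessions (the web and HTTPS hits that closed with FINs or a FIN timeout), one never-established attempt (the SYN timeout on port 25), one indeterminate failover teardown and two outright denials, while 203.0.113.9 has a Built with no Teardown yet. Run the same script over a real export and look for sources whose "established" count is non-zero on ports they have no business reaching; a long list of "denied" and "never-established" alone is noisy but did not get through.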