net report configuration guide for cisco pix...


  • 1/62 Copyright © 2004 Net Report. All rights reserved. http://www.net-report.net

    Net Report Cisco PIX Configuration Guide

    for Cisco PIX Firewalls Versions 6.2 and 6.3


    Table of Contents

    About This Document .... 4
      Purpose .... 4
      Technical Specifications .... 4
      Audience .... 4
      Related Information .... 4
      Key Configuration Rules .... 4
      Two Configuration Solutions to Choose Between .... 6
      Net Report and Cisco Version-Specific Information .... 6

    Section 1: Introducing General Required Configuration Guidelines .... 7
      1.1. General Guidelines for Configuring Cisco PIX for Net Report .... 7
      1.2. Listing Cisco PIX Messages Treated by Net Report .... 13
      1.3. Reading Cisco PIX and Catalyst System Log Messages .... 14
      1.4. Syslog Messages for Cisco PIX .... 16
      1.5. Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3 .... 17
      1.6. Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3 .... 20

    Section 2: Configuration Solution 1: Suppressing Syslog IDs .... 21
      2.1. Introduction .... 21
      2.2. Launching Cisco PIX Device Manager 3.0 .... 22
      2.3. Selecting Syslog Messages for Suppression .... 23
      2.4. Suppressing Syslog Messages .... 26
      2.5. Viewing Syslog IDs Suppressed via the Command Line Interface .... 28
      2.6. Including Timestamp & Modifying Advanced Syslog Configuration .... 30
      2.7. Viewing The Advanced Syslog Configuration Modifications .... 33

    Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages’ Levels .... 35
      3.1. Modifying Net Report Treated Messages’ Level via PIX Device Manager .... 36
      3.2. Viewing The Syslog Messages’ Level Modifications .... 39
      3.3. Modifying Syslog Severity Level Threshold, Including Timestamp & IP .... 41
      3.4. Viewing The Severity Threshold & Timestamp Modifications .... 44

    Appendices .... 46

    Appendix A .... 48
      A.1 Introduction .... 48
      A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and 6.3 .... 48
      A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and 2.3 .... 49

    Appendix B .... 61
      B.1 Introduction .... 61
      B.2 Error Messages Specific to Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 & 2.3 .... 61

    Contacting Net Report .... 62


    About This Document

    Purpose

    This Net Report Cisco PIX Configuration Guide explains how to configure Cisco PIX Firewalls Versions 6.2 and 6.3 and Cisco Catalyst versions 2.2 and 2.3 for Net Report.

    Note: this document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3.

    Technical Specifications

    The guidelines given in this document are applicable to the Cisco PIX Device Manager (PDM) version 3.0. The Cisco PIX Device Manager is a browser-based configuration tool designed to help you set up, configure and monitor your PIX Firewall graphically.

    Audience

    This document addresses both basic and advanced Net Report users. This Guide is also written for System Administrators who are responsible for maintaining network security. It assumes you have a basic understanding and a working knowledge of:

    • Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3.

    • System Administration.

    • Unix or Windows Operating Systems.

    • Windows GUI.

    • Internet protocols (IP, TCP, UDP and so on).

    Related Information

    Please read the following documents which are related to Net Report’s technical documentation:

    Copyright Notice:

    http://www.net-report.net/downloads/WebDoc/Copyright/Net_Report_Copyright_Notice.pdf

    Code and Icon Conventions:

    http://www.net-report.net/downloads/WebDoc/Conventions/Net_Report_Code_and_Icon_Conventions.pdf

    Online Help:

    http://www.net-report.net/us/support/sup_userhelp.html

    Troubleshooting:

    http://www.net-report.net/us/OurDocuments/NRFAQs.htm

    Glossary:

    http://www.net-report.net/knowledgebase/UserHelp/16_Net_Report_Glossary/Net_Report_Glossary_2.0.1.htm

    Key Configuration Rules


    For Net Report to treat your Syslog Messages and Flat Files, please note the following general key points:

    1. It is mandatory to check the Include Timestamp check box in the PIX Device Manager, to ensure that the Timestamp (date and time) is added to the beginning of each message.

    2. If you want Net Report to analyze the Flat File, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. For example, here are two logs generated via Kiwi:

    a. The first log is written with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses the Syslog message itself, that is, everything from the PIX Timestamp onwards (shown in bold in the original document): 2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside

    b. The second log is written with the format Comma Separated Values UTC yyyy-mm-dd (CSV). Net Report parses the Syslog message itself (shown in bold in the original document): 2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 192.168.1.1 : %PIX-6-302013: Built outbound TCP connection 8893 for outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 (192.168.0.84/2902)


    Two Configuration Solutions to Choose Between

    This document explains how to reduce the number of Syslog (System Log) messages written in the Flat Files parsed by Net Report to avoid a potential loss of information.

    Note: if you want Net Report to treat your Syslog Messages directly then you do not necessarily need to apply either Configuration Solution 1 or 2. However, doing so will improve the performance of Net Report’s treatment. The document proposes two Configuration Solutions. Please choose the solution which is the most appropriate for your company’s IT Security Policy:

    Configuration Solution 1: Reduce the Number of Syslog Messages Written in the Flat Files strictly to those which are treated by Net Report, via Cisco PIX Device Manager 3.0 (PDM).

    Configuration Solution 2: Specify the Severity Level Threshold and Modify Certain Messages’ Severity Levels in the Cisco PIX Device Manager 3.0. Setting the threshold to Level 3 indicates which Syslog messages can be sent to the flat file for treatment by Net Report: the PIX Firewall only sends messages of that level or lower (that is, more severe) to the output location, so a threshold of level 3 (error) sends severity level 1, 2 and 3 messages and nothing else. This limits the number of messages sent. However, any message treated by Net Report whose default severity level is higher (less severe) than the threshold would then no longer be sent, so you must lower its severity level to the threshold you defined to ensure that it reaches the output location. For example, a message treated by Net Report with a Logging level of 5 must be modified to Logging level 3.

    Important: if you want to use Cisco PIX with Oracle, please see: Knowledge Base Article 58.

    Net Report and Cisco Version-Specific Information

    This document applies to Syslog messages for Cisco PIX Firewall Version 6.2 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2, 2.3. Messages from versions prior to these versions are considered beyond the scope of this document and are not supported by Net Report 3.12 and later. Please read Section 1 before continuing with either Configuration Solution 1 or Configuration Solution 2.


    Section 1: Introducing General Required Configuration Guidelines

    1.1. General Guidelines for Configuring Cisco PIX for Net Report

    To configure Cisco PIX for Net Report it is important to note the following five essential configuration rules:

    1. Include the Syslog Message Timestamp.

    2. Parse Syslog Messages to Specific Flat File Formats.

    3. Reduce the Number of Syslog Messages Analyzed by Net Report.

    4. Associate an IP Address with a Hostname.

    5. Choose between Two Different Configuration Solutions.


    Five General Configuration Rules for Configuring Cisco PIX for Net Report

    1. Include the Syslog Message Timestamp: all System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address. Check the Include Timestamp check box in the PIX Device Manager. This adds the Timestamp prefix to the beginning of the Syslog message, indicating what time the event occurred.

    2. Export Syslog Messages to Specific Flat File Formats: if you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. For example, here are two logs generated via Kiwi:

    a. The first log is written with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited).

    b. Net Report parses the Syslog Message itself, that is, everything from the PIX Timestamp onwards (shown in bold, and in green font in the screen shot, in the original document): 2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside

    c. The second log is written with the format Comma Separated Values UTC yyyy-mm-dd (CSV). Net Report parses the Syslog message itself (shown in bold in the original document): 2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 192.168.1.1 : %PIX-6-302013: Built outbound TCP connection 8893 for outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 (192.168.0.84/2902)

    3. Reduce the Number of Syslog Messages Analyzed by Net Report: to improve performance, reduce the number of Syslog (System Log) messages written in the Flat Files parsed by Net Report; this also avoids a potential loss of information. This document presents two solutions for doing so.

    4. Associate an IP Address with a Hostname: certain Cisco PIX messages (notably Message 106023) provide a hostname for the source/destination (instead of an IP Address), which is associated with an IP Address in the PIX Device Manager. These messages must be modified to associate the Hostname with the IP Address to obtain the correct data for the Cisco PIX statistics. Net Report recommends either associating the hostname with the IP addresses defined in the PIX Device Manager, or activating and correctly defining the RDNS function (which associates an IP with a hostname) for the IP Addresses concerned. Please note the following example of the first solution we recommend, that is, associating a hostname with an IP Address via the PIX Device Manager:


    i. Select Configuration> Hosts/Networks in the PIX Device Manager.

    ii. Select inside: any> [IP] > [IP Address] in the left Hosts/Networks pane. Double-click the IP Address to modify. The Edit host/network dialog box appears.

    iii. Select the Basic information tab.

    iv. Enter the Hostname you want to associate with the IP Address in the Name (Recommended) field. In this example, your_hostname.

    v. Click OK. The Hostname appears to the left of the IP Address you modified in the left Hosts/Networks pane. In this example your_hostname [IP Address]


    5. Choose between Two Different Configuration Solutions: please note the information in Section 1 concerning the Cisco PIX messages treated by Net Report before moving on to choose either Configuration Solution 1 (see Section 2) or Configuration Solution 2 (see Section 3) to configure Cisco PIX for Net Report. Net Report treats a certain number of Syslog Messages; the list of these messages is included in this section. The exhaustive descriptions of each Syslog Message treated by Net Report are included at the end of this document.


    Two Syslog Message Configuration Solutions to Choose between

    The document proposes two solutions. Please choose the solution which is the most appropriate for your company’s IT Security Policy. Either:

    Solution 1: Reduce the number of Syslog Messages written in the flat files strictly to those which are treated by Net Report, via Cisco PIX Device Manager 3.0 (PDM). See Section 2.

    Or:

    Solution 2: Specify the severity level threshold and modify certain messages’ severity levels in the Cisco PIX Device Manager 3.0. Setting the threshold to Level 3 indicates which Syslog messages can be sent to the flat file for treatment by Net Report: the PIX Firewall only sends messages of that level or lower (that is, more severe) to the output location, so a threshold of level 3 (error) sends severity level 1, 2 and 3 messages and nothing else. This limits the number of messages sent. However, any message treated by Net Report whose default severity level is higher (less severe) than the threshold would then no longer be sent, so you must lower its severity level to the threshold you defined to ensure that it reaches the output location. For example, a message treated by Net Report with a Logging level of 5 must be modified to Logging level 3. See Section 3.


    1.2. Listing Cisco PIX Messages Treated by Net Report

    The System Log messages in this section apply to Cisco PIX Firewall Versions 6.2 and 6.3, Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3, and Net Report 3.12 and later. Please see Article 59 for the exhaustive list of Cisco PIX and Catalyst System Log messages supported by Net Report.

    Net Report supports the following System Log Messages:

    • System Log Messages specific to Cisco PIX Firewall Versions 6.2 and 6.3 (please see Section 1.1).

    • System Log Messages for both Cisco PIX Firewall Versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.2).

    • System Log Messages specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 (please see Section 1.3).

    Note: neither Cisco PIX nor the Cisco Firewall Services Module sends severity 0 (emergency) messages to Syslog. These are comparable to a UNIX panic message and indicate an unstable system.


    1.3. Reading Cisco PIX and Catalyst System Log Messages

    System log messages received at a Syslog server for treatment by Net Report begin with the Timestamp, followed by the Firewall IP Address and then a percent sign (%). The messages are structured as follows:

    [Timestamp] [Firewall_IP_Address]: %{PIX|FWSM}-Level-Message_number: message_text

    Timestamp: identifies the time the event occurred. For Net Report, you must check the Include Timestamp Check Box (select Configuration> Syslog Properties, then Logging> Syslog in the Categories pane and select the Include Timestamp).

    Firewall_IP_Address: identifies the Firewall IP Address. Please see the following sub-sections for more information.

    PIX: identifies the message facility code for messages generated by the PIX Firewall.

    FWSM: identifies the message facility code for messages generated by the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module System.

    Level: reflects the severity of the condition described by the message. The lower the number, the more severe the condition. Logging is set to level 3 (error) by default.

    Message_number: is the numeric code that uniquely identifies the message.

    message_text: is a text string describing the condition. This portion of the message sometimes includes IP addresses, port numbers or user names.

    Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 1.1).

    Note: if you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified. For example, here is a log generated via Kiwi.

    Flat File Format Example: the log is written with the format Kiwi Format ISO yyyy-mm-dd (Tab delimited). Net Report parses the Syslog message itself, that is, everything from the PIX Timestamp onwards (shown in bold in the original document): 2005-02-02 17:59:46 Local4.Info 192.168.1.1 Feb 02 2005 09:52:40: %PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 flags PSH ACK on interface inside
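    The message structure above and the two Kiwi flat-file formats from Section 1.1, as an added parser that is not part of the Net Report guide: it locates the Syslog message Net Report treats (everything from the PIX Timestamp onwards), splits out facility, level, message number and text, and rejects a line whose Timestamp prefix is missing. The two sample lines are the guide's own examples with the tab characters restored; the third line is constructed.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Added example (not code from the Net Report guide). It extracts the Syslog
# message Net Report treats from the two Kiwi flat-file formats the guide shows.
# PIX_TIMESTAMP matches the prefix that the PIX "Include Timestamp" option adds,
# e.g. "Feb 02 2005 09:52:40".
PIX_TIMESTAMP = r"[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Structure from Section 1.3:
#   [Timestamp] [Firewall_IP_Address]: %{PIX|FWSM}-Level-Message_number: message_text
# The firewall IP and the colon after the timestamp are both optional because
# the guide's two Kiwi examples differ in exactly those two places.
MESSAGE_RE = re.compile(
    rf"(?P<timestamp>{PIX_TIMESTAMP}):?\s*(?P<firewall_ip>{IPV4})?\s*:?\s*"
    r"%(?P<facility>PIX|FWSM)-(?P<level>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*?)\s*$"
)

# "from A/p to B/q" (106001, 106015, ...) and "for iface:A/p (...) to iface:B/q"
# (302013, ...): the two endpoints in the order the message text writes them.
ENDPOINT_RE = re.compile(
    rf"\b(?:from|for) (?:\w+:)?({IPV4})/(\d+).*? to (?:\w+:)?({IPV4})/(\d+)"
)

# Level keywords from the guide's Cisco PIX Level Description Table.
LEVEL_KEYWORDS = {1: "alert", 2: "critical", 3: "error", 4: "warning",
                  5: "notification", 6: "informational", 7: "debugging"}


class PixMessage(NamedTuple):
    kiwi_format: str            # "tab", "csv" or "none" (bare syslog line)
    timestamp: str              # PIX timestamp prefix (mandatory for Net Report)
    firewall_ip: Optional[str]  # present only when the firewall adds its IP
    facility: str               # "PIX" or "FWSM"
    level: int
    keyword: str
    msg_id: int
    text: str


def parse_line(line: str) -> Optional[PixMessage]:
    """Parse one flat-file line; return None when the PIX timestamp prefix or
    the %PIX/%FWSM header is missing, i.e. when Net Report could not treat it."""
    m = MESSAGE_RE.search(line)
    if m is None:
        return None
    kiwi_prefix = line[:m.start()]          # Kiwi's own date, facility, sender
    if "\t" in kiwi_prefix:
        fmt = "tab"                         # Kiwi Format ISO yyyy-mm-dd (Tab delimited)
    elif "," in kiwi_prefix:
        fmt = "csv"                         # Comma Separated Values UTC yyyy-mm-dd
    else:
        fmt = "none"
    level = int(m.group("level"))
    return PixMessage(fmt, m.group("timestamp"), m.group("firewall_ip"),
                      m.group("facility"), level, LEVEL_KEYWORDS[level],
                      int(m.group("msg_id")), m.group("text"))


def endpoints(msg: PixMessage) -> Optional[Tuple[str, int, str, int]]:
    """(first_ip, first_port, second_ip, second_port) as written in the text."""
    m = ENDPOINT_RE.search(msg.text)
    if m is None:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


# The guide's two Kiwi examples, with the tab characters of the tab-delimited
# format restored (the PDF rendered them as spaces).
KIWI_TAB_LINE = (
    "2005-02-02 17:59:46\tLocal4.Info\t192.168.1.1\tFeb 02 2005 09:52:40: "
    "%PIX-6-106015: Deny TCP (no connection) from 192.168.1.3/1206 "
    "to 192.168.0.201/1070 flags PSH ACK on interface inside"
)
KIWI_CSV_LINE = (
    "2005-02-15 08:06:10 UTC,Local4.Info,192.168.1.1,Feb 15 2005 09:04:04 "
    "192.168.1.1 : %PIX-6-302013: Built outbound TCP connection 8893 for "
    "outside:217.12.2.76/80 (217.12.2.76/80) to inside:192.168.1.2/2902 "
    "(192.168.0.84/2902)"
)
# Constructed line: the same message logged without the Include Timestamp
# option; it violates rule 1 and must be rejected.
NO_TIMESTAMP_LINE = (
    "2005-02-02 17:59:46\tLocal4.Info\t192.168.1.1\t%PIX-6-106015: "
    "Deny TCP (no connection) from 192.168.1.3/1206 to 192.168.0.201/1070 "
    "flags PSH ACK on interface inside"
)

if __name__ == "__main__":
    for line in (KIWI_TAB_LINE, KIWI_CSV_LINE, NO_TIMESTAMP_LINE):
        msg = parse_line(line)
        print("rejected (no timestamp prefix)" if msg is None
              else f"{msg.kiwi_format}: {msg.msg_id} {msg.keyword} {endpoints(msg)}")
```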


    Cisco PIX Level Description Table

    The table below defines the Keyword and Description associated with each Cisco PIX Level Number, as defined by Cisco Systems.

    Level Number   Level Keyword   Description
    1              Alert           Immediate action needed.
    2              Critical        Critical condition.
    3              Error           Error condition.
    4              Warning         Warning condition.
    5              Notification    Normal but significant condition.
    6              Informational   Informational message only.
    7              Debugging       Appears during debugging only.


    1.4. Syslog Messages for Cisco PIX

    Syslog Message Number   Syslog Message   Default Error Message Severity Level & Keyword
    710006   %PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address   7 = debugging

    * All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

    ** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.


    1.5. Syslog Messages for Cisco PIX Firewall 6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3

    Syslog Message Number   Syslog Message   Default Error Message Severity Level & Keyword
    106001   %PIX-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name   2 = critical
    106002   %PIX-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address   2 = critical
    106006   %PIX-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.   2 = critical
    106007   %PIX-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.   2 = critical
    106010   %PIX-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port   3 = error
    106012   %PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex.   2 = critical
    106013   %PIX-2-106013: Dropping echo request from IP_address to PAT address IP_address   2 = critical
    106014   %PIX-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)   3 = error
    106015   %PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.   6 = informational
    106016   %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.   2 = critical
    106017   %PIX-2-106017: Deny IP due to Land Attack from IP_address to IP_address   2 = critical
    106018   %PIX-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address   2 = critical
    106020   %PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address   2 = critical
    106021   %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name   1 = alert
    106022   %PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name   1 = alert
    106023   %PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID   4 = warning
    302009   %PIX-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port   6 = informational
    302013   %PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]   6 = informational
    302014   %PIX-6-302014: Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)]   6 = informational
    302015   %PIX-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]   6 = informational
    302016   %PIX-6-302016: Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)]   6 = informational
    313001   %PIX-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_name   3 = error
    500003   %PIX-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name   5 = notification
    500004   %PIX-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port   4 = warning
    710003   %PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service   3 = error
    710005   %PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service   7 = debugging


    * All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

    ** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.


    1.6. Syslog Messages for Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall 2.2 & 2.3

    Syslog Message Number   Syslog Message   Default Error Message Severity Level & Keyword
    302020   %FWSM-6-302020: Built {in|out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | icmp_type} laddr laddr   6 = informational
    313004   %FWSM-4-313004: Denied ICMP type=icmp_type, from src_IP_address on interface intf_name to dest_IP_address: no matching session   4 = warning

    * All System Log Messages to be treated by Net Report must be prefixed by the Timestamp and then the Firewall IP Address.

    ** If you want Net Report to analyze your Flat Files, then the Flat File must correspond to the Syslog Message (in its default form with the Timestamp data prefix). That is, the message itself must not be modified.

    *** FWSM: Firewall Services Module System


    Section 2: Configuration Solution 1: Suppressing Syslog IDs

    2.1. Introduction

    Please follow the steps below to reduce the number of Syslog messages sent to the output location:

    2.2: Launching Cisco PIX Device Manager 3.0.

    2.3: Selecting Syslog Messages for Suppression.

    2.4: Suppressing Syslog Messages that are not treated by Net Report.

    2.5: Viewing Syslog Messages that were suppressed, via the Command Line Interface.

    2.6: Including a Timestamp in Syslog Messages & Modifying Advanced Syslog Configuration.

    2.7: Viewing Modifications Made to the Advanced Syslog Configuration via the Command Line Interface.

    Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 2.6).


    2.2. Launching Cisco PIX Device Manager 3.0

    Steps

    Use a PC connected to one of the PIX Firewall switch ports and enter the URL https://192.168.1.1/pdm.html

    Either leave both the Username and Password dialog boxes empty or enter your password.

    Press Enter.

    Accept the certificates, click Authorize.

    Enter your Network Password. Click Yes. The Cisco PIX Device Manager 3.0 console appears.


    2.3. Selecting Syslog Messages for Suppression

    Solution 1 explains how to suppress those Syslog messages which are not treated by Net Report in order to reduce the volume of Syslog messages treated. The following steps therefore explain how to select the messages which Net Report does not treat and then how to suppress these messages.

    Steps

    Select Configuration> System Properties. The System Properties tab appears in the central pane.


    Select Logging> Setup in the left Categories pane.

    Note that the Logging Setup parameters appear in the System Properties tab’s Logging Setup pane.

    Select the Enable logging check box and View all Syslog IDs in the Syslog ID Table View drop-down list.

    Select all the Syslog IDs in the Syslog ID list with the mouse. All the Syslog IDs will be highlighted in white.

    Press Ctrl and click with the mouse on those Syslog IDs supported by Net Report to clear them (the rows you clear will become grey). Clear the following Syslog IDs: 106001, 106002, 106007, 106010, 106012, 106013, 106014, 106015, 106016, 106017, 106018, 106020, 106021, 106022, 106023, 302009, 302013, 302014, 302015, 302016, 313001, 500003, 500004, 710003, 710005, 710006.


    Note: the Syslog IDs listed above will return to grey when you clear their selection.

    Click Edit. The Edit dialog box appears.


    2.4. Suppressing Syslog Messages

    Steps

    Note the Syslog IDs you selected to be suppressed in the previous Logging Setup pane in the Syslog ID(s) box.

    Select the Suppress Message(s) check box.

    Click OK. The Logging Setup tab appears.


    Click Apply. The Status message appears.

    Select View suppressed Syslog IDs only in the System Properties tab’s Syslog ID Table View drop-down list, to view the list of Syslog IDs you suppressed.


2.5. Viewing Syslog IDs Suppressed via the Command Line Interface

To view the Syslog IDs you suppressed via the Command Line Interface, please follow the steps below:

Steps

    1. Select Tools> Command Line Interface… The Command Line Interface dialog box appears.


    2. Enter the following Command in the Command field: show running-config

3. Click Send.

4. Note the Response in the lower half of the Command Line Interface dialog box. All the Syslog IDs you suppressed in the Logging Setup pane and Edit dialog box appear as follows: no logging message [SyslogID]

    5. Click Close.


    2.6. Including Timestamp & Modifying Advanced Syslog Configuration

    To include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.

    Steps

Select Configuration> System Properties. The System Properties tab appears.

    Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.

    Ensure the Include Timestamp check box is selected.

Note: the Cisco PIX device must be configured to include the Timestamp in the log packets sent to the Syslog server (Net Report Syslog Agent). Alternatively, enter the corresponding configuration command directly: logging timestamp or set logging timestamp enable.


Note: in Cisco PIX 4.3.x and later, you can avoid having particular syslog messages sent, and you can timestamp the messages that are sent. With the timestamp option enabled, all messages are sent with timestamps.

Note: the Net Report Syslog Agent does not access, connect to or send anything on port 514. It works in the other direction: the Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send packets to the Syslog Agent. Check that your Cisco PIX Firewall configuration contains a rule that allows this.

    Click Advanced… The Advanced Syslog Configuration dialog box appears.

    Select the Enable Syslog Device ID check box.

    Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.

    Click OK.

    Click Apply. The Status message appears.


    2.7. Viewing The Advanced Syslog Configuration Modifications

    Steps

    1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.


    2. Enter the following Command in the Command field: show running-config

    3. Click Send.

    4. Note the Response in the lower half of the Command Line Interface dialog box, notably “logging timestamp”.

    Status: Configuration Solution 1 has been successfully accomplished. You have suppressed the Syslog IDs that Net Report does not treat and ensured that only those Syslog Messages which Net Report treats will be written in the flat file.


    Section 3: Configuration Solution 2: Modifying Severity Threshold & Certain Messages’ Levels

    Introduction

    Solution 2 specifies the severity level threshold in the Cisco PIX Device Manager 3.0 to Level 3 (error), to indicate which Syslog messages can be sent to the flat file for treatment by Net Report.

    Important: it is mandatory to check the Include Timestamp check box in the PIX Device Manager (please see Section 3.3).

    The level you specify (i.e. level 3) causes the PIX firewall to only send messages of that level or lower to the output location (i.e. levels 1-3). For example, if you specify severity level 3 as the Severity Level Threshold, then the PIX Firewall sends severity level 1, 2, 3 messages to the output location. This limits the number of messages sent.

However, you must ensure that those Syslog messages treated by Net Report whose severity level is higher than the threshold you specified are modified down to that threshold, so that they are still sent to the output location. For example, a message treated by Net Report with a Logging level of 6 must be changed to Logging level 3.

    Contents

    The following tasks will be explained and must be followed in the following order:

    3.1: Modifying the logging level of Syslog Messages treated by Net Report via the PIX Device Manager

    3.2: Viewing the Syslog Messages’ Level Modifications via the Command Line Interface.

    3.3: Modifying the Syslog Severity Level Threshold, Including the Timestamp and Firewall IP Address.

    3.4: Viewing the Severity Level Threshold, Timestamp and Advanced Syslog Configuration Modifications via the Command Line Interface.


    3.1. Modifying Net Report Treated Messages’ Level via PIX Device Manager

To lower the level of those messages which Net Report treats and which are at Level 4-7 to Level 3, please follow the steps below:

    Steps

    Select Configuration> System Properties. The System Properties tab appears.

    Select Logging> Logging Setup in the left Categories pane. The Logging Setup pane appears.

    Select View all syslog IDs in the Syslog ID Table View drop-down list.

    Select the Syslog IDs for those Syslog Messages treated by Net Report with levels 4-7 in the Syslog list: 106015, 106023, 302009, 302013, 302014, 302015, 302016, 500003, 500004, 710005, 710006.


    Note that the Syslog IDs selected will appear highlighted in white.

    Click Edit. The Edit dialog box appears. Note the Syslog IDs you selected in the previous Logging Setup pane appear in the Syslog ID(s) field.

    Select Errors in the Logging Level drop-down list.

    Click OK. The Logging Setup pane reappears.


    Click Apply. The Status message appears.


3.2. Viewing The Syslog Messages’ Level Modifications

Steps

1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.

2. Enter the following Command in the Command field: show running-config

3. Click Send.

4. Note the Response in the lower half of the Command Line Interface dialog box. It shows that the level of those Syslog Messages treated by Net Report with level 4 – 7 has been modified to level 3 (errors), with the Response: logging message [SyslogID] level errors


    3.3. Modifying Syslog Severity Level Threshold, Including Timestamp & IP

To modify the Syslog Severity Level Threshold from the default Debugging level to the new threshold level 3 (error), and to include the Timestamp and Firewall IP Address in Syslog Messages, please follow the steps below.

    Steps

Select Configuration> System Properties. The System Properties tab appears.

    Select Logging> Syslog in the left Categories pane. The Syslog Pane appears in the System Properties tab.

    Select Errors in the Level drop-down list.

    Ensure the Include Timestamp check box is selected.


Note: the Cisco PIX device must be configured to include the Timestamp in the log packets sent to the Syslog server (Net Report Syslog Agent). Alternatively, enter the corresponding configuration command directly: logging timestamp or set logging timestamp enable.

Note: in Cisco PIX 4.3.x and later, you can avoid having particular syslog messages sent, and you can timestamp the messages that are sent. With the timestamp option enabled, all messages are sent with timestamps.

Note: the Net Report Syslog Agent does not access, connect to or send anything on port 514. It works in the other direction: the Net Report Syslog Agent listens on port 514, and the Cisco PIX Firewall must be configured to send packets to the Syslog Agent. Check that your Cisco PIX Firewall configuration contains a rule that allows this.

    Click Advanced… The Advanced Syslog Configuration dialog box appears.

    Select the Enable Syslog Device ID check box.


    Select the IP Address option button along with the Interface Name you want to appear in the Syslog message.

    Click OK.

    Click Apply. The Status message appears.


    3.4. Viewing The Severity Threshold & Timestamp Modifications

    Steps

    1. Select Tools> Command Line Interface. The Command Line Interface dialog box appears.


2. Enter the following Command in the Command field: show running-config

3. Click Send.

4. Note the Response in the lower half of the Command Line Interface dialog box, notably “logging timestamp” and “logging trap errors”.

    Status: Configuration Solution 2 has been successfully accomplished!
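To check a captured show running-config response against both solutions (sections 2.5, 2.7, 3.2 and 3.4) without reading it line by line, here is an added Python example; it is not part of the Net Report guide or of Cisco's tools. It assumes the response lines take the forms those sections show (no logging message ID, logging message ID level errors, logging timestamp, logging trap errors) plus a logging device-id line for the Firewall IP Address, and the sample configuration is constructed.

```python
import re

# Syslog IDs the guide lists as treated by Net Report (the IDs cleared in section 2.3).
TREATED_IDS = {
    106001, 106002, 106007, 106010, 106012, 106013, 106014, 106015, 106016,
    106017, 106018, 106020, 106021, 106022, 106023, 302009, 302013, 302014,
    302015, 302016, 313001, 500003, 500004, 710003, 710005, 710006,
}

# Treated IDs whose default level is 4-7 (section 3.1 list); the default level
# is the digit in each message's %PIX-<level>- prefix in Appendix A.
DEFAULT_LEVELS = {
    106015: 6, 106023: 4, 302009: 6, 302013: 6, 302014: 6, 302015: 6,
    302016: 6, 500003: 5, 500004: 4, 710005: 7, 710006: 7,
}

SEVERITY_NAMES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

NO_LOGGING_RE = re.compile(r"^no logging message (\d{6})$")
LEVEL_RE = re.compile(r"^logging message (\d{6}) level (\w+)$")
TRAP_RE = re.compile(r"^logging trap (\w+)$")

# Constructed sample of a show running-config response (not a real capture).
# 111005/111008 stand in for IDs Net Report does not treat; 302014 is a treated
# ID that was suppressed by mistake; only three of the eleven level-4-7 IDs
# were lowered to errors.
SAMPLE_RUNNING_CONFIG = """\
: Saved
hostname pixfw
logging on
logging timestamp
logging trap errors
logging device-id ipaddress outside
logging host inside 10.0.0.5
no logging message 111005
no logging message 111008
no logging message 302014
logging message 106015 level errors
logging message 106023 level errors
logging message 302013 level errors
"""


def level_number(token):
    """Accept a severity as a name ('errors') or a digit ('3'); None if unknown."""
    token = token.lower()
    return int(token) if token.isdigit() else SEVERITY_NAMES.get(token)


def parse_logging_config(config_text):
    """Collect the logging facts that the guide's CLI checks look for."""
    facts = {"suppressed": set(), "levels": {}, "trap_level": None,
             "timestamp": False, "device_id": False}
    for raw in config_text.splitlines():
        line = raw.strip()
        m_no, m_lvl, m_trap = (NO_LOGGING_RE.match(line), LEVEL_RE.match(line),
                               TRAP_RE.match(line))
        if m_no:
            facts["suppressed"].add(int(m_no.group(1)))
        elif m_lvl:
            facts["levels"][int(m_lvl.group(1))] = level_number(m_lvl.group(2))
        elif m_trap:
            facts["trap_level"] = level_number(m_trap.group(1))
        elif line == "logging timestamp":
            facts["timestamp"] = True
        elif line.startswith("logging device-id "):
            facts["device_id"] = True
    return facts


def _common_problems(facts):
    """Checks both solutions share: treated IDs not suppressed, timestamp and device id on."""
    problems = []
    wrongly_suppressed = sorted(TREATED_IDS & facts["suppressed"])
    if wrongly_suppressed:
        problems.append("treated IDs suppressed: %s" % wrongly_suppressed)
    if not facts["timestamp"]:
        problems.append("logging timestamp missing")
    if not facts["device_id"]:
        problems.append("logging device-id missing")
    return problems


def audit_solution1(facts):
    """Solution 1: only untreated IDs may be suppressed; the trap level is left alone."""
    return _common_problems(facts)


def audit_solution2(facts):
    """Solution 2: trap threshold must be errors (3), and every treated level-4-7
    ID must be lowered to the threshold or below, or the PIX never sends it."""
    problems = _common_problems(facts)
    if facts["trap_level"] != 3:
        problems.append("logging trap is %r, expected errors (3)" % facts["trap_level"])
    threshold = 7 if facts["trap_level"] is None else facts["trap_level"]
    silent = sorted(sid for sid, default in DEFAULT_LEVELS.items()
                    if facts["levels"].get(sid, default) > threshold)
    if silent:
        problems.append("treated IDs above trap threshold, never sent: %s" % silent)
    return problems


if __name__ == "__main__":
    facts = parse_logging_config(SAMPLE_RUNNING_CONFIG)
    print("Solution 1:", audit_solution1(facts) or "OK")
    print("Solution 2:", audit_solution2(facts) or "OK")
```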


    Appendices


    This Lexicon comprises the following two sections:

    Appendix A: The List of Cisco PIX versions 6.2 and 6.3 and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2, 2.3 Error Messages Treated by Net Report

    Appendix B: List of Error Messages Only Concerning Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall versions 2.2, 2.3 Error Messages Treated by Net Report.


    Appendix A

    A.1 Introduction

The messages shown in this Lexicon apply to Cisco PIX Firewall Versions 6.2 and 6.3 and higher and Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3. Please note that the Explanations given below follow the official explanations given by Cisco Systems. Those Error Messages which are specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3 are explained in Section 2 (Appendix B).

A.2 Error Messages Specific to Cisco PIX Firewall Versions 6.2 and 6.3

    710006

    Error Message

    %PIX-7-710006: protocol request discarded from source_address to interface_name:dest_address

    Explanation

    This message appears when the firewall does not have an IP server that services the IP protocol request; for example, the firewall receives IP packets that are not TCP or UDP, and the firewall cannot service the request.

    Recommended Action

    In networks that heavily use multicasting, the frequency of this message can be high. If this message appears in an excessive number, it may indicate an attack.


A.3 Error Messages for Cisco PIX Firewall V.6.2, 6.3 & Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 and 2.3

    106001

Error Message

%PIX-2-106001: Inbound TCP connection denied from IP_address/port to IP_address/port flags tcp_flags on interface interface_name

    Explanation

This is a connection-related message. This message occurs when an attempt to connect to an inside address is denied by your security policy. Possible tcp_flags values correspond to the flags in the TCP header that were present when the connection was denied. For example, a TCP packet arrived for which no connection state exists in the PIX Firewall, and it was dropped. The tcp_flags in this packet were FIN and ACK.

    The tcp_flags are as follows:

    ACK – The acknowledgement number was received.

    FIN – Data was sent.

    PSH – The receiver passed data to the application.

    RST – The connection was reset.

    SYN – Sequence numbers were synchronized to start a connection.

    URG – The urgent pointer was declared valid.

    106002

    Error Message

    %PIX-2-106002: protocol Connection denied by outbound list acl_ID src inside_address dest outside_address

    Explanation

    This is a connection-related message. This message is logged if the specified connection fails because of an outbound deny command statement. The protocol variable can be ICMP, TCP or UDP.

    Recommended Action

    Use the show outbound command to check outbound lists.

    106006

    Error Message

    %PIX-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.


    Explanation

    This is a connection-related message. This message is logged if an inbound UDP packet is denied by your security policy.

    106007

    Error Message

    %PIX-2-106007: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port due to DNS {Response|Query}.

    Explanation

    This is a connection-related message. This message is logged if a UDP packet containing a DNS query or response is denied.

    Recommended Action

    If the inside port number is 53, it is likely that the inside host is set up as a caching nameserver. Add an access-list command statement to permit traffic on UDP port 53. If the outside port number is 53, the most probable cause is that a DNS server was too slow to respond and the query was answered by another server.

    106010

    Error Message

    %PIX-3-106010: Deny inbound protocol src interface_name:dest_address/dest_port dst interface_name:source_address/source_port

    Explanation

    This is a connection-related message. This message is logged if an inbound connection is denied by your security policy.

    Recommended Action

    Modify the security policy if traffic should be permitted. If the message occurs at regular intervals, contact the remote peer administrator.

    106012

    Error Message

    %PIX-2-106012: Deny IP from IP_address to IP_address, IP options hex.

    Explanation


    This is a packet integrity check message. An IP packet was seen with IP options. Because IP options are considered a security risk, the packet was discarded.

    Recommended Action

    Contact the remote host system administrator to determine the problem. Check the local site for loose source or strict source routing.

    106013

    Error Message

    %PIX-2-106013: Dropping echo request from IP_address to PAT address IP_address

    Explanation

    This message is logged when the firewall discards an inbound ICMP Echo Request packet with a destination address that corresponds to a PAT global address. It is discarded because the inbound packet cannot specify which PAT host should receive the packet.

    106014

    Error Message

    %PIX-3-106014: Deny inbound icmp src interface_name: IP_address dst interface_name: IP_address (type dec, code dec)

    Explanation

    This message is logged when the firewall denies any inbound ICMP packet access. By default, all ICMP packets are denied access unless specifically permitted using the conduit permit icmp command. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.

    106015

    Error Message

    %PIX-6-106015: Deny TCP (no connection) from IP_address/port to IP_address/port flags tcp_flags on interface interface_name.

    Explanation

    This message is logged when the firewall discards a TCP packet that has no associated connection in the firewall unit’s connection table. The firewall looks for a SYN flag in the packet, which indicates a request to establish a new connection. If the SYN flag is not set, and there is not an existing connection, the firewall discards the packet.

    Recommended Action


    None required, unless the firewall receives a large volume of these invalid TCP packets. If this is the case, trace the packets to the source and determine the reason these packets were sent.

    106016

    Error Message

    %PIX-2-106016: Deny IP spoof from (IP_address) to IP_address on interface interface_name.

    Explanation

    This message is logged when the firewall discards a packet with an invalid source address. Invalid source addresses are those addresses belonging to the following:

    Loopback network (127.0.0.0)

    Broadcast (limited, net-directed, subnet-directed, and all subnets-directed)

    The destination hosts (land.c)

If the sysopt connection enforcesubnet command is enabled, the PIX Firewall prevents packets with a source address belonging to the destination subnet from traversing the firewall, discards them and logs this message.

    To enhance spoof packet detection, use the conduit command to configure the firewall to discard packets with source addresses belonging to the internal network. Now that the icmp command has been implemented, the conduit command has been deprecated and is no longer guaranteed to work properly.

    Recommended Action

    Determine if an external user is trying to compromise the protected network. Check for misconfigured clients.


    106017

    Error Message

    %PIX-2-106017: Deny IP due to Land Attack from IP_address to IP_address

    Explanation

    This message appears when the firewall receives a packet with the IP source address equal to the IP destination and the destination port equal to the source port. This indicates a spoofed packet designed to attack systems. This attack is referred to as a Land Attack.

    Recommended Action

    If this message persists, an attack may be in progress. The packet does not provide enough information to determine where the attack originates.

    106018

    Error Message

    %PIX-2-106018: ICMP packet type ICMP_type denied by outbound list acl_ID src inside_address dest outside_address

    Explanation

    This message is logged because the outgoing ICMP packet with type ICMP_type from local host inside_address to foreign host outside_address is denied by outbound list acl_ID.

    106020

    Error Message

    %PIX-2-106020: Deny IP teardrop fragment (size = number, offset = number) from IP_address to IP_address

    Explanation

    The firewall discarded an IP packet with teardrop signature containing either a small offset or fragment overlapping. This is a hostile event to circumvent the firewall or an Intrusion Detection System.

    Recommended Action

    Contact the remote peer administrator or escalate this issue according to your security policy.

    106021


    Error Message

    %PIX-1-106021: Deny protocol reverse path check from source_address to dest_address on interface interface_name

    Explanation

    Someone is attempting to spoof an IP address on an inbound connection. Unicast Reverse Path Forwarding (Unicast RPF), also known as reverse route lookup, detected a packet that does not have a source address represented by a route and assumes that it is part of an attack on your firewall.

    Recommended Action

    This message appears when you have enabled Unicast Reverse Path Forwarding with the ip verify reverse-path command. This feature works on packets input to an interface; if it is configured on the outside, then the firewall checks packets arriving from the outside.

    The firewall looks up a route based on the source_address. If an entry is not found and a route is not defined, then this Syslog message appears and the connection is dropped.

    If there is a route, the firewall checks which interface it corresponds to. If the packet arrived on another interface, it is either a spoof or there is an asymmetric routing environment that has more than one path to a destination. The firewall does not support asymmetric routing.

    If configured on an internal interface, the firewall checks static route command statements or RIP and if the source_address is not found, then an internal user is spoofing their address.

    An attack is in progress. With this feature enabled, no user action is required. The firewall repels the attack.

    106022

    Error Message

    %PIX-1-106022: Deny protocol connection spoof from source_address to dest_address on interface interface_name

    Explanation

This message only appears if a connection exists and a packet matching the connection arrives on a different interface than the interface the connection began on. For example, if a user starts a connection on the inside interface, but the firewall detects the same connection arriving on a perimeter interface, the firewall has more than one path to a destination. This is known as asymmetric routing and is not supported on the firewall.


    Alternatively, an attacker is attempting to append packets from one connection to another as a means of breaking into the firewall. In either case, the firewall displays this message and drops the connection.

    Recommended Action

    This message appears when the ip verify reverse-path command is not configured. Ensure routing is not asymmetric.

    106023

    Error Message

    %PIX-4-106023: Deny protocol src [interface_name:source_address/source_port] dst interface_name:dest_address/dest_port [type {string}, code {code}] by access_group acl_ID

    Explanation

    An IP packet was denied by the ACL. This message will be displayed even if you do not have the log option enabled for an ACL.

    Recommended Action

    If messages persist from the same source address, then the messages could indicate a foot printing or port scanning attempt. Contact the remote host administrators.


    302009

    Error Message

%PIX-6-302009: Rebuilt TCP connection number for foreign_address outside_address/outside_port global_address global_address/global_port local_address inside_address/inside_port

    Explanation

    This is a connection-related message. This message appears after a TCP connection is rebuilt after a failover. A sync packet is not sent to the other PIX Firewall. The outside_address IP address is the foreign host, the global_address IP address is a global address on the lower security level interface, and the inside_address IP address is the local IP address “behind” the PIX Firewall on the higher security level interface.

    302013

    Error Message

%PIX-6-302013: Built {inbound|outbound} TCP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

    Explanation

    A TCP connection slot between two hosts was created.

    Where:

    connection number is a unique identifier.

    interface, real_address, real_port identify the actual sockets.

    mapped_address, mapped_port identify the mapped sockets.

    user is the AAA name of the user.

    If inbound is specified, then the original control connection was initiated from the outside. For example, for FTP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection was initiated from the inside.

    302014

    Error Message

    %PIX-6-302014: Teardown TCP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [reason] [(user)]


    Explanation

    A TCP connection between two hosts was deleted.

    Where:

    connection number is a unique identifier.

    interface, real_address, real_port identify the actual sockets.

    time is the lifetime of the connection

    bytes number is the data transfer of the connection

    user is the AAA name of the user

The reason variable presents the action that caused the connection to terminate. It is one of the TCP termination reasons listed below:

Reason – Description

Reset-I – Reset was from the inside.

Reset-O – Reset was from the outside.

TCP FINs – Normal close down sequence.

FIN Timeout – Force termination after 15 seconds awaiting the last ACK.

SYN Timeout – Force termination after two minutes awaiting three-way handshake completion.

Xlate Clear – Command-line removal.

Deny – Terminate by application inspection.

SYN Control – Back channel initiation from wrong side.

Uauth Deny – Deny by URL filter.

Unknown – Catch-all error.

Conn-timeout – Connection was torn down because it was idle longer than the configured idle timeout.

    302015

    Error Message

%PIX-6-302015: Built {inbound|outbound} UDP connection number for interface_name:real_address/real_port (mapped_address/mapped_port) to interface_name:real_address/real_port (mapped_address/mapped_port) [(user)]

    Explanation

    A UDP connection slot between two hosts is created. See the following descriptions:

    - connection number – a unique identifier.

- interface, real_address, real_port – The actual sockets.

    - mapped_address and mapped_port – The mapped sockets.

    - user – The AAA name of the user.

    If inbound is specified, then the original control connection is initiated from the outside. For example, for UDP, all data transfer channels are inbound if the original control channel is inbound. If outbound is specified, then the original control connection is initiated from the inside.

    302016

    Error Message

%PIX-6-302016: Teardown UDP connection number for interface_name:real_address/real_port to interface_name:real_address/real_port duration time bytes number [(user)]

    Explanation

A UDP connection slot between two hosts was deleted.

    Where:

    connection number is a unique identifier.

    interface, real_address, real_port identify the actual sockets.

    time is the lifetime of the connection

bytes number is the data transfer of the connection

    user is the AAA name of the user


    313001

    Error Message

    %PIX-3-313001: Denied ICMP type=number, code=code from IP_address on interface interface_name

    Explanation

    When using the icmp command with an access list, if the first matched entry is a permit entry, the ICMP packet continues processing. If the first matched entry is a deny entry or an entry is not matched, the firewall discards the ICMP packet and generates this Syslog message. The icmp command enables or disables pinging to an interface. With pinging disabled, the firewall cannot be detected on the network. This feature is also referred to as configurable proxy pinging.

    Recommended Action

    Contact the administrator of the peer device.

500003

Error Message

%PIX-5-500003: Bad TCP hdr length (hdrlen=bytes, pktlen=bytes) from src_addr/sport to dest_addr/dport, flags: tcp_flags, on interface int_name

    Explanation

    This message indicates that a header length in TCP is incorrect. Some operating systems do not handle TCP RSTs (resets) correctly when responding to a connection request to a disabled socket. If a client tries to connect to an FTP server outside the PIX Firewall and FTP is not listening, then the server sends an RST. Some operating systems send incorrect TCP header lengths, which causes this problem. UDP uses ICMP port unreachable messages.

    500004

    Error Message

    %PIX-4-500004: Invalid transport field for protocol=protocol, from src_addr/src_port to dest_addr/dest_port

    Explanation

This message appears when there is an invalid transport number, in which the source or destination port number for a protocol is zero. The protocol field is 6 for TCP and 17 for UDP.

    710003

    Error Message


    %PIX-3-710003: {TCP|UDP} access denied by ACL from source_address/source_port to interface_name:dest_address/service

    Explanation

    This message appears when the firewall denies an attempt to connect to the interface service. For example, this message appears (with the service snmp) when the firewall receives an SNMP request from an unauthorized SNMP management station.

    Recommended Action

Use the show http, show ssh, or show telnet command to verify that the firewall is configured to permit the service access from the host or network. If this message appears frequently, it can indicate an attack.

    710005

    Error Message

    %PIX-7-710005: {TCP|UDP} request discarded from source_address/source_port to interface_name:dest_address/service

    Explanation

This message appears when the firewall does not have a UDP server that services the UDP request. The message can also indicate a TCP packet that does not belong to any session on the firewall. In addition, this message appears (with the service snmp) when the firewall receives an SNMP request with an empty payload, even if it is from an authorized host. When the service is not snmp, this message occurs a maximum of once every 10 seconds so that the log receiver is not overwhelmed.

    Recommended Action

In networks that heavily utilize broadcasting services such as DHCP, RIP or NetBIOS, the frequency of this message can be high. If this message appears in an excessive number, it may indicate an attack.
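As an added example that is not part of the guide or of Cisco's documentation, the following Python parser reads PIX syslog lines in the Appendix A formats (full field extraction for the 106001, 106023 and 302013 bodies, envelope only for the other IDs) and applies the 106023 Recommended Action above by reporting sources whose ACL denies persist across several distinct destination ports. The layout of the timestamp and device-id prefix (both enabled in section 2.6) is an assumption, and every sample line is constructed.

```python
import re
from collections import defaultdict

# Envelope: optional "Mon DD YYYY HH:MM:SS" timestamp, optional "device_id : ",
# then %PIX-<level>-<id>: text. This prefix layout is an assumption of the example.
ENVELOPE_RE = re.compile(
    r"^(?:(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})[: ]+)?"
    r"(?:(?P<device>[\w.-]+) : )?"
    r"%PIX-(?P<level>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Body patterns written from the Appendix A templates for three treated IDs.
BODY_PARSERS = {
    106001: re.compile(
        r"Inbound TCP connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
        r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) "
        r"on interface (?P<iface>\S+)$"),
    106023: re.compile(
        r"Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)(?:/(?P<sport>\d+))? "
        r"dst (?P<dif>\w+):(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
        r"(?: \(type (?P<type>\d+), code (?P<code>\d+)\))? "
        r"by access[-_]group (?P<acl>\S+)$"),
    302013: re.compile(
        r"Built (?P<direction>inbound|outbound) TCP connection (?P<conn>\d+) for "
        r"(?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) \((?P<msrc>[\d.]+)/(?P<msport>\d+)\) "
        r"to (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) \((?P<mdst>[\d.]+)/(?P<mdport>\d+)\)"
        r"(?: \((?P<user>[^)]*)\))?$"),
}

# Constructed sample log (documentation/test addresses only, not real traffic).
SAMPLE_LOG = """\
Jan 14 2004 10:15:01 pixfw : %PIX-6-302013: Built outbound TCP connection 1234 for inside:192.168.1.20/3452 (203.0.113.5/3452) to outside:198.51.100.9/80 (198.51.100.9/80)
Jan 14 2004 10:15:02 pixfw : %PIX-4-106023: Deny tcp src outside:192.0.2.77/40001 dst inside:192.168.1.10/21 by access-group acl_out
Jan 14 2004 10:15:02 pixfw : %PIX-4-106023: Deny tcp src outside:192.0.2.77/40002 dst inside:192.168.1.10/22 by access-group acl_out
Jan 14 2004 10:15:03 pixfw : %PIX-4-106023: Deny tcp src outside:192.0.2.77/40003 dst inside:192.168.1.10/23 by access-group acl_out
Jan 14 2004 10:15:03 pixfw : %PIX-4-106023: Deny tcp src outside:192.0.2.77/40004 dst inside:192.168.1.10/25 by access-group acl_out
Jan 14 2004 10:15:04 pixfw : %PIX-2-106001: Inbound TCP connection denied from 192.0.2.88/51000 to 203.0.113.5/443 flags SYN on interface outside
Jan 14 2004 10:15:05 pixfw : %PIX-7-710005: UDP request discarded from 192.168.1.30/137 to inside:192.168.1.1/netbios-ns
"""


def parse_line(line):
    """Split one syslog line into envelope fields plus any parsed body fields;
    returns None for lines that are not PIX syslog messages."""
    m = ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    msgid = int(m.group("msgid"))
    record = {"timestamp": m.group("ts"), "device": m.group("device"),
              "level": int(m.group("level")), "msgid": msgid,
              "text": m.group("text"), "fields": {}}
    body_re = BODY_PARSERS.get(msgid)
    body = body_re.match(record["text"]) if body_re else None
    if body:
        record["fields"] = {k: v for k, v in body.groupdict().items() if v is not None}
    return record


def parse_log(text):
    """Parse every recognisable line of a log; other lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def deny_scan_sources(records, min_ports=3):
    """Sources whose 106023 ACL denies hit at least min_ports distinct destination
    ports: the persistent-source pattern the 106023 Recommended Action describes.
    Returns {source_address: sorted list of denied destination ports}."""
    ports = defaultdict(set)
    for r in records:
        f = r["fields"]
        if r["msgid"] == 106023 and "dport" in f:
            ports[f["src"]].add(int(f["dport"]))
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for r in records:
        print(r["timestamp"], r["device"], r["level"], r["msgid"], r["fields"])
    print("persistent deny sources:", deny_scan_sources(records))
```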


    Appendix B

    B.1 Introduction

    The error messages below are specific to Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Versions 2.2 and 2.3.

    B.2 Error Messages Specific to Cisco Catalyst 6500 Series Switch & Cisco 7600 Series Router Firewall V 2.2 & 2.3

    302020

    Error Message

    %FWSM-6-302020: Built {in|out}bound ICMP connection for faddr {faddr | icmp_seq_num} gaddr {gaddr | icmp_type} laddr laddr

    Explanation

    An ICMP session was established in the fast path. This occurs when stateful ICMP inspection is enabled with the fixup protocol icmp command.

    313004

    Error Message

    %FWSM-4-313004: Denied ICMP type=icmp_type, from src_IP_address on interface intf_name to dest_IP_address: no matching session

    Explanation

    The FWSM dropped ICMP packets because of the security checks added by the stateful ICMP feature. The dropped packets are usually either ICMP echo replies for which no valid echo request has already passed through the firewall, or ICMP error messages that are not related to any TCP, UDP, or ICMP session already established on the FWSM.
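    The 710003 and 710005 entries above, and the 313004 entry for the FWSM, all end with the same operational advice: a high rate of these denials from one source may indicate an attack. The following is an added example, not Net Report or Cisco code, of how a log receiver can apply that rule. It parses the documented message formats for 500004, 710003, 710005 and 313004 into fields, tolerates a syslog timestamp and hostname in front of the %PIX/%FWSM header (as produced by logging timestamp), lists the zero-port packets reported by 500004, and flags sources whose denial count reaches a threshold. The sample log lines are constructed for this example, and the threshold of 5 denials per source is an assumption to be tuned per site.

```python
"""Parse Cisco PIX / FWSM syslog messages and apply the 'frequent denials may
indicate an attack' rule from the 710003 / 710005 / 313004 recommended actions.
Added example, not Net Report or Cisco code; sample log and threshold are
constructed/assumed for illustration."""
import re
from collections import Counter

# Common header of every PIX/FWSM message: %<facility>-<severity>-<id>: <text>.
# search() rather than match() so a timestamp/hostname prefix is tolerated.
HEADER_RE = re.compile(
    r"%(?P<facility>PIX|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$"
)

# Body patterns taken from the message formats documented above.
BODY_RE = {
    "500004": re.compile(
        r"Invalid transport field for protocol=(?P<protocol>\d+), "
        r"from (?P<src_addr>[\d.]+)/(?P<src_port>\d+) to (?P<dst_addr>[\d.]+)/(?P<dst_port>\d+)"),
    "710003": re.compile(
        r"(?P<proto>TCP|UDP) access denied by ACL from (?P<src_addr>[\d.]+)/(?P<src_port>\d+) "
        r"to (?P<interface>\w+):(?P<dst_addr>[\d.]+)/(?P<service>\w+)"),
    "710005": re.compile(
        r"(?P<proto>TCP|UDP) request discarded from (?P<src_addr>[\d.]+)/(?P<src_port>\d+) "
        r"to (?P<interface>\w+):(?P<dst_addr>[\d.]+)/(?P<service>\w+)"),
    "313004": re.compile(
        r"Denied ICMP type=(?P<icmp_type>\d+), from (?P<src_addr>[\d.]+) "
        r"on interface (?P<interface>\w+) to (?P<dst_addr>[\d.]+):\s*no matching session"),
}

# Messages whose repeated appearance the guide says may indicate an attack.
DENIAL_IDS = ("710003", "710005", "313004")
DEFAULT_THRESHOLD = 5  # assumption for this example; tune per site

# Constructed sample input (not real traffic). One line carries a syslog prefix.
SAMPLE_LOG = """\
%PIX-4-500004: Invalid transport field for protocol=6, from 10.1.1.5/0 to 192.168.1.10/80
%PIX-3-710003: TCP access denied by ACL from 10.1.1.5/41022 to inside:192.168.1.1/ssh
%PIX-3-710003: TCP access denied by ACL from 10.1.1.5/41023 to inside:192.168.1.1/ssh
%PIX-3-710003: TCP access denied by ACL from 10.1.1.5/41024 to inside:192.168.1.1/telnet
%PIX-3-710003: UDP access denied by ACL from 10.1.1.5/41025 to inside:192.168.1.1/snmp
%PIX-3-710003: UDP access denied by ACL from 10.1.1.5/41026 to inside:192.168.1.1/snmp
%PIX-3-710003: UDP access denied by ACL from 10.1.1.5/41027 to inside:192.168.1.1/snmp
Mar 12 10:15:03 fw01 %PIX-3-710003: UDP access denied by ACL from 10.1.1.7/5000 to inside:192.168.1.1/snmp
%PIX-7-710005: UDP request discarded from 10.1.1.9/68 to inside:255.255.255.255/bootps
%FWSM-4-313004:Denied ICMP type=0, from 172.16.0.4 on interface outside to 192.168.1.20:no matching session
%PIX-6-302013: Built outbound TCP connection 12 for outside:198.51.100.5/80 (198.51.100.5/80) to inside:192.168.1.10/3345 (203.0.113.2/1024)
"""


def parse_line(line):
    """Return a dict for one PIX/FWSM message, or None if the line has no header.
    Messages without a body pattern keep only the header fields and raw text."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]),
           "msgid": m["msgid"], "text": m["text"]}
    body = BODY_RE.get(rec["msgid"])
    if body:
        bm = body.match(rec["text"])
        if bm:
            rec.update(bm.groupdict())
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flag_zero_ports(records):
    """500004 records: the guide says these carry a source or destination port of 0."""
    return [r for r in records if r["msgid"] == "500004"
            and "0" in (r.get("src_port"), r.get("dst_port"))]


def count_denials(records):
    """Count denial messages per (source address, message id)."""
    return Counter((r["src_addr"], r["msgid"])
                   for r in records if r["msgid"] in DENIAL_IDS and "src_addr" in r)


def suspicious_sources(records, threshold=DEFAULT_THRESHOLD):
    """Sources whose total denial count reaches the threshold."""
    per_src = Counter()
    for (src, _msgid), n in count_denials(records).items():
        per_src[src] += n
    return {src: n for src, n in per_src.items() if n >= threshold}


def services_for(records, src):
    """Sorted list of interface services a source was denied on (710003/710005)."""
    return sorted({r["service"] for r in records
                   if r.get("src_addr") == src and "service" in r})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, n in suspicious_sources(recs).items():
        print(f"{src}: {n} denials, services probed: {services_for(recs, src)}")
    for r in flag_zero_ports(recs):
        print(f"zero port: protocol={r['protocol']} {r['src_addr']}/{r['src_port']}")
```

    On the sample above the only source that reaches the threshold is 10.1.1.5, which was denied on snmp, ssh and telnet; that is the point at which the recommended action applies (check show http, show ssh, show telnet, and the SNMP configuration, for that host). The 302013 line is parsed at header level only, which is how unlisted message IDs should be kept rather than dropped.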


    Contacting Net Report

    For Technical Support, please contact us:

    By e-mail at: [email protected]

    By Telephone on: +33 (0)46 784 4800

    By Fax on: +33 (0)46 784 4811

    By post at: Net Report Headquarters,

    130 rue Baptistou,

    ZAE Nord,

    34980 Saint Gély du Fesc,

    FRANCE

    For Sales Enquiries, please contact us:

    By e-mail at: [email protected]

    By Telephone on: +33 (0)1 46 84 15 66

    By post at: Net Report Sales Offices,

    Allasso France,

    Immeuble Europe Avenue,

    3rd and 4th floor (Reception),

    62 Bis av André Morizet,

    92 643 Boulogne-Billancourt Cedex,

    FRANCE
