UDP Broadcasts filling log on PIX

In article , Mark M wrote: :Broadcasts on my internal LAN are hitting my PIX internal interface and :making my logs hard to manage. Here is a snip:

:%PIX-3-710003: UDP access denied by ACL from 192.168.1.2/137 to inside:192.168.1.255/137

:The PIX internal interface is 192.168.1.123. I don't understand why a :broadcast packet would show up as blocked traffic on the PIX since :traffic is not attempting to transverse the interfaces.

:Do I have a config issue, or is this normal?

Broadcast traffic is sent to all hosts on the segment, including the PIX. The PIX considers -all- traffic that comes to its attention as requests to traverse the interfaces (except for the traffic addressed right to the PIX itself, that is.)

You have a few options:

a) permit the traffic through in your ACL. This will get rid of the message you are seeing, and replace it with a regular Deny message, that, if read carefully, will show that the traffic was denied because the source and destination interfaces were the same

b) no message logging 710003 will turn off the above message completely, along with the logging of some other kinds of UDP traffic that the PIX thinks are addressed to the PIX

c) add an access-list entry matching that traffic but with "logging disable" to turn off the logging of that -specific- flow

d) turn off NETBIOS on your Windows systems

e) put your Windows hosts into a subnet that isn't the same as the inside interface subnet, and have an inside router to forward the traffic to the PIX. In this way the PIX won't be a receiver of the broadcasts.

Great...thanks for the information!