When a packet matches a defensive filter during IP filter processing, a message can be logged indicating that the packet was discarded based on this filter. When a defensive filter is added, filter-match logging can be enabled or disabled for the filter; it is enabled by default. The filter-match logging setting can be updated with the ipsec command for an existing defensive filter.
When a defensive filter is simulating a block, filter match logging is always performed to indicate that a packet would have been discarded based on the defensive filter.
You can limit the number of filter-match messages generated for a defensive filter by specifying a log limit for the defensive filter in one of the following ways:
The log limit limits the average rate of filter-match messages generated in a 5-minute interval for a defensive filter. For example, a loglimit value of 100 limits the average rate of filter-match messages to 100 messages per 5-minute interval. A burst of up to 100 messages is allowed while maintaining the long-term average of 100 messages per 5-minute interval.
A count is kept of suppressed messages. At the end of the 5-minute interval, if there are suppressed filter-match messages, EZD0837I or EZD0838I is generated to report the number of suppressed messages.