WSM Reference Guide - WatchGuard Technologies
Traffic Logs

Alarm logs

Alarm logs are sent when an alarm condition is met. The Firebox sends the alarm to the Traffic Monitor and Log Server and triggers the specified action.

Some alarms are set in your Firebox configuration. For example, you can use Policy Manager to configure an alarm to occur when a certain threshold is met. Other alarms are set by default. The Firebox sends an alarm log when a network connection on one of the Firebox interfaces fails. This cannot be changed in your configuration. The Firebox never sends more than 10 alarms in 15 minutes for the same set of conditions.

There are eight categories of alarm logs: System, IPS, AV, Policy, Proxy, Probe, Denial of service, and Traffic.

Event logs

Event logs are created because of Firebox user activity. Events that cause event logs include:
• Firebox start up/shut down
• Firebox and VPN authentication
• Process start up/shut down
• Problems with the Firebox hardware components
• Any task done by the Firebox administrator

Diagnostic logs

Diagnostic logs are more detailed log messages sent by the Firebox that you can use to help troubleshoot problems. You can select the level of diagnostic logging to see in Traffic Monitor or to write to your log file. You can configure the diagnostic log level from Policy Manager > Setup > Logging > Advanced Diagnostics. The available levels are off, low, medium, high, and advanced. We do not recommend that you set the logging level to advanced unless you are working with a technical support team to diagnose a problem, because it can cause the log file to fill up very quickly.

Traffic Logs

Most of the logs shown in Traffic Monitor are traffic logs. Traffic logs show the traffic that moves through your Firebox and how the packet filter and proxy policies were applied. Traffic Monitor shows all of the log messages from the Firebox that are recorded in your log file.

Packet Filter Logs

Packet filter logs contain a set number of fields. Here is an example of the XML output of a packet filter log message. The information looks different when you see the same log message in Traffic Monitor or LogViewer. Below the example, there is an explanation for each field that appears.
    <FWAllow d="2005-01-25T23:12:12" orig="HQFirebox" disp="Allow" pri="1" policy="SSH-outgoing-05"
        src_ip="192.168.130.59" dst_ip="10.10.171.98" pr="ssh" src_port="56952" dst_port="22"
        src_intf="1-Trusted" dst_intf="0-External" rc="100"
        msg="firewall pass, mss not exceeding 1460, idle timeout=43205 sec"
        pckt_len="60" ttl="63" log_type="tr"/>
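The record above is a single XML element whose attributes are the log fields, so it can be parsed with a standard XML parser. The following Python is an added example (not code from the WatchGuard guide or product) that parses such records into typed fields, tallies them per policy and disposition, and tolerates a record mangled by line wrapping; the FWDeny record, its policy name and its field values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime

# Constructed sample log records in the same XML form as the page's FWAllow
# example. The FWDeny record, its policy name and its field values are
# assumptions made for this example, not records taken from a real Firebox.
SAMPLE_RECORDS = [
    '<FWAllow d="2005-01-25T23:12:12" orig="HQFirebox" disp="Allow" pri="1" '
    'policy="SSH-outgoing-05" src_ip="192.168.130.59" dst_ip="10.10.171.98" '
    'pr="ssh" src_port="56952" dst_port="22" src_intf="1-Trusted" '
    'dst_intf="0-External" rc="100" msg="firewall pass, mss not exceeding 1460, '
    'idle timeout=43205 sec" pckt_len="60" ttl="63" log_type="tr"/>',
    '<FWDeny d="2005-01-25T23:12:40" orig="HQFirebox" disp="Deny" pri="1" '
    'policy="Deny-inbound-05" src_ip="203.0.113.7" dst_ip="198.51.100.2" '
    'pr="ssh" src_port="40211" dst_port="22" src_intf="0-External" '
    'dst_intf="1-Trusted" rc="101" msg="denied" pckt_len="60" ttl="48" log_type="tr"/>',
    # A record mangled by line wrapping (leading "<" lost), as happens when log
    # text is copied from a rendered page; the parser must skip it, not crash.
    'FWAllow d="2005-01-25T23:13:01" orig="HQFirebox" disp="Allow" log_type="tr"/>',
]

INT_FIELDS = ("pri", "src_port", "dst_port", "rc", "pckt_len", "ttl")

def parse_record(xml_text):
    """Return a dict of the record's fields, or None if it is not well-formed XML."""
    try:
        el = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    rec = dict(el.attrib)
    rec["event"] = el.tag                      # FWAllow / FWDeny
    rec["timestamp"] = datetime.fromisoformat(rec["d"])
    for key in INT_FIELDS:                     # numeric fields become ints
        if key in rec:
            rec[key] = int(rec[key])
    return rec

def summarize(xml_records):
    """Count records per (policy, disposition); also count unparseable lines."""
    counts, bad = Counter(), 0
    for text in xml_records:
        rec = parse_record(text)
        if rec is None:
            bad += 1
            continue
        counts[(rec.get("policy", "?"), rec["disp"])] += 1
    return counts, bad
```

Feeding a real export through `summarize` gives a quick per-policy allow/deny breakdown, and a non-zero unparseable count is the first sign that the export was wrapped or truncated in transit.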
28 WatchGuard System Manager