WSM Reference Guide - WatchGuard Technologies

More documents

Recommendations

Info

Alarm Logs HTTP Proxy Traffic Log Messages Text in Message Field Associated Fields HTTP REQ op dstname arg HTTP HEADER IPS MATCH ips_msg signature_id HTTP BODY IPS MATCH ips_msg signature_id HTTP BYTECOUNT UPDATE Message Meaning Value that appears in associated field(s) Auditing information about an HTTP request. HTTP request method hostname from requested URL path and query-string from requested URL The HTTP header matches an IPS signagure. description of the signature that matched the signature ID of the rule that matched The HTTP body matches an IPS signature. description of the signature that matched the signature ID of the rule that matched Auditing information for an HTTP request that has a very large response. TCP Proxy Traffic Log Messages Text in Message Field Associated Fields Message Meaning Value that appears in associated field(s) TCP REQ outgoing_msg the mode the handler is in. TCP IPS MATCH ips_msg signature_id TCP proxy found an IPS signature match. description of the signature that matched the signature ID of the rule that matched Alarm Logs Alarm logs are sent when an alarm condition is met. The Firebox sends the alarm log to the Traffic Monitor and Log Server and triggers the specified action. Some alarms are set in your Firebox configuration. For example, you can use Policy Manager to configure an alarm to occur when a certain threshold is met. Other alarms are set by default. The Firebox sends an alarm log when a network connection on one of the Firebox interfaces fails. This cannot be changed in your configuration. The Firebox never sends more than 10 alarms in 15 minutes for the same set of conditions. There are eight categories of alarm logs: System, IPS, AV, Policy, Proxy, Probe, Denial of service, and Traffic. There is a table below for each category of alarms, showing the format of the alarm log messages in each category. 36 WatchGuard System Manager
Alarm Logs Policy Alarms Default Name Policy Message Format Example Message Caused By alarm_name=”WGRD_PM_BP_Alar m, alarm id, timestamp, message, policy name, source IP, destination IP, protocol, source port, destination port, source interface, destination interface, log_type=”al” alarm_name="WGRD_PM_BP_Alar m" alarm_id="4001" time="Wed Mar 2 07:41:21 2005 (PST)" msg="Block" policy="WGRD_PM_BP_Policy" src_ip="24.56.20.79" dst_ip="192.168.30.164" pr="tcp/ sun-rpc" src_port="1727" dst_port="111" src_intf="0- External" dst_intf="2-Optional-1" log_type="al"/ These alarms are caused by events associated with each policy. Proxy Alarms Default Name Proxy Message Format Example Message Caused By alarm_name=”Proxy”, alarm_id, time, message, source IP, destination IP, protocol, source port, destination port, source interface destination interface, log_type=”al” alarm_name="Proxy" alarm_id="6001" time="Tue Aug 3 00:49:35 2004 (PST)" msg="ProxyAllow/HTTP Request method match" src_ip="192.168.1.102" dst_ip="16.0.0.107" pr="tcp/smtp" src_port="1384" dst_port="25" src_intf="PPTP" dst_intf="1- Trusted" log_type="al"/ These alarms are caused by events associated with each proxy action. System Alarms Default Name System Message Format Example Message Caused By alarm _name detected, message_string. System detected. [1401-0512@H] user abc failed to log in from 192.168.228.226. System detected. [1401-0202@H] Number of IPSec tunnels 2500 reaches max IPSec tunnels allowed. These alarms are triggered by system events. Reference Guide 37
Page 1 and 2: WatchGuard ® System Manager Refere
Page 3 and 4: Contents CHAPTER 1 Internet Protoco
Page 5 and 6: CHAPTER 1 Internet Protocol Referen
Page 7 and 8: Internet Protocol Header Keyword Nu
Page 9 and 10: Transfer Protocols Source Routing T
Page 11 and 12: CHAPTER 2 MIME Content Types Softwa
Page 13 and 14: Type Subtype Reference (where avail
Page 23 and 24: CHAPTER 3 Services and Ports Well-k
Page 25 and 26: Well-Known Services List Port(s) Pr
Page 27 and 28: Well-Known Services List Service Na
Page 29 and 30: Well-Known Services List Service Na
Page 31 and 32: CHAPTER 4 Log Messages Understandin
Page 33 and 34: Traffic Logs FWAllow Each packet fi
Page 35 and 36: Traffic Logs dst_ip="66.35.250.151"
Page 37 and 38: Traffic Logs DNS Proxy Traffic Log
Page 39: Traffic Logs HTTP Proxy Traffic Log
Page 43 and 44: Alarm Logs Denial of Servce (DoS) A
Page 45 and 46: Event Logs Gateway AntiVirus Servic
Page 47 and 48: Event Logs Description of Log Modul
Page 49 and 50: Event Logs Event Log Message Catalo
Page 59 and 60: Firebox Log File XML DTD and Schema
Page 61 and 62: Firebox® X Edge Log Messages Modul
Page 73 and 74: CHAPTER 5 Using the Firebox LCD Use
Page 75 and 76: Firebox Boot Countdown Firebox Boot
Page 77 and 78: Using the LCD Interface in Firebox
Page 79 and 80: CHAPTER 6 WebBlocker Content WatchG
Page 81 and 82: WebBlocker Categories Category Drug
Page 83 and 84: WebBlocker Categories Category Job
Page 85 and 86: CHAPTER 7 Resources There are many
Page 87 and 88: Mailing Lists Mailing Lists wg-user
Page 89 and 90: White Hat Web Sites beginners. Cons
Page 91 and 92:
Other Web Sites maintains a list of
Page 93 and 94:
RSS Feeds www.sophos.com/virusinfo/
Page 95 and 96:
Index B blocked sites, searching fo
show all

WSM Reference Guide - WatchGuard Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?