WatchGuard Firebox System 7.0 User Guide

11.07.2015 Views
Chapter 12: Setting Up Logging and NotificationLogging and notification are crucial to an effective networksecurity policy. Together, they make it possible to monitoryour network security, identify both attacks and attackers,and take action to address security threats and challenges.WatchGuard logging and notification features are bothflexible and powerful. You can configure your firewall tolog and notify a wide variety of events, including specificevents that occur at the level of individual services. Formore information on logging, see the following collectionof FAQs:https://support.watchguard.com/advancedfaqs/log_main.aspDeveloping Logging and Notification PoliciesWhen creating a logging policy, you spell out what getslogged and when an event or series of events warrantssending out a notification to the on-duty administrator.Developing these policies simplifies the setup of individualservices in the WatchGuard Firebox System. If you havefully mapped out a policy, you can more easily delegateconfiguration duties and ensure that individual efforts donot contradict the overall security stance or logging andnotification policies.Logging policySpecifically, the logging policy delineates:• Which events to log• Which service events to log• Which servers are allocated as log hosts• How large a log file is allowed to become and howoften a new log file is createdIn general, you want to log only the events that might indicatea potential security threat, and ignore events thatwould waste bandwidth and server storage space. Thisgenerally translates into logging spoofs, IP options, probes,200 WatchGuard Firebox System

Developing Logging and Notification Policiesand denied packets, and not logging allowed packets.Allowed packets should not be indicative of a securitythreat. Furthermore, allowed traffic usually far exceeds thevolume of denied traffic and would slow response times aswell as causing the log file to grow and turn over tooquickly.WatchGuard provides the option to log allowed events primarilyfor diagnostic purposes when setting up or troubleshootingan installation. Or, you might have a situationsuch as a very specialized service that uses an obscure,very high port number, and the service is intended for useonly by a small number of people in an organization. Inthat case you might want to log all traffic for that service soyou can monitor or review that service activity.Not all denied events need to be logged. For example, ifincoming FTP denies all incoming traffic from any sourceoutside to any destination inside, there is little point in loggingincoming denied packets. All traffic for that service inthat direction is blocked.Notification policyThe most important events that should trigger notificationare IP options, port space probes, address space probes,and spoofing attacks. These are configurable in the DefaultPacket Handling dialog box, described in “Default PacketHandling” on page 178.Other notifications depend on your Firebox configurationand how much time is available for interacting with it. Forexample, if you set up a simple configuration that enablesonly a few services and denies most or all incoming traffic,only a few circumstances warrant notification. On the otherhand, if you have a large configuration with many services;with many allowed hosts or networks for incoming traffic;popular protocols to specific, obscure ports; and several filteredservices added of your own design; you will need toset up a large, complex notification scheme. This type ofconfiguration is more vulnerable to attack. Not only areUser Guide 201

Page 1: WatchGuard ®Firebox ® SystemUser

Page 7 and 8: somewhere reasonably visible in you

Page 9 and 10: (B) Use any backup or archival copy

Page 11 and 12: 8.Miscellaneous Provisions. This AG

Page 13 and 14: ContentsCHAPTER 1 Introduction ....

Page 15 and 16: Testing the connection ............

Page 17 and 18: Controlling the HostWatch display .

Page 19 and 20: Detecting Man-in-the-Middle Attacks

Page 21 and 22: Deleting a report .................

Page 23 and 24: CHAPTER 1IntroductionWelcome to Wat

Page 25 and 26: Minimum RequirementsHistorical Repo

Page 27 and 28: .WatchGuard OptionsHardwarefeatureC

Page 29 and 30: About this Guideallowed to enter yo

Page 31 and 32: CHAPTER 2Service and SupportNo Inte

Page 33 and 34: LiveSecurity® Broadcastsdivided in

Page 35 and 36: LiveSecurity® Self Help Tools3 Com

Page 37 and 38: WatchGuard Users GroupGuard Technic

Page 39 and 40: Online Helpto display a list of top

Page 41 and 42: Assisted Supportto assist you in ma

Page 43 and 44: Training and Certificationto speed

Page 45 and 46: CHAPTER 3Getting StartedThe WatchGu

Page 47 and 48: Gathering Network InformationNetwor

Page 49 and 50: .Gathering Network InformationThe f

Page 51 and 52: Selecting a Firewall Configuration




Page 59 and 60: Setting Up the Management Station4

Page 61 and 62: Cabling the FireboxUser Guide 39

Page 63 and 64: Running the QuickSetup WizardProvid

Page 65 and 66: Entering IP addressesRunning the Qu

Page 67 and 68: What’s Nextservices, in addition

Page 69 and 70: CHAPTER 4Firebox BasicsThis chapter

Page 71 and 72: Opening a Configuration FileTrusted

Page 73 and 74: Saving a Configuration File3 From t

Page 75 and 76: Resetting Firebox Passphrasesenter

Page 77 and 78: Setting the Time Zone2 Select the m

Page 79 and 80: CHAPTER 5Using PolicyManager toConf

Page 81 and 82: Setting IP Addresses of Firebox Int

Page 83 and 84: Setting DHCP or PPPoE Support on th

Page 85 and 86: Defining External IP Aliases2 Confi

Page 87 and 88: Entering WINS and DNS Server Addres

Page 89 and 90: Defining a Firebox as a DHCP Server

Page 91 and 92: Adding Basic Services to Policy Man

Page 93 and 94: Configuring Routes3 Click the Net o

Page 95 and 96: CHAPTER 6Managing andMonitoring the

Page 97 and 98: Viewing Basic Firebox StatusThe top

Page 99 and 100: Viewing Basic Firebox Statusbut the

Page 101 and 102: Viewing Basic Firebox Status• The

Page 103 and 104: Monitoring Firebox TrafficSetting t

Page 105 and 106: Performing Basic Tasks with System

Page 107 and 108: Performing Basic Tasks with System

Page 109 and 110: Viewing Bandwidth Usage(shown above

Page 111 and 112: Viewing Details on Firebox Activity




Page 119 and 120: HostWatchHostWatchHostWatch is a re

Page 121 and 122: HostWatch3 Enter the Firebox status

Page 123 and 124: CHAPTER 7Configuring NetworkAddress

Page 125 and 126: Using Simple Dynamic NATService-bas

Page 127 and 128: Using Simple Dynamic NAT3 Use the T

Page 129 and 130: Using Service-Based Dynamic NATEnab

Page 131 and 132: Configuring a Service for Incoming

Page 133 and 134: Using 1-to-1 NATA one-to-one mappin

Page 135 and 136: CHAPTER 8Configuring FilteredServic

Page 137 and 138: Selecting Services for your Securit

Page 139 and 140: Adding and Configuring Servicesrigh

Page 141 and 142: Adding and Configuring Services5 (O

Page 143 and 144: Adding and Configuring Services3 In

Page 145 and 146: Adding and Configuring Services11 C

Page 147 and 148: Defining Service PropertiesEnabled

Page 149 and 150: Defining Service Properties6 Click

Page 151 and 152: Defining Service Propertiesthe serv

Page 153 and 154: Service Precedencegroup always have

Page 155 and 156: Service Precedencether down the pre

Page 157 and 158: CHAPTER 9Configuring ProxiedService

Page 159 and 160: Customizing Logging and Notificatio

Page 161 and 162: Configuring an SMTP Proxy Service3

Page 163 and 164: Configuring an SMTP Proxy Service2

Page 165 and 166: Configuring an SMTP Proxy ServiceAd

Page 167 and 168: Configuring an SMTP Proxy ServiceEn

Page 169 and 170: Configuring an SMTP Proxy ServiceCo

Page 171 and 172: Configuring an FTP Proxy Service6 S

Page 173 and 174: Selecting an HTTP Service4 Select t

Page 175 and 176: Selecting an HTTP Servicefrom Any t

Page 177 and 178: Configuring the DNS Proxy ServiceGE

Page 179 and 180: Configuring the DNS Proxy Service3

Page 181 and 182: Configuring the DNS Proxy ServiceYo

Page 183 and 184: CHAPTER 10Creating Aliases andImple

Page 185 and 186: Using AliasesGroupfireboxtrustedopt

Page 187 and 188: How User Authentication WorksHow Us

Page 189 and 190: Defining Firebox Users and Groups f

Page 191 and 192: Defining Firebox Users and Groups f

Page 193 and 194: Configuring RADIUS Server Authentic

Page 195 and 196: Configuring CRYPTOCard Server Authe

Page 197 and 198: Configuring SecurID AuthenticationC

Page 199 and 200: CHAPTER 11Intrusion Detectionand Pr

Page 201 and 202: Default Packet Handlingtion. In con

Page 203 and 204: Default Packet Handlingnetwork. Alt

Page 205 and 206: Detecting Man-in-the-Middle Attacks

Page 207 and 208: Blocking Sites• Permanently block

Page 209 and 210: Blocking SitesUsing an external lis

Page 211 and 212: Blocking PortsBy default, the Fireb

Page 213 and 214: Blocking PortsAvoiding problems wit

Page 215 and 216: Integrating Intrusion Detectionand

Page 217 and 218: Integrating Intrusion DetectionUsin

Page 219 and 220: Integrating Intrusion Detectionposs

Page 221: CHAPTER 12Setting Up Loggingand Not

Page 225 and 226: WatchGuard Logging Architecturehost

Page 227 and 228: Designating Log Hosts for a Firebox

Page 229 and 230: Setting up the WatchGuard Security

Page 231 and 232: Setting up the WatchGuard Security

Page 233 and 234: Setting Global Logging and Notifica

Page 235 and 236: Setting Global Logging and Notifica




Page 243 and 244: CHAPTER 13Reviewing andWorking with

Page 245 and 246: Viewing Files with LogViewer2 Brows

Page 247 and 248: Displaying and Hiding FieldsCopying

Page 249 and 250: Displaying and Hiding Fieldsthen co

Page 251 and 252: Working with Log Filescurrent log f

Page 253 and 254: Working with Log Files5 Stop and re

Page 255 and 256: Working with Log Filesappear until

Page 257 and 258: CHAPTER 14Generating Reportsof Netw

Page 259 and 260: Creating and Editing Reports2 Enter

Page 261 and 262: Specifying Report Sections3 From th

Page 263 and 264: Exporting ReportsSetting a Firebox

Page 265 and 266: Using Report Filtersdrive:\WatchGua

Page 267 and 268: Scheduling and Running ReportsDelet

Page 269 and 270: Report Sections and Consolidated Se



Page 275 and 276: CHAPTER 15 Controlling Web SiteAcce

Page 277 and 278: Getting Started with WebBlockerYou

Page 279 and 280: Configuring the WebBlocker Service3

Page 281 and 282: Configuring the WebBlocker ServiceF

Page 283 and 284: Configuring the WebBlocker ServiceF

Page 285 and 286: Automating WebBlocker Database Down

Page 287 and 288: CHAPTER 16Connecting with Outof-Ban

Page 289 and 290: Enabling the Management StationInst

Page 291 and 292: Configuring the Firebox for OOBConf

Page 293 and 294: APPENDIX ATroubleshootingFirebox Co

Page 295 and 296: Method 1: Ethernet Dongle Method7 O

Page 297 and 298: Method 2: The Flash Disk Management

Page 299 and 300: Method 4: Serial Dongle (Firebox II

Page 301 and 302: IndexSymbols.cfg files 49.ftr files

Page 303 and 304: default lease time for 67described

Page 305 and 306: viewing active connections on 97vie

Page 307 and 308: log rollover 212loggingarchitecture

Page 309 and 310: Pestablishing connection 269install

Page 311 and 312: and FTP 115, 149and HTTP 115and POP

Page 313 and 314: and wg_dvcp service 127described 5V

firebox

watchguard

dialog

configuration

server

proxy

logging

properties

notification

addresses

WatchGuard Firebox System 7.0 User Guide

WatchGuard Firebox System 7.0 User Guide ... View more WatchGuard Firebox System 7.0 User Guide

Delete template?

Save as template ?

WatchGuard Firebox System 7.0 User Guide WatchGuard Firebox System 7.0 User Guide