WatchGuard Firebox System 7.0 User Guide
Chapter 12: Setting Up Logging and Notification

Logging and notification are crucial to an effective network security policy. Together, they make it possible to monitor your network security, identify both attacks and attackers, and take action to address security threats and challenges. WatchGuard logging and notification features are both flexible and powerful. You can configure your firewall to log and notify a wide variety of events, including specific events that occur at the level of individual services. For more information on logging, see the following collection of FAQs:

https://support.watchguard.com/advancedfaqs/log_main.asp

Developing Logging and Notification Policies

When creating a logging policy, you spell out what gets logged and when an event or series of events warrants sending out a notification to the on-duty administrator. Developing these policies simplifies the setup of individual services in the WatchGuard Firebox System. If you have fully mapped out a policy, you can more easily delegate configuration duties and ensure that individual efforts do not contradict the overall security stance or logging and notification policies.

Logging policy

Specifically, the logging policy delineates:

• Which events to log
• Which service events to log
• Which servers are allocated as log hosts
• How large a log file is allowed to become and how often a new log file is created

In general, you want to log only the events that might indicate a potential security threat, and ignore events that would waste bandwidth and server storage space. This generally translates into logging spoofs, IP options, probes, and denied packets, and not logging allowed packets. Allowed packets should not be indicative of a security threat. Furthermore, allowed traffic usually far exceeds the volume of denied traffic; logging it would slow response times and cause the log file to grow and turn over too quickly.

WatchGuard provides the option to log allowed events primarily for diagnostic purposes when setting up or troubleshooting an installation. Or, you might have a situation such as a very specialized service that uses an obscure, very high port number, and the service is intended for use only by a small number of people in an organization. In that case you might want to log all traffic for that service so you can monitor or review that service activity.

Not all denied events need to be logged. For example, if incoming FTP denies all incoming traffic from any source outside to any destination inside, there is little point in logging incoming denied packets. All traffic for that service in that direction is blocked.

Notification policy

The most important events that should trigger notification are IP options, port space probes, address space probes, and spoofing attacks. These are configurable in the Default Packet Handling dialog box, described in “Default Packet Handling” on page 178.

Other notifications depend on your Firebox configuration and how much time is available for interacting with it. For example, if you set up a simple configuration that enables only a few services and denies most or all incoming traffic, only a few circumstances warrant notification. On the other hand, if you have a large configuration with many services; with many allowed hosts or networks for incoming traffic; popular protocols to specific, obscure ports; and several filtered services added of your own design; you will need to set up a large, complex notification scheme. This type of configuration is more vulnerable to attack. Not only are
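The logging and notification policy described above can be written down as a decision rule and checked against sample traffic before it is applied to individual services. The following Python is an added illustration for this guide, not WatchGuard code: the Event and Policy structures, the service names, and the sample events are all constructed assumptions, chosen so that each rule in the chapter (always notify on IP options, probes and spoofs; do not log allowed packets except on a monitored service; do not log denied packets for a service that already blocks everything in that direction) is exercised once.

```python
"""Decision logic for a firewall logging and notification policy.

Illustrative code added to the guide; not WatchGuard software. The event
fields, service names and sample events below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Default Packet Handling categories the chapter says should always notify.
NOTIFY_ALWAYS = {"ip_options", "port_probe", "address_probe", "spoof"}


@dataclass
class Event:
    kind: str        # one of NOTIFY_ALWAYS, or "packet" for ordinary traffic
    action: str      # "allow" or "deny"
    service: str     # constructed service name, e.g. "ftp", "custom-49152"
    direction: str   # "in" (from outside) or "out" (to outside)
    src: str
    dst: str


@dataclass
class Policy:
    # Services whose allowed traffic is logged anyway, e.g. an obscure
    # high-port service used by a small group that you want to review.
    log_allowed_for: Set[str] = field(default_factory=set)
    # (service, direction) pairs where the service denies all traffic in that
    # direction, so logging each denied packet adds nothing.
    fully_blocked: Set[Tuple[str, str]] = field(default_factory=set)


@dataclass
class Decision:
    log: bool
    notify: bool
    reason: str


def evaluate(ev: Event, policy: Policy) -> Decision:
    """Apply the chapter's rules to one event, in priority order."""
    # 1. Attack indicators are always logged and always notified.
    if ev.kind in NOTIFY_ALWAYS:
        return Decision(True, True, f"{ev.kind} is a notification event")
    # 2. Allowed packets are not threat indicators; log only on a watch list.
    if ev.action == "allow":
        if ev.service in policy.log_allowed_for:
            return Decision(True, False, "allowed traffic on a monitored service")
        return Decision(False, False, "allowed traffic is not a threat indicator")
    # 3. Denied packets are logged unless the whole service/direction is blocked.
    if (ev.service, ev.direction) in policy.fully_blocked:
        return Decision(False, False, "service blocks all traffic in this direction")
    return Decision(True, False, "denied packet")


def summarize(events: List[Event], policy: Policy) -> Dict[str, int]:
    """Count how many events the policy logs, notifies on, or discards."""
    counts = {"logged": 0, "notified": 0, "discarded": 0}
    for ev in events:
        d = evaluate(ev, policy)
        if d.log:
            counts["logged"] += 1
        else:
            counts["discarded"] += 1
        if d.notify:
            counts["notified"] += 1
    return counts


# Constructed policy: watch one obscure high-port service; incoming FTP is
# denied in its entirety, so its denied packets are not worth logging.
SAMPLE_POLICY = Policy(
    log_allowed_for={"custom-49152"},
    fully_blocked={("ftp", "in")},
)

# Constructed sample traffic (addresses are documentation/private ranges).
SAMPLE_EVENTS = [
    Event("packet", "allow", "http", "out", "10.0.1.20", "203.0.113.10"),
    Event("packet", "allow", "http", "out", "10.0.1.21", "203.0.113.11"),
    Event("packet", "allow", "custom-49152", "in", "203.0.113.5", "10.0.1.50"),
    Event("packet", "deny", "ftp", "in", "198.51.100.7", "10.0.1.9"),
    Event("packet", "deny", "telnet", "in", "198.51.100.8", "10.0.1.9"),
    Event("port_probe", "deny", "any", "in", "198.51.100.9", "10.0.1.9"),
    Event("spoof", "deny", "any", "in", "10.0.1.9", "10.0.1.1"),
    Event("ip_options", "deny", "any", "in", "198.51.100.10", "10.0.1.2"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = evaluate(ev, SAMPLE_POLICY)
        print(f"{ev.kind:12} {ev.action:5} {ev.service:13} log={d.log!s:5} "
              f"notify={d.notify!s:5} ({d.reason})")
    print(summarize(SAMPLE_EVENTS, SAMPLE_POLICY))
```

Running the script shows the effect the chapter describes: of the eight sample events, the two routine allowed HTTP packets and the denied packet on the already-blocked incoming FTP service are discarded, the monitored high-port service and the denied Telnet attempt are logged without notification, and only the three Default Packet Handling events reach the on-duty administrator.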