WSM Reference Guide - WatchGuard Technologies

More documents

Recommendations

Info

Traffic LogsAlarm logsAlarm logs are sent when an alarm condition is met. The Firebox sends the alarm to the Traffic Monitorand Log Server and triggers the specified action.Some alarms are set in your Firebox configuration. For example, you can use Policy Manager to configurean alarm to occur when a certain threshold is met. Other alarms are set by default. The Firebox sendsan alarm log when a network connection on one of the Firebox interfaces fails. This cannot be changedin your configuration. The Firebox never sends more than 10 alarms in 15 minutes for the same set ofconditions.There are eight categories of alarm logs: System, IPS, AV, Policy, Proxy, Probe, Denial of service, and Traffic.Event logsEvent logs are created because of Firebox user activity. Events that cause event logs include:• Firebox start up/shut down• Firebox and VPN authentication• Process start up/shut down• Problems with the Firebox hardware components• Any task done by the Firebox administratorDiagnostic logsDiagnostic logs are more detailed log messages sent by the Firebox that you can use to help troubleshootproblems. You can select the level of diagnostic logging to see in your traffic monitor, or write toyour log file. You can configure the diagnostic log level from Policy Manager > Setup > Logging >Advanced Diagnostics. The available levels are off, low, medium, high, and advanced. We do not recommendthat you set the logging level to advanced unless you are working with a technical supportteam to diagnose a problem, as it can cause the log file to fill up very quickly.Traffic LogsMost of the logs shown in Traffic Monitor are traffic logs. Traffic logs show the traffic that moves throughyour Firebox and how the packet filter and proxy policies were applied. Traffic Monitor shows all of thelog messages from the Firebox that are recorded in your log file.Packet Filter LogsPacket filter logs contain a set number of fields. Here is an example of the XML output of a packet filterlog message. The information will look different when you see the same log message in Traffic Monitoror LogViewer. Below the example, there is an explanation for each field that appears.FWAllow d="2005-01-25T23:12:12" orig="HQFirebox" disp="Allow" pri="1" policy="SSH-outgoing-05"src_ip="192.168.130.59" dst_ip="10.10.171.98"pr="ssh" src_port="56952" dst_port="22" src_intf="1-Trusted" dst_intf="0-External" rc="100" msg="firewall pass, mss not exceeding 1460, idle timeout=43205sec" pckt_len="60" ttl="63" log_type="tr"/28 WatchGuard System Manager
Traffic LogsFWAllowEach packet filter log message starts with FWDeny or FWAllow. This header shows whether thepacket was allowed or denied by the Firebox.d="2005-01-25T23:12:12"The date and time the event occured, adjusted according to the time zone setting in PolicyManager > Setup > System.orig="HQFirebox"The name or IP address (if no name is available) of the Firebox writing the log message.disp="Allow"The packet disposition. Can be deny or allow.pri="1"The priority of the log. The priority is used only for Net IQ reporting and is set to 1 (criticalmode), 4 (warning mode), or 6 (normal allowed traffic).policy=”ssh-outgoing-05”The name of the policy in Policy Manager that handled this packet.src_ip=”192.168.30.159”The source IP address of this packet.dst_ip=”10.10.171.98”The destination IP address for this packet.pr="ssh"The protocol used in this packet.src_port="56952"The source port for this packet.dst_port="22"The destination port for this packet.src_intf="1-Trusted"The number of the source interface for this packet, and the name you have given the sourceinterface for this packet (as defined in Policy Manager > Network > Configuration). A sourceinterface of trusted indicates that this packet originated behind the trusted interface of theFirebox. A source interface of external shows that the packet has come from outside theFirebox.dst_intf="0-External"The number of the destination interface for this packet, and the name you have given for thedestination interface for this packet (as defined in Policy Manager > Network >Configuration).rc="100"Return code for the packet. This information is used in Historical Reporting.msg=”firewall pass, mss not exceeding 1460, idle timeout=43205 sec”The message field.pckt_len="60"The length of the packet, in bytes.Reference Guide 29
Page 1 and 2: WatchGuard ® System ManagerReferen
Page 3 and 4: ContentsCHAPTER 1 Internet Protocol
Page 5 and 6: CHAPTER 1Internet Protocol Referenc
Page 7 and 8: Internet Protocol HeaderKeyword Num
Page 9 and 10: Transfer ProtocolsSource RoutingThe
Page 11 and 12: CHAPTER 2MIME Content TypesSoftware
Page 13 and 14: Type Subtype Reference (where avail
Page 23 and 24: CHAPTER 3Services and PortsWell-kno
Page 25 and 26: Well-Known Services ListPort(s) Pro
Page 27 and 28: Well-Known Services ListService Nam
Page 29 and 30: Well-Known Services ListService Nam
Page 31: CHAPTER 4Log MessagesUnderstanding
Page 35 and 36: Traffic Logsdst_ip="66.35.250.151"
Page 37 and 38: Traffic LogsDNS Proxy Traffic Log M
Page 39 and 40: Traffic LogsHTTP Proxy Traffic Log
Page 41 and 42: Alarm LogsPolicy AlarmsDefaultNameP
Page 43 and 44: Alarm LogsDenial of Servce (DoS) Al
Page 45 and 46: Event LogsGateway AntiVirus Service
Page 47 and 48: Event LogsDescription of Log Module
Page 49 and 50: Event LogsEvent Log Message Catalog
Page 59 and 60: Firebox Log File XML DTD and Schema
Page 61 and 62: Firebox® X Edge Log MessagesModule
Page 73 and 74: CHAPTER 5WebBlocker ContentWatchGua
Page 75 and 76: WebBlocker CategoriesCategoryDrugs,
Page 77 and 78: WebBlocker CategoriesCategoryJob Se
Page 79 and 80: CHAPTER 6ResourcesThere are many re
Page 81 and 82: Mailing ListsMailing Listswg-users@
Page 83 and 84:
White Hat Web Sitesbeginners. Cons:
Page 85 and 86:
Other Web Sitesmaintains a list of
Page 87 and 88:
RSS Feedswww.sophos.com/virusinfo/i
Page 89 and 90:
IndexBblocked sites, searching for
show all

WSM Reference Guide - WatchGuard Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?