WSM Reference Guide - WatchGuard Technologies

More documents

Recommendations

Info

Alarm LogsHTTP Proxy Traffic Log MessagesText in Message FieldAssociated FieldsHTTP REQopdstnameargHTTP HEADER IPS MATCHips_msgsignature_idHTTP BODY IPS MATCHips_msgsignature_idHTTP BYTECOUNT UPDATEMessage MeaningValue that appears in associated field(s)Auditing information about an HTTP request.HTTP request methodhostname from requested URLpath and query-string from requested URLThe HTTP header matches an IPS signagure.description of the signature that matchedthe signature ID of the rule that matchedThe HTTP body matches an IPS signature.description of the signature that matchedthe signature ID of the rule that matchedAuditing information for an HTTP request that has a very largeresponse.TCP Proxy Traffic Log MessagesText in Message FieldAssociated FieldsMessage MeaningValue that appears in associated field(s)TCP REQoutgoing_msg the mode the handler is in.TCP IPS MATCHips_msgsignature_idTCP proxy found an IPS signature match.description of the signature that matchedthe signature ID of the rule that matchedAlarm LogsAlarm logs are sent when an alarm condition is met. The Firebox sends the alarm log to the Traffic Monitorand Log Server and triggers the specified action.Some alarms are set in your Firebox configuration. For example, you can use Policy Manager to configurean alarm to occur when a certain threshold is met. Other alarms are set by default. The Firebox sendsan alarm log when a network connection on one of the Firebox interfaces fails. This cannot be changedin your configuration. The Firebox never sends more than 10 alarms in 15 minutes for the same set ofconditions.There are eight categories of alarm logs: System, IPS, AV, Policy, Proxy, Probe, Denial of service, and Traffic.There is a table below for each category of alarms, showing the format of the alarm log messages ineach category.36 WatchGuard System Manager
Alarm LogsPolicy AlarmsDefaultNamePolicyMessage Format Example Message Caused Byalarm_name=”WGRD_PM_BP_Alarm, alarm id, timestamp, message,policy name, source IP, destinationIP, protocol, source port,destination port, source interface,destination interface,log_type=”al”alarm_name="WGRD_PM_BP_Alarm" alarm_id="4001" time="WedMar 2 07:41:21 2005 (PST)"msg="Block"policy="WGRD_PM_BP_Policy"src_ip="24.56.20.79"dst_ip="192.168.30.164" pr="tcp/sun-rpc" src_port="1727"dst_port="111" src_intf="0-External" dst_intf="2-Optional-1"log_type="al"/These alarms are causedby events associated witheach policy.Proxy AlarmsDefaultNameProxyMessage Format Example Message Caused Byalarm_name=”Proxy”, alarm_id,time, message, source IP,destination IP, protocol, sourceport, destination port, sourceinterface destination interface,log_type=”al”alarm_name="Proxy"alarm_id="6001" time="Tue Aug 300:49:35 2004 (PST)"msg="ProxyAllow/HTTP Requestmethod match"src_ip="192.168.1.102"dst_ip="16.0.0.107" pr="tcp/smtp"src_port="1384" dst_port="25"src_intf="PPTP" dst_intf="1-Trusted" log_type="al"/These alarms are causedby events associated witheach proxy action.System AlarmsDefaultNameSystemMessage Format Example Message Caused Byalarm _name detected,message_string.System detected. [1401-0512@H]user abc failed to log in from192.168.228.226.System detected. [1401-0202@H]Number of IPSec tunnels 2500reaches max IPSec tunnels allowed.These alarms aretriggered by systemevents.Reference Guide 37
Page 1 and 2: WatchGuard ® System ManagerReferen
Page 3 and 4: ContentsCHAPTER 1 Internet Protocol
Page 5 and 6: CHAPTER 1Internet Protocol Referenc
Page 7 and 8: Internet Protocol HeaderKeyword Num
Page 9 and 10: Transfer ProtocolsSource RoutingThe
Page 11 and 12: CHAPTER 2MIME Content TypesSoftware
Page 13 and 14: Type Subtype Reference (where avail
Page 23 and 24: CHAPTER 3Services and PortsWell-kno
Page 25 and 26: Well-Known Services ListPort(s) Pro
Page 27 and 28: Well-Known Services ListService Nam
Page 29 and 30: Well-Known Services ListService Nam
Page 31 and 32: CHAPTER 4Log MessagesUnderstanding
Page 33 and 34: Traffic LogsFWAllowEach packet filt
Page 35 and 36: Traffic Logsdst_ip="66.35.250.151"
Page 37 and 38: Traffic LogsDNS Proxy Traffic Log M
Page 39: Traffic LogsHTTP Proxy Traffic Log
Page 43 and 44: Alarm LogsDenial of Servce (DoS) Al
Page 45 and 46: Event LogsGateway AntiVirus Service
Page 47 and 48: Event LogsDescription of Log Module
Page 49 and 50: Event LogsEvent Log Message Catalog
Page 59 and 60: Firebox Log File XML DTD and Schema
Page 61 and 62: Firebox® X Edge Log MessagesModule
Page 73 and 74: CHAPTER 5WebBlocker ContentWatchGua
Page 75 and 76: WebBlocker CategoriesCategoryDrugs,
Page 77 and 78: WebBlocker CategoriesCategoryJob Se
Page 79 and 80: CHAPTER 6ResourcesThere are many re
Page 81 and 82: Mailing ListsMailing Listswg-users@
Page 83 and 84: White Hat Web Sitesbeginners. Cons:
Page 85 and 86: Other Web Sitesmaintains a list of
Page 87 and 88: RSS Feedswww.sophos.com/virusinfo/i
Page 89 and 90: IndexBblocked sites, searching for

WSM Reference Guide - WatchGuard Technologies

Create successful ePaper yourself

Delete template?

Save as template?