WatchGuard x1000 User Guide

Chapter 12: Setting Up Logging and Notification
WatchGuard Firebox System
there many more services that require a notification policy, the high number of routes through the Firebox increases the likelihood that the log host will issue frequent notifications. If you set up a very accommodating firewall, be prepared to spend a large amount of time interacting with your security system or fixing security breaches.
To formulate a notification policy, look at the number and nature of the services enabled for the Firebox, and how open or limited each service is. In general, for the high-traffic proxies such as SMTP and FTP, you might activate a repeat notification if the service rejects five to ten packets within 30 seconds. If you have set up a specialized service limited to traffic between two or three hosts using a high port number, you might want to activate notification on this service whenever it denies or passes a packet.
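The two notification styles described above, as an added Python example that is not WatchGuard's own code or configuration format: constructed deny/allow events are evaluated against per-service policies, so a busy proxy fires a repeat notification only when it rejects five packets within 30 seconds, while a narrowly scoped high-port service fires on every packet it denies or passes. The service names, the event tuple layout and the `NotifyPolicy` fields are assumptions made for the illustration.

```python
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

@dataclass
class NotifyPolicy:
    threshold: int                # denied packets needed before a notification fires
    window_seconds: int           # those denials must all fall within this many seconds
    notify_on_pass: bool = False  # also notify when the service passes a packet

# Policies in the spirit of the guide: high-traffic proxies notify on a burst of
# denials; a specialized high-port service notifies on every deny or pass.
POLICIES: Dict[str, NotifyPolicy] = {
    "smtp": NotifyPolicy(threshold=5, window_seconds=30),
    "ftp": NotifyPolicy(threshold=5, window_seconds=30),
    "custom-9000": NotifyPolicy(threshold=1, window_seconds=0, notify_on_pass=True),
}

# Constructed sample events (seconds since start, service, action); not real Firebox output.
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (0, "smtp", "deny"), (4, "smtp", "deny"), (9, "smtp", "deny"),
    (12, "smtp", "deny"), (15, "smtp", "deny"),   # fifth denial within 30 s: notify
    (20, "ftp", "deny"), (60, "ftp", "deny"), (100, "ftp", "deny"),  # too spread out
    (30, "custom-9000", "allow"),                 # every packet on this service notifies
    (31, "custom-9000", "deny"),
    (40, "smtp", "allow"),                        # passes on SMTP are not notified
]

def evaluate(events, policies):
    """Return (timestamp, service, action) tuples at which a notification fires."""
    recent: Dict[str, Deque[int]] = {}   # per-service timestamps of recent denials
    fired = []
    for ts, service, action in sorted(events):
        policy = policies.get(service)
        if policy is None:
            continue
        if action == "allow":
            if policy.notify_on_pass:
                fired.append((ts, service, action))
            continue
        if action != "deny":
            continue
        window = recent.setdefault(service, deque())
        window.append(ts)
        while ts - window[0] > policy.window_seconds:  # drop denials outside the window
            window.popleft()
        if len(window) >= policy.threshold:
            fired.append((ts, service, action))
            window.clear()   # a new burst is required before the next notification
    return fired
```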
Failover Logging
WatchGuard uses failover logging to minimize the possibility of missing log events. With failover logging, you configure a list of log hosts to accept logs in the event of a failure of the primary log host. By default, the Firebox sends log messages to the primary log host. If for any reason the Firebox cannot establish communication with the primary log host, it automatically sends log messages to the second log host. It continues through the list until it finds a log host capable of recording events.
Multiple log hosts operate in failover mode, not redundancy mode: that is, events are not logged to multiple log hosts simultaneously; they are logged only to the primary log host unless that host becomes unavailable. The logs are then passed on to the next available log host according to the order of priority.
Except where Syslog is used, the WatchGuard Security Event Processor software must be installed on each log