WatchGuard x1000 User Guide

Developing Logging and Notification Policies
User Guide
201
and denied packets, and not logging allowed packets. Allowed packets should not be indicative of a security threat. Furthermore, allowed traffic usually far exceeds the volume of denied traffic and would slow response times as well as cause the log file to grow and turn over too quickly.
WatchGuard provides the option to log allowed events primarily for diagnostic purposes when setting up or troubleshooting an installation. Or, you might have a situation such as a very specialized service that uses an obscure, very high port number, and the service is intended for use only by a small number of people in an organization. In that case you might want to log all traffic for that service so you can monitor or review that service activity.
Not all denied events need to be logged. For example, if incoming FTP denies all incoming traffic from any source outside to any destination inside, there is little point in logging incoming denied packets. All traffic for that service in that direction is blocked.
Notification policy
The most important events that should trigger notification are IP options, port space probes, address space probes, and spoofing attacks. These are configurable in the Default Packet Handling dialog box, described in “Default Packet Handling” on page 178.
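The logging and notification rules described above (log denied packets except for services that are blocked outright in that direction, log allowed packets only for a specialized service you want to review, and notify on the four Default Packet Handling categories) can be written down as a small policy filter. The following is an added example, not code from the guide or from WatchGuard; the Event fields, the NOTIFY_CATEGORIES names, and the sample event stream are constructed assumptions, not a real Firebox log format.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed event shape (assumption): outcome, service, direction and the
# Default Packet Handling category, if the Firebox flagged one.
@dataclass(frozen=True)
class Event:
    action: str        # "allow" or "deny"
    service: str       # e.g. "ftp", "http", "legacy-app"
    direction: str     # "in" (outside to inside) or "out"
    category: str = "" # "ip_options", "port_probe", "address_probe", "spoofing" or ""

# The four event classes the guide says should always trigger notification.
NOTIFY_CATEGORIES = {"ip_options", "port_probe", "address_probe", "spoofing"}

def should_notify(ev):
    return ev.category in NOTIFY_CATEGORIES

def should_log(ev, blocked_services, watched_services):
    """blocked_services: (service, direction) pairs whose rule denies everything,
    so each denied packet adds no information.
    watched_services: specialized services whose allowed traffic is under review."""
    if should_notify(ev):
        return True
    if ev.action == "deny":
        return (ev.service, ev.direction) not in blocked_services
    return ev.service in watched_services

def apply_policy(events, blocked_services, watched_services):
    """Count how many events the policy would log and notify on."""
    stats = Counter(seen=len(events))
    for ev in events:
        if should_log(ev, blocked_services, watched_services):
            stats["logged"] += 1
        if should_notify(ev):
            stats["notified"] += 1
    return stats

# Constructed sample stream: bulk allowed traffic dominates, as the guide notes.
SAMPLE = (
    [Event("allow", "http", "out")] * 500      # routine allowed traffic: not logged
    + [Event("deny", "ftp", "in")] * 50        # incoming FTP blocked entirely: not logged
    + [Event("deny", "ssh", "in")] * 5         # rule permits some hosts, so denies matter
    + [Event("allow", "legacy-app", "in")] * 3 # obscure high-port service under review
    + [Event("deny", "any", "in", "port_probe"), Event("deny", "any", "in", "spoofing")]
)
BLOCKED = {("ftp", "in")}
WATCHED = {"legacy-app"}

if __name__ == "__main__":
    print(apply_policy(SAMPLE, BLOCKED, WATCHED))  # → Counter({'seen': 560, 'logged': 10, 'notified': 2})
```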
Other notifications depend on your Firebox configuration and how much time is available for interacting with it. For example, if you set up a simple configuration that enables only a few services and denies most or all incoming traffic, only a few circumstances warrant notification. On the other hand, if you have a large configuration with many services; with many allowed hosts or networks for incoming traffic; popular protocols to specific, obscure ports; and several filtered services added of your own design, you will need to set up a large, complex notification scheme. This type of configuration is more vulnerable to attack. Not only are