D-Link DFL-200 manual How to read the logs, Usage events, Drop events, Conn events, Example

How to read the logs

Although the exact format of each log entry depends on how your syslog recipient works, most are very much alike. The way in which logs are read is also dependent on how your syslog recipient works. Syslog daemons on UNIX servers usually log to text files, line by line.

Most syslog recipients preface each log entry with a timestamp and the IP address of the machine that sent the log data:

Oct 20 2003 09:45:23 gateway

This is followed by the text the sender has chosen to send. All log entries from the DFL-200 are prefaced with "EFW:" and a category, e.g. "DROP:".

Oct 20 2003 09:45:23 gateway EFW: DROP:

Subsequent text is dependent on the event that has occurred.

USAGE events

These events are sent periodically and provide statistical information regarding connections and amount of traffic.

Example:

Oct 20 2003 09:45:23 gateway EFW: USAGE: conns=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99

The value after conns is the number of open connections through the firewall when the usage log was sent. The value after tp is the throughput through the firewall at the time the usage log was logged.

DROP events

These events may be generated by a number of different functions in the firewall. The most common source is probably the policies.

Example:

Oct 20 2003 09:42:25 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3572 destport=135 tcphdrlen=28 syn=1

In this line, traffic from 192.168.10.2, coming from the WAN side of the firewall and connecting to 192.168.10.1 on port 135, is dropped. The protocol used is TCP.
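
The USAGE and DROP entries above can be parsed mechanically. The following Python is an added example, not part of the D-Link manual: it splits each entry into its key=value fields, groups the ifN/ipN/tpN triples of a USAGE entry per interface, and counts DROP entries per source and destination. It assumes the syslog recipient writes the "timestamp host" prefix exactly as in the samples; the function names are hypothetical, and the third sample line is constructed to show a non-EFW entry being skipped.

```python
import re
from collections import defaultdict

# First two lines are the manual's own examples; the third is constructed.
SAMPLE_LOG = """\
Oct 20 2003 09:45:23 gateway EFW: USAGE: conns=1174 if0=core ip0=127.0.0.1 tp0=0.00 if1=wan ip1=192.168.10.2 tp1=11.93 if2=lan ip2=192.168.0.1 tp2=13.27 if3=dmz ip3=192.168.1.1 tp3=0.99
Oct 20 2003 09:42:25 gateway EFW: DROP: prio=1 rule=Rule_1 action=drop recvif=wan srcip=192.168.10.2 destip=192.168.0.1 ipproto=TCP ipdatalen=28 srcport=3572 destport=135 tcphdrlen=28 syn=1
Oct 20 2003 09:46:01 gateway sshd[411]: session opened
"""

# Assumed recipient prefix: "Mon DD YYYY HH:MM:SS host", as in the samples.
ENTRY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"EFW: (?P<category>[A-Z]+): ?(?P<body>.*)$"
)
INDEXED = re.compile(r"^(if|ip|tp)(\d+)$")


def parse_entry(line):
    """Return a dict for a DFL-200 entry, or None for non-EFW lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    body = entry.pop("body")
    # The body is a run of whitespace-separated key=value pairs.
    entry["fields"] = dict(p.split("=", 1) for p in body.split() if "=" in p)
    return entry


def usage_interfaces(entry):
    """Group ifN/ipN/tpN of a USAGE entry into one record per interface."""
    grouped = defaultdict(dict)
    for key, value in entry["fields"].items():
        m = INDEXED.match(key)
        if m:
            grouped[int(m.group(2))][m.group(1)] = value
    return {g["if"]: {"ip": g.get("ip"), "tp": float(g.get("tp", 0))}
            for _, g in sorted(grouped.items()) if "if" in g}


def drop_summary(lines):
    """Count DROP entries per (recvif, srcip, destip, destport)."""
    counts = defaultdict(int)
    for e in filter(None, map(parse_entry, lines)):
        if e["category"] == "DROP":
            f = e["fields"]
            key = (f.get("recvif"), f.get("srcip"), f.get("destip"), f.get("destport"))
            counts[key] += 1
    return dict(counts)
```

Feeding a whole log file through drop_summary gives a quick view of which sources are repeatedly hitting which blocked ports.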

CONN events

These events are generated if auditing has been enabled.

One event will be generated when a connection is established. This event will include information about protocol, receiving interface, source IP address, source port, destination interface, destination IP address and destination port.
