Setting Up the Log Server | WatchGuard Technologies Firebox X

CHAPTER 4 Setting Up Logging and Notification

An event is any single activity that occurs at the Firebox®, such as denying a packet from passing through the Firebox. Logging is the recording of these events to a log host. A notification is a message sent to the administrator by the Firebox when an event occurs that indicates a security threat. Notification can be in the form of e-mail or a pop-up window.

For example, WatchGuard® recommends that you configure default packet handling to issue a notifica- tion when the Firebox finds a port space probe. When this occurs, the log host sends notification to the network security administrator about the rejected packets. The network security administrator can exam- ine the log files and make decisions about how to add more security to the organization’s network. Some possible changes are:

•Block the ports on which the probe was used

•Block the IP address that is sending the packets

•Tell the ISP through which the packets are being sent

Logging and notification are crucial to an effective network security policy. Together, they make it possi- ble to monitor your network security, identify attacks and attackers, and to address security threats and challenges.

You can install the Log Server on the computer you are using as a management station. Or, you can install the log server software on a different computer using the WatchGuard System Manager installation program and selecting to install only the Log Server component. To add other log servers, see the Config- uration Guide for your version of appliance software.

Note

If you install the Management Server, Log Server, or WebBlocker Server on a computer with a desktop firewall other than Windows Firewall, you must open the ports necessary for the servers to connect through the firewall. Windows Firewall users do not have to change their configuration. See “Installing WatchGuard Servers on computers with desktop firewalls” on page 8 for more information.

Setting Up the Log Server

The Log Server collects logs from each WatchGuard® Firebox®.

User Guide

31

Image 37

WatchGuard Technologies Firebox X manual Setting Up Logging and Notification, Setting Up the Log Server

Contents

WatchGuardSystem Manager User Guide Address Contents Copy the online help system to more computers Setting Up Logging and Notification Importing Certificates Microsoft Internet Explorer 5.5 LogViewer Settings Apache Software License, Version 2.0, January About WatchGuard System Manager Getting StartedWatchGuard Management Server Log Server About Hardware and Appliance Software Installing WatchGuard System Manager Network addresses License Keys External interface 1Network IP Addresses Without the FireboxTrusted interface Optional interfaces Base Software encryption levelsUses 40-bit encryption Strong Putting the Firebox into operation on your network Setting Up Your Management Server Admin password Master password Installation Topics After Your Installation Routed configuration WFS appliance software configuration modes Drop-in configuration To add a secondary networks, do one of these procedures Adding secondary networks to your configurationUse the Quick Setup Wizard during installation Dynamic IP support on the external interface About slash notation Entering IP addresses Installing the Firebox cables Installation Topics LiveSecurity Service Solutions Service and SupportThreat responses, alerts, and expert advice Easy software updates LiveSecurity Service Broadcasts Basic FAQs LiveSecurity Service Self Help ToolsNew from WatchGuard Known Issues Advanced FAQsInteractive Support Forum Online Training WatchGuard Users Forum Using the WatchGuard Users ForumWatchGuard Users Group Online Help Technical Support Product DocumentationCopy the online help system to more computers Software requirements We try to supply a solution in a maximum time of four hours Web Site Service TimeType of Service Hours Training and Certification Starting WatchGuard System Manager Monitoring Your NetworkAbout the WatchGuard System Manager Window From the Windows Desktop Disconnecting from a Firebox Connecting to a FireboxDevice Log Type the password for the Management Server Connecting to a ServerDisconnecting from a Server Seeing Information about Devices Certificates Firebox StatusBranch Office VPN Tunnels Mobile user VPN tunnels Seeing Information on Log ServersPptp user VPN tunnels No exclamation point Monitoring VPNs Starting Security Applications About the WatchGuard ToolbarPolicy Manager Firebox Manager HostWatch Quick Setup WizardLog Viewer Historical Reports Setting Up the Log Server Setting Up Logging and NotificationLog Server collects logs from each WatchGuard Firebox Configuration Guide for your version of appliance software WatchGuard Log Server Configuration dialog box appears Type the new log encryption key two times Click OK Setting Global Logging and Notification Preferences Click Save Changes or Close Click Save Changes Setting Global Logging and Notification Preferences Reviewing and Working with Log Files Traffic Alarm Event DiagnosticTypes of Log Messages Traffic log messages Diagnostic log messages Alarm log messagesLog File Names and Locations Starting LogViewer Browse to find the log file and click Open LogViewer Settings Click to set the format of the logs to the default colors Changing LogViewer settings with WFS appliance software Select Edit Find Using LogViewer Paste the data into any text editor Click Browse to find the files to put together Click Merge Click File Merge log files Using LogViewer Using LogViewer Creating and Editing Reports Generating Reports of Network Activity Type the report name From Historical Reports, click AddSelect the filter Type the Firebox IP address or host name. Click Add Specifying a Report Time IntervalChange the report definition Specifying Report Sections To consolidate report sections Setting Report PropertiesType the number of items to put in the table Exporting Reports Complete the Filter tabs Using Report Filters Running Reports When finished, click OKReport Sections and Consolidated Sections Change the filter properties Report Sections and Consolidated Sections Session Summary Proxied Traffic Consolidated sections Report Sections and Consolidated Sections Public Key Cryptography and Digital Certificates Managing Certificates Certificate AuthorityPKI in a WatchGuard VPN From the menu, select the correct Managing the Certificate AuthorityCertificate Authority CA Certificate Generate a New Certificate Management Server CA CertificateGWvpn gateway name Find and Manage Certificates Reinstate RevokePuts back a certificate that was revoked before Destroy Importing Certificates Managing the Firebox X Edge Firebox Soho Netscape Netscape Communicator Administration Troubleshooting ideasManaging the Firebox X Edge or Soho Device System Status System security and remote management Removing CertificatesFirewall Logging Select File Soho Management Clean up on PC Removing Certificates WatchGuard Firebox Software End-User License Agreement Appendix a Copyright and Licensing WatchGuard System Manager Copyright and Trademarks OpenSSL License Licenses Original SSLeay License Apache Software License, Version 2.0, January Licenses Pcre License GNU Lesser General Public License Licenses Licenses Licenses GNU General Public License Licenses Licenses Licenses Sleepycat License Licenses General File Locations Appendix B WatchGuard File Locations Quick Setup Wizard Default File Locations HostWatch for Fireware Appliance Software Firebox System Manager for Fireware Appliance SoftwarePolicy Manager for Fireware Appliance Software Policy Manager for WFS Appliance Software WatchGuard System Manager HostWatch for WFS Appliance Software Firebox System Manager for WFS Appliance SoftwareFlash Disk Management for WFS Appliance Software LogViewer WebBlocker Server Management ServerLog Server User Interface Log Server for WFS Appliance Software Log Server for Fireware Appliance SoftwareHistorical Reports Log Merge Management Server Setup WizardManagement Server User Interface WatchGuard Certificate Authority Default File Locations Index Muvpn Wctp 100