WatchGuard Technologies FireboxTM System 4.6 Files

User Guide 103

CHAPTER 15 Reviewing and Working with Log

Files

Log entries are stored on the primary and backup LiveSecurity Event Processor. By

default, log files are placed in the WatchGuard installation directory in a subdirectory

called \logs. The log file to which the Event Processor is currently writing records is

named Firebox IP.wgl. In addition, the Event Processor creates an index file in the

same directory by the same name with the extension .idx. When Event Processor rolls

a log file over, it saves the old files as Firebox IP Time Stamp.wgl and Firebox IP Time

Stamp.idx.Both the .wgl and .idx files are necessary to use any monitoring or log

display tool.

For more information about the LiveSecurity Event Processor and configuring

logging, see “Setting Up Logging and Notification” on page69.

Viewing files with LogViewer

The WatchGuard Firebox System utility called LogViewer provides a dynamic

display of log file data. You can view all log data page by page, or search and display

by keyphrases or specific log fields.

Starting LogViewer and opening a log file

From Control Center:

1Click the LogViewer icon (shown at right).

LogViewer opens and the Load File dialog box appears.

2 Browse to select a log file. Click Open.

By default, logs are stored in a subdirectory of the WatchGuard installation

directory called \logs. LogViewer opens and displays the selected log file.

Setting LogViewer preferences

You can adjust the content and format of the display. From LogViewer:

1 Select View => Preferences.

Contents

Main Disclaimer Copyright and Patent Information WatchGuard Technologies, Inc. Firebox System Software End-User License Agreement Page Declaration of Conformity FCC Certification CE Notice CSA Statement Table of Contents PART I PART III PART II Page PART IV PART V PART I Introduction Welcome to WatchGuard WatchGuard Firebox System components WatchGuard Firebox WatchGuard Control Center WatchGuard security suite LiveSecurity Service Minimum requirements Software requirements Web browser requirements Hardware require ments PART II WatchGuard Services Page LiveSecurity broadcasts Activating the LiveSecurity Service Page Page Accessing frequently asked questions (FAQ) Known issues Getting Internet technical support Getting telephone support Training WatchGuard Interactive Training System (WITS) Instructor-led courses WatchGuard users group Subscribing to wg-users@watchguard.com Unsubscribing from wg-users@watchguard.com Contributing to wg-users@watchguard.com Online Help Starting WatchGuard Online Help Searching for topics Copying the Help system to additional platforms Online Help system requirements Context-sensitive Help Currently available options VPN Manager High Availability Mobile User VPN SpamScreen Obtaining WatchGuard options PART III Configuring a Security Policy Page What is a Firebox? Placing a Firebox within a network Internet Opening a configuration file Opening a configuration from the Firebox Opening a configuration from a local hard disk Saving a configuration file Saving a configuration to the local hard disk Resetting Firebox passphrases Tips for creating secure passphrases Setting the time zone Reinitializing a misconfigured Firebox Page Center Navigating the WatchGuard Control Center Starting the Control Center and connecting to a Firebox Control Center components QuickGuide Front panel Firebox and VPN tunnel status Page Traf fic Moni tor Working with the Control Center Connecting to a Firebox Changing the polling rate Setting the maximum number of log messages Manipulating the Traffic Monitor Policy Manager Changing the Policy Manager view Firebox Monitors LogViewer HostWatch Historical Reports LiveSecurity Event Processor Page Running the QuickSetup wizard Setting up a drop-in network Setting up a routed network Adding a secondary network Defining a network route Defining a host route Changing an interface IP address Setting the default gateway Entering WINS and DNS server addresses Defining a Firebox as a DHCP server Adding a new subnet Page Page Configuring default packet handling Blocking a site permanently Removing a blocked site Changing the auto-block duration Logging and notification for blocked sites Blocking a port permanently Removing a blocked port Logging and notification for blocked ports Blocking sites temporarily with service settings Configuring a service to temporarily block sites Viewing the Blocked Sites list Adding an existing service Creating a new service Defining service properties Adding incoming service properties Adding outgoing service properties Adding addresses to service properties Working with wg_ icons Configuring services for authentication Modifying a service Deleting a service Setting up proxy services Configuring an SMTP proxy service Page Configuring an FTP proxy service Configuring an HTTP proxy service Service precedence Page Page How WebBlocker works Reverting to old WebBlocker databases Logging and WebBlocker Prerequisites to using WebBlocker Configuring the WebBlocker service Activating WebBlocker Scheduling operational and non-operational hours Setting privileges Creating WebBlocker exceptions Manually downloading the WebBlocker database Translation What is dynamic NAT? Using simple dynamic NAT Enabling simple dynamic NAT Adding dynamic NAT entries Reordering dynamic NAT entries Using service-based NAT Enabling service-based NAT Configuring service-based NAT exceptions Configuring a service for incoming static NAT Adding external IP addresses Setting static NAT for a service Page Page Notification Ensure logging with failover logging WatchGuard logging architecture Designating Event Processors for a Firebox Adding an Event Processor Enabling Syslog logging Editing an Event Processor setting Removing an Event Processor Reordering Event Processors Synchronizing Event Processors Setting up the LiveSecurity Event Processor Installing the Event Processor program Running an Event Processor on Windows 98 Running an Event Processor on Windows NT or Windows 2000 Viewing the Event Processor Starting and stopping the Event Processor Setting the log encryption key Setting global logging and notification preferences Setting the interval for log rollover Scheduling log reports Controlling notification Customizing logging and notification by service or option Setting logging and notification for a service Setting logging and notification for default packet-handling options Setting logging and notification for blocked sites and ports Management Connecting a Firebox with OOB management Enabling the Management Station Preparing a Windows NT Management Station for OOB Preparing a Windows 95/98 Management Station for OOB Preparing a Windows 2000 Management Station for OOB Configuring the Firebox for OOB Establishing an OOB connection Page PART IV Administering a Security Policy Page Implementing Authentication Using host aliases Adding a host alias Modifying a host alias Removing a host alias What is user authentication? User authentication types How user authentication works Configuring Firebox authentication Configuring Windows NT Server authentication Configuring RADIUS server authentication Configuring CRYPTOCard server authentication Configuring SecurID authentication Using authentication to define remote user VPN access Firebox Monitors Starting Firebox Monitors and connecting to a Firebox Setting Firebox Monitors view properties Bandwidth Meter ServiceWatch StatusReport Page Page Page Authentication list Blocked Sites list HostWatch Connecting to a Firebox Replaying a log file Controlling the HostWatch display Modifying view properties Page Files Viewing files with LogViewer Starting LogViewer and opening a log file Setting LogViewer preferences Searching for specific entries Copying and exporting LogViewer data Displaying and hiding fields Working with log files Consolidating logs from multiple locations Copying log files Forcing the rollover of log fi les Setting log encryption keys Page Activity Starting Historical Reports Viewing the reports list Creating and editing reports Creating a new report Specifying report sections Specifying a report time span Consolidating report sections Setting report properties Exporting reports Exporting reports to HTML format Exporting a report to WebTrends for Firewalls and VPNs Exporting a report to a text file Using report filters Creating a new filter Editing a filter Deleting a filter Applying a filter Scheduling and running reports Scheduling a report Manually running a report Report sections and consolidated sections Page Consolidated Sections Page PART V WatchGuard Virtual Private Networking Page Private Networking Configuration checklist Using DVCP to connect to devices How does DVCP work? Basic and Enhanced DVCP Creating a tunnel to a SOHO or SOHO|tc Editing a tunnel to a device Removing a tunnel to a device Defining a Firebox as an Enhanced DVCP Client Branch office VPN with IPSec Configuring a gateway Configuring a tunnel with manual security Configuring a tunnel with dynamic security Creating an IPSec policy Changing IPSec policy order Configuring services for branch office VPN with IPSec Configuring WatchGuard VPN WatchGuard VPN configuration models Setting up WatchGuard VPN Changing remote network entries Preventing IP spoofing with WatchGuard VPN Configuring incoming services to allow VPN Verifying successful WatchGuard VPN configuration Remote User VPN Configuration checklist Configuring shared servers for RUVPN Adding remote access users Adding a member to built-in RUVPN user groups Configuring services to allow incoming RUVPN By individual service Using the Any service Configuring the Firebox for Remote User PPTP Activating Remote User PPTP Entering IP addresses for Remote User sessions Configuring the Firebox for Mobile User VPN Purchasing a Mobile User VPN license Entering license keys Preparing Mobile User VPN configuration files Saving the configuration to a Firebox Distributing the software and configuration files Configuring debugging options Debugging Mobile User VPN Debugging Remote User VPN (PPTP) User VPN Preparing the client computers Remote host operating system Windows 95/98 platform preparation Windows NT platform preparation Setting up RUVPN for Windows 2000 Configuring the remote host for RUVPN with PPTP Using Remote User PPTP Starting Remote User PPTP Running Remote User PPTP Configuring debugging options Page Index A B C D E F G H I J K L M N O P Page Q R S T U V W Z