User guide
Chapter 13: Setting Up Logging and Notification
172 WatchGuard Firebox System
both flexible and powerful. You can configure your firewall to log and
notify a wide variety of events, including specific events that occur at the
level of individual services. For more information on logging, see the
following collection of FAQs:
https://support.watchguard.com/advancedfaqs/log_main.asp
Developing Logging and Notification Policies
When creating a logging policy, you spell out what gets logged and when
an event or series of events warrants sending out a notification to the on-duty
administrator. Developing these policies simplifies the setup of
individual services in the WatchGuard Firebox System. If you have fully
mapped out a policy, you can more easily delegate configuration duties
and ensure that individual efforts do not contradict the overall security
stance or logging and notification policies.
Logging policy
Specifically, the logging policy delineates:
• Which events to log
• Which service events to log
• Which servers are allocated as log hosts
• How large a log file is allowed to become and how often a new log file is created
In general, you want to log only the events that might indicate a potential
security threat, and ignore events that would waste bandwidth and server
storage space. This generally translates into logging spoofs, IP options,
probes, and denied packets, and not logging allowed packets. Allowed
packets should not be indicative of a security threat. Furthermore,
allowed traffic usually far exceeds the volume of denied traffic and would
slow response times as well as cause the log file to grow and turn over
too quickly.
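The default rule above (log spoofs, IP options, probes and denied packets; drop allowed packets), together with the two exceptions the guide allows for allowed traffic (a diagnostic mode, and a specific high port used by a specialised service) and a size-based log rollover, as an added Python example that is not from the WatchGuard documentation. The event types, addresses, ports and byte limit are constructed for illustration.

```python
# Constructed sample events in a simplified form (not real Firebox log output).
SAMPLE_EVENTS = [
    {"type": "denied",     "src": "203.0.113.7",  "dport": 23},
    {"type": "allowed",    "src": "192.0.2.10",   "dport": 80},
    {"type": "spoof",      "src": "10.0.0.5",     "dport": 53},
    {"type": "ip_options", "src": "198.51.100.2", "dport": 0},
    {"type": "probe",      "src": "203.0.113.9",  "dport": 445},
    {"type": "allowed",    "src": "192.0.2.11",   "dport": 443},
    {"type": "allowed",    "src": "192.0.2.12",   "dport": 31337},
]

# Event classes the policy logs by default: likely indicators of a threat.
LOG_BY_DEFAULT = frozenset({"spoof", "ip_options", "probe", "denied"})


def should_log(event, diagnostic=False, watched_ports=frozenset()):
    """Decide whether one event is written to the log host.

    Allowed packets are skipped unless diagnostic mode is on (setup or
    troubleshooting) or the packet targets a specifically watched port,
    e.g. an obscure high port reserved for a specialised service.
    """
    if event["type"] in LOG_BY_DEFAULT:
        return True
    if event["type"] == "allowed":
        return diagnostic or event["dport"] in watched_ports
    return False


class RotatingLog:
    """In-memory stand-in for a log host that starts a new log file once
    the current one would exceed max_bytes (the size/rollover policy)."""

    def __init__(self, max_bytes):
        self.max_bytes = max_bytes
        self.files = [[]]      # list of files, each a list of lines
        self._size = 0         # bytes written to the current file

    def write(self, event):
        line = f"{event['type']} src={event['src']} dport={event['dport']}\n"
        if self._size + len(line) > self.max_bytes and self.files[-1]:
            self.files.append([])   # roll over to a fresh log file
            self._size = 0
        self.files[-1].append(line)
        self._size += len(line)


def apply_policy(events, max_bytes=120, **policy):
    """Run the filter over a batch of events and return the rotated log."""
    log = RotatingLog(max_bytes)
    for ev in events:
        if should_log(ev, **policy):
            log.write(ev)
    return log
```

With the defaults only four of the seven constructed events are written; enabling `diagnostic=True` writes all seven, and `watched_ports={31337}` adds just the allowed hit on the watched high port.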
WatchGuard provides the option to log allowed events primarily for
diagnostic purposes when setting up or troubleshooting an installation.
Or, you might have a situation such as a very specialized service that uses
an obscure, very high port number, and the service is intended for use