User guide

Developing Logging and Notification Policies
User Guide 173
only by a small number of people in an organization. In that case you
might want to log all traffic for that service so you can monitor or review
that service activity.
Not all denied events need to be logged. For example, if the incoming FTP
service denies all traffic from any outside source to any inside
destination, there is little point in logging the denied incoming packets:
all traffic for that service in that direction is blocked anyway.
Notification policy
The most important events that should trigger notification are IP options,
port space probes, address space probes, and spoofing attacks. These are
configurable in the Default Packet Handling dialog box, described in
“Default Packet Handling” on page 142.
Other notifications depend on your Firebox configuration and how much
time is available for interacting with it. For example, if you set up a simple
configuration that enables only a few services and denies most or all
incoming traffic, only a few circumstances warrant notification. On the
other hand, if you have a large configuration with many services, with
many allowed hosts or networks for incoming traffic, with popular protocols
on specific, obscure ports, and with several filtered services of your own
design, you will need to set up a large, complex notification scheme. This
type of configuration is more vulnerable to attack. Not only are there
many more services that require a notification policy, but the high number
of routes through the Firebox also increases the likelihood that the log host
will issue frequent notifications. If you set up a very accommodating
firewall, be prepared to spend a large amount of time interacting with your
security system or fixing security breaches.
To formulate a notification policy, look at the number and nature of the
services enabled for the Firebox, and how open or limited each service is.
In general, for the high-traffic proxies such as SMTP and FTP, you might
activate a repeat notification if the service rejects five to ten packets within
30 seconds. If you have set up a specialized service limited to traffic
between two or three hosts using a high port number, you might want to
activate notification on this service whenever it denies or passes a packet.
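The two notification rules described above (a repeat notification when a high-traffic proxy rejects several packets within a short window, and a notify-on-every-packet rule for a narrowly scoped high-port service) can be expressed as a small threshold evaluator run over deny/allow log lines. The following is an added example and is not WatchGuard code or a Firebox feature; the log line format, the service names (`smtp`, `ftp`, `custom-4321`) and the sample log lines are all constructed for the illustration.

```python
"""Threshold-based notification policy over firewall log lines.

Added illustration, not WatchGuard code. The log format and the sample
lines below are constructed for the example; a real Firebox log line
looks different.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical one-line log format: "<iso-timestamp> <allow|deny> <service> src=<ip> dst=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>allow|deny) (?P<service>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# Notification policy keyed by service name (hypothetical names).
#   threshold: number of matching events within `window` seconds that
#              triggers one notification; the counter restarts after each
#              notification, so a sustained burst produces repeat notifications.
#   actions:   which actions count toward the threshold.
POLICY = {
    "smtp": {"threshold": 5, "window": 30, "actions": {"deny"}},
    "ftp": {"threshold": 5, "window": 30, "actions": {"deny"}},
    # Specialized high-port service between a few hosts: notify on every
    # packet, whether it is denied or passed.
    "custom-4321": {"threshold": 1, "window": 0, "actions": {"deny", "allow"}},
}


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def evaluate(lines, policy=POLICY):
    """Return a list of (service, timestamp, count) notifications.

    Keeps, per service, the timestamps of matching events that fall inside
    the sliding window; when the count reaches the threshold, one
    notification is emitted and the window is cleared.
    """
    recent = defaultdict(deque)   # service -> timestamps still inside the window
    notifications = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                # ignore lines the parser does not understand
        rule = policy.get(ev["service"])
        if rule is None or ev["action"] not in rule["actions"]:
            continue                # service not in policy, or action not counted
        q = recent[ev["service"]]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=rule["window"])
        while q and q[0] < cutoff:  # drop events that have aged out of the window
            q.popleft()
        if len(q) >= rule["threshold"]:
            notifications.append((ev["service"], ev["ts"], len(q)))
            q.clear()               # restart the count so repeat bursts notify again
    return notifications


# Constructed sample log (not captured from a real device).
SAMPLE_LOG = [
    # six SMTP denies within 30 s from one source: crosses the threshold of 5 once
    "2024-05-01T10:00:00 deny smtp src=203.0.113.10 dst=192.0.2.5",
    "2024-05-01T10:00:03 deny smtp src=203.0.113.10 dst=192.0.2.5",
    "2024-05-01T10:00:06 deny smtp src=203.0.113.10 dst=192.0.2.5",
    "2024-05-01T10:00:09 deny smtp src=203.0.113.10 dst=192.0.2.5",
    "2024-05-01T10:00:12 deny smtp src=203.0.113.10 dst=192.0.2.5",
    "2024-05-01T10:00:15 deny smtp src=203.0.113.10 dst=192.0.2.5",
    # four FTP denies spread over two minutes: never five inside 30 s, so silent
    "2024-05-01T10:01:00 deny ftp src=198.51.100.7 dst=192.0.2.21",
    "2024-05-01T10:01:40 deny ftp src=198.51.100.7 dst=192.0.2.21",
    "2024-05-01T10:02:20 deny ftp src=198.51.100.7 dst=192.0.2.21",
    "2024-05-01T10:03:00 deny ftp src=198.51.100.7 dst=192.0.2.21",
    # specialized service: every packet, allowed or denied, is notified
    "2024-05-01T10:04:00 allow custom-4321 src=192.0.2.30 dst=192.0.2.31",
    "2024-05-01T10:04:05 deny custom-4321 src=203.0.113.99 dst=192.0.2.31",
    # service not in the policy: ignored
    "2024-05-01T10:05:00 allow http src=192.0.2.40 dst=198.51.100.1",
]

if __name__ == "__main__":
    for service, ts, count in evaluate(SAMPLE_LOG):
        print(f"{ts.isoformat()} notify: {service} ({count} event(s) in window)")
```

Run as written, the sample log produces three notifications: one for `smtp` at the fifth deny within the window, and one for each `custom-4321` packet; the slow trickle of FTP denies never fills the window, and the `http` line is not covered by the policy at all. Clearing the window after a notification is what makes the rule a repeat notification rather than a one-shot: a burst that continues past the threshold notifies again once another five denies accumulate.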