Notification Policy - Watchguard Firebox X1000 User Manual
Developing Logging and Notification Policies
and denied packets, and not logging allowed packets. Allowed packets should not be indicative of a security threat. Furthermore, allowed traffic usually far exceeds the volume of denied traffic and would slow response times as well as causing the log file to grow and turn over too quickly.

WatchGuard provides the option to log allowed events primarily for diagnostic purposes when setting up or troubleshooting an installation. Or, you might have a situation such as a very specialized service that uses an obscure, very high port number, and the service is intended for use only by a small number of people in an organization. In that case you might want to log all traffic for that service so you can monitor or review that service activity.

Not all denied events need to be logged. For example, if incoming FTP denies all incoming traffic from any source outside to any destination inside, there is little point in logging incoming denied packets. All traffic for that service in that direction is blocked.

Notification policy

The most important events that should trigger notification are IP options, port space probes, address space probes, and spoofing attacks. These are configurable in the Default Packet Handling dialog box, described in "Default Packet Handling" on page 178.

Other notifications depend on your Firebox configuration and how much time is available for interacting with it. For example, if you set up a simple configuration that enables only a few services and denies most or all incoming traffic, only a few circumstances warrant notification. On the other hand, if you have a large configuration with many services, many allowed hosts or networks for incoming traffic, popular protocols to specific obscure ports, and several filtered services of your own design, you will need to set up a large, complex notification scheme. This type of configuration is more vulnerable to attack. Not only are
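The logging and notification rules above (log denied packets but not allowed ones, opt in to logging allowed traffic only for a specialized low-volume service, skip denied-packet logging for a service that blocks everything in a direction, and always notify on the four Default Packet Handling event classes) can be expressed as a small decision filter. The following is an added example written for this page, not WatchGuard code and not Firebox configuration syntax: the ServiceRule and PacketEvent shapes, the service names, the addresses and the anomaly labels are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Event classes the manual says should always trigger notification
# (the Default Packet Handling categories). Label strings are assumed.
NOTIFY_EVENTS = frozenset({"ip_options", "port_space_probe",
                           "address_space_probe", "spoofing"})


@dataclass(frozen=True)
class ServiceRule:
    """Hypothetical, simplified service definition (not Firebox syntax)."""
    name: str
    direction: str                 # "incoming" or "outgoing"
    allowed_sources: tuple = ()    # CIDR strings; empty tuple = deny everything
    log_allowed: bool = False      # opt in only for specialised, low-volume services

    def is_blanket_deny(self) -> bool:
        # Like the "incoming FTP denies everything" case in the text.
        return not self.allowed_sources

    def allows(self, src: str) -> bool:
        addr = ipaddress.ip_address(src)
        return any(addr in ipaddress.ip_network(net) for net in self.allowed_sources)


@dataclass(frozen=True)
class PacketEvent:
    service: str
    direction: str
    src: str
    anomaly: str = ""   # one of NOTIFY_EVENTS when the packet handler flagged it


def decide(rule, event):
    """Return (action, log, notify) for one packet event under the policy."""
    notify = event.anomaly in NOTIFY_EVENTS
    if rule is None:
        action, log = "deny", True          # no service permits it: denied, worth logging
    elif rule.allows(event.src):
        action, log = "allow", rule.log_allowed   # allowed traffic logged only on opt-in
    else:
        action = "deny"
        # A service that blocks everything in this direction yields no new
        # information per denied packet, so those are not logged...
        log = not rule.is_blanket_deny()
    if notify:
        log = True   # ...unless the packet handler flagged a probe/spoof/IP-options event
    return action, log, notify


def triage(rules, events):
    """Apply the policy to a batch; return decisions plus a volume summary."""
    logged, notified, suppressed = [], [], 0
    for ev in events:
        rule = rules.get((ev.service, ev.direction))
        action, log, notify = decide(rule, ev)
        if log:
            logged.append((ev.service, ev.src, action, ev.anomaly))
        else:
            suppressed += 1
        if notify:
            notified.append((ev.service, ev.src, ev.anomaly))
    return {"logged": logged, "notified": notified, "suppressed": suppressed}


# Constructed sample rules and events (documentation/test addresses only).
RULES = {
    ("ftp", "incoming"): ServiceRule("ftp", "incoming"),                       # blanket deny
    ("http", "incoming"): ServiceRule("http", "incoming", ("0.0.0.0/0",)),      # open to all
    ("custom-47123", "incoming"): ServiceRule("custom-47123", "incoming",
                                              ("10.0.5.0/24",), log_allowed=True),
}
EVENTS = [
    PacketEvent("ftp", "incoming", "203.0.113.9"),                          # denied, blanket: skip
    PacketEvent("http", "incoming", "203.0.113.9"),                         # allowed: skip
    PacketEvent("custom-47123", "incoming", "10.0.5.7"),                    # allowed, opt-in: log
    PacketEvent("custom-47123", "incoming", "198.51.100.4"),                # denied: log
    PacketEvent("http", "incoming", "198.51.100.4", "port_space_probe"),    # log + notify
    PacketEvent("ftp", "incoming", "192.0.2.1", "spoofing"),                # blanket, but notify
    PacketEvent("telnet", "incoming", "198.51.100.4"),                      # no rule: denied, log
]


def run_example():
    return triage(RULES, EVENTS)


if __name__ == "__main__":
    result = run_example()
    for entry in result["logged"]:
        print("LOG   ", entry)
    for entry in result["notified"]:
        print("NOTIFY", entry)
    print("suppressed:", result["suppressed"])
```

The two noisy classes the text warns about (allowed traffic on a popular open service, and denied traffic on a service that blocks everything) are the ones that end up in the suppressed count, while the flagged spoofing packet on the blanket-deny FTP service is still logged and notified.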
User Guide
201