Chapter 12: Setting Up Logging and Notification
Logging and notification are crucial to an effective network
security policy. Together, they make it possible to monitor
your network security, identify both attacks and attackers,
and take action to address security threats and challenges.
WatchGuard logging and notification features are both
flexible and powerful. You can configure your firewall to
log and notify a wide variety of events, including specific
events that occur at the level of individual services. For
more information on logging, see the following collection
of FAQs:
https://support.watchguard.com/advancedfaqs/log_main.asp
Developing Logging and Notification Policies
When creating a logging policy, you spell out what gets
logged and when an event or series of events warrants
sending out a notification to the on-duty administrator.
Developing these policies simplifies the setup of individual
services in the WatchGuard Firebox System. If you have
fully mapped out a policy, you can more easily delegate
configuration duties and ensure that individual efforts do
not contradict the overall security stance or logging and
notification policies.
Logging policy
Specifically, the logging policy delineates:
• Which events to log
• Which service events to log
• Which servers are allocated as log hosts
• How large a log file is allowed to become and how
  often a new log file is created
In general, you want to log only the events that might
indicate a potential security threat, and ignore events that
would waste bandwidth and server storage space. This
generally translates into logging spoofs, IP options, probes,