Table of Contents
Advertisement
Chapter 9: Configuring Security Policies
NOTE: You can only apply traffic shaping to rules whose destination zone has a single
interface bound to it. Security zones that contain subinterfaces or that contain more
than one physical interface do not support traffic shaping.
For more information about Traffic Shaping, refer to the Concepts & Examples ScreenOS
Reference Guide.
Enabling Logging and Counting for Firewall Rules
A good security policy generates enough log entries to fully document only the important
security events on your network. However, if you need to keep a record of all log entries
for archiving and accountability, you can design your rule to log every security event. For
critical events, you might even want to be notified immediately by e-mail or set an alert
to appear in the log entry.
Log entries appear in real-time in the Log Viewer and are also used in the Log Investigator
for cross-tabulation of security events. Your goal is to fine-tune the notifications in your
security policy to your individual security needs.
Configuring Logging and Alerts
To log an event for a rule, enable logging. Each time your security device matches network
traffic to the rule, the device creates a traffic log entry that describes that event and NSM
displays the traffic log entry in the Log Viewer. You can enable logging when a session is
initialized, closed or both on a security device.
Depending on your security needs, you might want NSM to provide additional notification
when a rule is matched, such as an alert in the log entry. An alert is a notification icon
that appears in a log entry in the Log Viewer. When you enable alerts in your firewall rule
and traffic matches that rule, the device generates a traffic log entry that includes an
alert. Alerts can help you quickly identify specific network traffic, such as critical severity
attacks.
You must enable logging before you can enable alerts.
Configuring Counting and Alarms
Counting and alarms work together to help you track the amount of traffic that is matching
your firewall rule. Counting enables the device to count the number of bytes in network
traffic that matches the firewall rule. Using this data, the device can then generate alarms
that notify you when the matching network traffic falls outside your predefined byte
range.
To set an alarm, enable counting and specify the minimum and maximum byte thresholds
for matching network traffic. You can specify a predefined number of bytes per second,
number of Kilobytes per minute, or both. Each time your security device detects network
traffic that exceeds the alarm threshold in the rule, the device generates an alarm log
entry for that describes that event and displays it in the Log Viewer.
You must enable counting before you can enable alarms. Although you can enable
counting without also enabling alarms, NSM does not use the counting data except to
trigger alarms. If you do not intend to use alarms, you should leave counting disabled.
Copyright © 2010, Juniper Networks, Inc.
447
Advertisement
Table of Contents
