ProCurve Secure Router OS Firewall—Protecting the Internal, Trusted Network
Specifying How Many Policy Matches Generate a Log
The Secure Router OS firewall is a stateful-inspection firewall that supports
packet filtering. You customize filters, or ACPs, that the firewall uses to
determine whether it should forward or drop each packet that arrives on an
interface. The firewall automatically produces a log after it matches 100
packets to an ACP. This setting is the policy log threshold.
When you apply an ACP to an interface, all packets are filtered. Policy logs
show how many packets are dropped and how many are allowed to pass.
Dropped packets, unlike those that produce attack logs, do not necessarily
have the earmarks of an attack: they are simply to or from hosts that the
interface's access policy does not permit. A policy log has an informational
event priority.
You can monitor the traffic passing through your router by examining the
policy logs. As with attack logs, the lower you set the threshold, the more
precise and moment-to-moment the picture you receive of your system. On the
other hand, setting the threshold too low can clutter the event-history log with
unnecessary information and consume processing power.
To set the policy log threshold, enter:
Syntax: ip firewall policy-log threshold <number of matches>
You can set the threshold from 1 to 4,294,967,295. For example:
ProCurve(config)# ip firewall policy-log threshold 150
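An added example, not from the ProCurve documentation: a Python check that reads a saved configuration, validates the policy log threshold against the 1 to 4,294,967,295 range, and estimates how many policy log entries a given per-ACP match rate would produce. The function name, the match-rate and log-budget parameters, and the sample configuration strings are assumptions made for illustration.

```python
import re

DEFAULT_THRESHOLD = 100              # default stated in the text above
MIN_T, MAX_T = 1, 4_294_967_295      # valid range stated in the text above
CMD = re.compile(r"^\s*ip firewall policy-log threshold\s+(\S+)\s*$")

# Constructed sample configurations (not taken from a real router).
SAMPLE_CONFIG = "ip firewall policy-log threshold 150\n"
NOISY_CONFIG = "ip firewall policy-log threshold 1\n"
INVALID_CONFIG = "ip firewall policy-log threshold 0\n"


def audit_policy_log_threshold(config_text, matches_per_hour, max_logs_per_hour):
    """Return (threshold, logs_per_hour, findings) for one configuration.

    matches_per_hour: estimated packets matched by one ACP (operator-supplied).
    max_logs_per_hour: hypothetical budget for policy log entries per ACP.
    """
    findings, threshold, seen = [], DEFAULT_THRESHOLD, 0
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = CMD.match(line)
        if not m:
            continue
        seen += 1
        raw = m.group(1)
        if not re.fullmatch(r"[0-9]+", raw) or not MIN_T <= int(raw) <= MAX_T:
            findings.append(f"line {lineno}: invalid threshold {raw!r}")
            continue
        threshold = int(raw)  # assumption: the last valid command wins
    if seen == 0:
        findings.append("threshold not set; default of 100 applies")
    # One policy log is produced per `threshold` matches to an ACP.
    logs_per_hour = matches_per_hour // threshold
    if logs_per_hour > max_logs_per_hour:
        # Smallest threshold that keeps the log rate within the budget.
        needed = min(MAX_T, matches_per_hour // (max_logs_per_hour + 1) + 1)
        findings.append(
            f"{logs_per_hour} logs/hour exceeds budget of {max_logs_per_hour}; "
            f"raise threshold to at least {needed}")
    return threshold, logs_per_hour, findings


if __name__ == "__main__":
    for name, cfg in [("sample", SAMPLE_CONFIG), ("noisy", NOISY_CONFIG),
                      ("invalid", INVALID_CONFIG), ("unset", "")]:
        print(name, audit_policy_log_threshold(cfg, 36_000, 500))
```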
Forwarding Logs to a Syslog Server
Syslog servers collect information about devices on a network. You can then
analyze this information for a picture of network functions as a whole. The
ProCurve Secure Router can log events to a syslog server. (See Figure 4-7.)
[Figure 4-7. Forwarding Logs to a Syslog Server. Diagram labels: Router, Syslog server, Log, local2, Failed connection.]
Configuring Logging