Community:Firewall logging recommendations
From Splunk Wiki
CAUTION: This article is a work in progress.
Depending on the use case you are implementing, different logging needs to be enabled:
Ideally you want to turn full logging on so that you can understand exactly what is happening in your environment. A common myth about firewall logging is that logging permitted connections is not very useful. On the contrary: if you know which connections were permitted, you can find misconfigurations, track down abuse, and investigate security attacks where the firewall was configured to pass the traffic.
| Use-case | Messages | Known Issues |
|---|---|---|
| Who connected to my servers? | passes | |
| Customer complains about not being able to access a Web site | passes going to the outside, or blocks (if you only want to see what is blocked; but then you cannot say for sure that there was no other problem) | |
| Who made a configuration change? | Rule updates / ACL updates | |
| Who is knocking on my doors? | blocks | |
| Do we see any known "bad" sources trying to get in? | blocks and a list of "bad" IP addresses | |
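The following is an added example, not part of the original wiki page or of any Splunk app: it runs the use-cases from the table over a few constructed firewall log lines. The key=value line format, the host name `fw1`, the addresses and the blocklist network are all assumptions; the point it makes is the one above, that a listed "bad" source is only caught on the `pass` it was granted if permitted connections are logged too.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in a generic key=value syslog style (assumption, not a vendor format).
SAMPLE_LOGS = """\
Jan 10 10:00:01 fw1 action=pass src=10.0.0.5 dst=192.0.2.10 dport=443
Jan 10 10:00:02 fw1 action=block src=198.51.100.7 dst=192.0.2.10 dport=22
Jan 10 10:00:03 fw1 action=pass src=10.0.0.6 dst=192.0.2.10 dport=443
Jan 10 10:00:04 fw1 action=block src=198.51.100.7 dst=192.0.2.11 dport=3389
Jan 10 10:00:05 fw1 action=block src=203.0.113.9 dst=192.0.2.10 dport=22
Jan 10 10:00:06 fw1 action=pass src=198.51.100.7 dst=192.0.2.12 dport=80
"""

# Constructed "bad" source list (the table's last row); real lists come from a feed.
BAD_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def who_connected(events, server):
    """'Who connected to my servers?': count of permitted connections per source."""
    return Counter(e["src"] for e in events if e["action"] == "pass" and e["dst"] == server)


def knocking(events):
    """'Who is knocking on my doors?': blocked sources and the ports they tried."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "block":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items()}


def known_bad(events, bad_nets):
    """'Known bad sources': every event, blocked or passed, from a listed network."""
    return [(e["src"], e["action"], e["dst"], e["dport"]) for e in events
            if any(ipaddress.ip_address(e["src"]) in n for n in bad_nets)]
```

With only blocks logged, the last `pass` from 198.51.100.7 to port 80 would never appear in `known_bad`.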
Known issues
- bandwidth: the more messages or event types that are enabled on the firewall, the more data is sent.
- storage: the more events are generated, the more is logged, and the more storage is needed to capture them.
- load on the box: the more events are enabled (and the more rules/ACLs are logging data), the more load is put on the firewall.
- firewall capabilities (can it do that?): some types of messages cannot be generated on some firewalls. For example, password changes on a firewall are not always something you can log.