Log Data Center Traffic That Matches No Interzone Rules

By default, the firewall denies traffic between data center zones (interzone traffic) that matches no Security policy allow rule. Log and examine this traffic to identify attempted attacks and also traffic you may want to allow.
Traffic that doesn’t match any of the Security policy rules you configure matches the predefined interzone-default block rule at the bottom of the rulebase and is denied. To gain visibility into traffic that doesn’t match a rule you explicitly configured, enable logging on the interzone-default rule. Logging this traffic gives you the opportunity to examine access attempts that you have not explicitly allowed, which may identify attack attempts or traffic for which you want to modify an allow rule.
1. Select the interzone-default row in the rulebase and click Override to enable editing the rule.
2. Select the interzone-default rule name to edit the rule.
3. On the Actions tab, select Log at Session End and click OK.
4. Create a custom report to monitor traffic that hits this rule.
   a. Select Monitor > Manage Custom Reports.
   b. Add a report and give it a descriptive Name. In this example, the name is Log Interzone-Default Rule.
   c. Set the Database to Traffic Summary.
   d. From Available Columns, add Source Zone, Destination Zone, Sessions, Bytes, Application, Risk of App, Rule, and Threat to the Selected Columns list. If there are other types of information you want to monitor, select those as well.
   e. Select the Scheduled box.
   f. Set the desired Time Frame, Sort By, and Group By values. In this example, the selected values are Last 7 Days, Threats, and App Category, respectively.
   g. Define the query so that the report includes only traffic that hit the interzone-default rule:
      (rule eq interzone-default)
The resulting custom report settings look like this:
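As an added example (not Palo Alto Networks' code and not part of this page), the following Python script does offline what the custom report above does on the firewall: it applies the equivalent of the query (rule eq interzone-default) to a set of constructed traffic log lines and groups the hits by source zone, destination zone and application, totalling sessions, bytes and threats, sorted with threats first. The column layout and field names (src_zone, dst_zone, app, rule, bytes, threat_count) are assumptions chosen for illustration and do not reproduce the real PAN-OS traffic log export format.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample traffic log lines with a simplified, assumed column subset.
# Real PAN-OS exports carry many more fields; these names are illustrative only.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src_zone,dst_zone,src_ip,dst_ip,app,rule,action,bytes,threat_count
2024/05/01 10:00:01,dc-web,dc-db,10.1.1.10,10.2.2.20,mysql,allow-web-to-db,allow,1480,0
2024/05/01 10:00:05,dc-web,dc-db,10.1.1.11,10.2.2.21,ssh,interzone-default,deny,120,0
2024/05/01 10:00:09,dc-web,dc-db,10.1.1.11,10.2.2.22,ssh,interzone-default,deny,120,0
2024/05/01 10:01:02,dc-app,dc-db,10.3.3.5,10.2.2.20,postgres,interzone-default,deny,96,0
2024/05/01 10:02:44,dc-app,dc-web,10.3.3.6,10.1.1.10,web-browsing,interzone-default,deny,2210,1
2024/05/01 10:03:10,dc-web,dc-app,10.1.1.10,10.3.3.5,ntp,allow-ntp,allow,76,0
"""


def matches_rule(row, rule_name="interzone-default"):
    """Offline equivalent of the report query (rule eq interzone-default)."""
    return row["rule"] == rule_name


def summarize_by_zone_and_app(log_text, rule_name="interzone-default"):
    """Group sessions that hit rule_name by (src_zone, dst_zone, app).

    Returns a list of dicts with session, byte and threat totals, ordered
    by threat count and then by session count, descending, mirroring the
    report's Sort By Threats setting.
    """
    groups = defaultdict(lambda: {"sessions": 0, "bytes": 0, "threats": 0})
    for row in csv.DictReader(StringIO(log_text)):
        if not matches_rule(row, rule_name):
            continue
        key = (row["src_zone"], row["dst_zone"], row["app"])
        totals = groups[key]
        totals["sessions"] += 1
        totals["bytes"] += int(row["bytes"])
        totals["threats"] += int(row["threat_count"])

    rows = [
        {"src_zone": src, "dst_zone": dst, "app": app, **totals}
        for (src, dst, app), totals in groups.items()
    ]
    rows.sort(key=lambda r: (r["threats"], r["sessions"]), reverse=True)
    return rows


if __name__ == "__main__":
    # Print a small table resembling the custom report's selected columns.
    print(f"{'Source Zone':<12}{'Dest Zone':<12}{'Application':<14}"
          f"{'Sessions':>9}{'Bytes':>8}{'Threats':>8}")
    for r in summarize_by_zone_and_app(SAMPLE_TRAFFIC_LOG):
        print(f"{r['src_zone']:<12}{r['dst_zone']:<12}{r['app']:<14}"
              f"{r['sessions']:>9}{r['bytes']:>8}{r['threats']:>8}")
```

Reading the output the way the page suggests: a row with a non-zero Threats total is a candidate attack attempt to investigate, while a row with many repeated sessions, no threats, and a legitimate application between two data center zones is the kind of traffic for which you may want to add or modify an allow rule rather than leave it hitting interzone-default.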