Log Data Center Traffic That Matches No Interzone Rules

By default, the firewall denies traffic between data center zones (interzone traffic) that matches no Security policy allow rule. Log and examine this traffic to identify attempted attacks and also traffic you may want to allow.
Traffic that doesn’t match any of the Security policy rules you configure falls through to the predefined interzone-default rule at the bottom of the rulebase, which denies it. That rule does not log by default, so denied interzone traffic is invisible until you enable logging on it. Logging this traffic lets you examine access attempts that you have not explicitly allowed, which may reveal attack attempts (for example, one host being denied to many destinations or applications) or legitimate traffic for which you need to add or widen an allow rule. Once logging is enabled, these sessions appear in the Traffic log with the Action deny and the Rule interzone-default, and the same filter used in the report below, (rule eq interzone-default), works in the Traffic log viewer. Expect the log volume to grow on busy data center segments; review the report regularly so that the new allow rules you derive from it stay narrow.
  1. Select the interzone-default row in the rulebase and click Override to enable editing the rule.
  2. Select the interzone-default rule name to edit the rule.
  3. On the Actions tab, select Log at Session End and click OK.
  4. Create a custom report to monitor traffic that hits this rule.
    1. Select Monitor > Manage Custom Reports.
    2. Add a report and give it a descriptive Name. In this example, the name is Log Interzone-Default Rule.
    3. Set the Database to Traffic Summary.
    4. From Available Columns, add Source Zone, Destination Zone, Sessions, Bytes, Application, Risk of App, Rule, and Threat to the Selected Columns list. If there are other types of information you want to monitor, select those as well.
    5. Select the Scheduled box.
    6. Set the desired Time Frame, Sort By, and Group By values. In this example, the selected values are Last 7 Days, Threats, and App Category, respectively.
    7. Define the query so that the report only includes traffic that hit the interzone-default rule:
       (rule eq interzone-default)
       The resulting custom report settings look like this:
    8. Commit the changes.
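The scheduled report above is the place to look on the firewall itself; the script below is an added example (not part of this page or of PAN-OS) that applies the same filter and grouping offline to a CSV export of the Traffic log, so you can triage a large batch of interzone-default hits in one pass. It assumes the export header names shown in the constructed sample (Source Zone, Destination Zone, Source address, Destination address, Application, Rule, Action, Bytes); the sample rows are made up for this example and deliberately simplified, and the "investigate" versus "review-allow-rule" split is a heuristic of this script, not anything the firewall computes.

```python
"""Summarize and triage Traffic log rows that hit the interzone-default rule."""
import csv
import io
from collections import defaultdict

# Constructed sample export (simplified: a real Traffic log CSV export carries
# many more columns). Header names are assumed to match the export.
SAMPLE_CSV = """Receive Time,Source Zone,Destination Zone,Source address,Destination address,Application,Rule,Action,Bytes
2024/05/01 10:00:01,dc-web,dc-db,10.1.1.10,10.2.2.20,mysql,allow-web-to-db,allow,5120
2024/05/01 10:00:05,dc-web,dc-db,10.1.1.10,10.2.2.21,ssh,interzone-default,deny,0
2024/05/01 10:00:06,dc-web,dc-db,10.1.1.10,10.2.2.22,ssh,interzone-default,deny,0
2024/05/01 10:00:07,dc-web,dc-mgmt,10.1.1.10,10.3.3.5,snmp,interzone-default,deny,0
2024/05/01 10:00:08,dc-web,dc-mgmt,10.1.1.10,10.3.3.5,ms-rdp,interzone-default,deny,0
2024/05/01 10:00:12,dc-app,dc-db,10.4.4.9,10.2.2.20,mysql,interzone-default,deny,0
2024/05/01 10:00:15,dc-app,dc-db,10.4.4.9,10.2.2.20,mysql,interzone-default,deny,0
2024/05/01 10:00:18,dc-app,dc-db,10.4.4.9,10.2.2.20,mysql,interzone-default,deny,0
"""

RULE = "interzone-default"


def parse_traffic_log(text):
    """Parse a CSV export into a list of dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))


def hits_rule(row, rule=RULE):
    """Offline equivalent of the log filter (rule eq <name>)."""
    return row["Rule"] == rule


def summarize(rows, rule=RULE):
    """Group hits on `rule` by (source zone, destination zone, application),
    like the custom report: session count, total bytes, distinct sources."""
    agg = {}
    for row in rows:
        if not hits_rule(row, rule):
            continue
        key = (row["Source Zone"], row["Destination Zone"], row["Application"])
        entry = agg.setdefault(key, {"sessions": 0, "bytes": 0, "sources": set()})
        entry["sessions"] += 1
        entry["bytes"] += int(row["Bytes"])
        entry["sources"].add(row["Source address"])
    return agg


def triage(rows, rule=RULE, scan_threshold=3, repeat_threshold=3):
    """Heuristic split of the blocked traffic (this script's assumption):
      - a source denied towards >= scan_threshold distinct
        (destination address, application) pairs looks like probing
        -> 'investigate'
      - a source denied >= repeat_threshold times for the same
        (destination zone, application) is probably a missing allow rule
        -> 'review-allow-rule:<zone>/<app>'
    """
    targets = defaultdict(set)   # source -> {(dst address, app)}
    repeats = defaultdict(int)   # (source, dst zone, app) -> count
    for row in rows:
        if not hits_rule(row, rule):
            continue
        src = row["Source address"]
        targets[src].add((row["Destination address"], row["Application"]))
        repeats[(src, row["Destination Zone"], row["Application"])] += 1
    verdicts = {}
    for src, seen in targets.items():
        if len(seen) >= scan_threshold:
            verdicts[src] = "investigate"
    for (src, dzone, app), n in repeats.items():
        if n >= repeat_threshold and src not in verdicts:
            verdicts[src] = f"review-allow-rule:{dzone}/{app}"
    return verdicts


if __name__ == "__main__":
    log_rows = parse_traffic_log(SAMPLE_CSV)
    for (szone, dzone, app), e in sorted(summarize(log_rows).items()):
        print(f"{szone:>8} -> {dzone:<8} {app:<8} sessions={e['sessions']} "
              f"bytes={e['bytes']} sources={len(e['sources'])}")
    for src, verdict in sorted(triage(log_rows).items()):
        print(f"{src:<12} {verdict}")
```

Run it against your own export by replacing SAMPLE_CSV with the file contents; the thresholds are starting points, and a "review-allow-rule" verdict is a prompt to confirm the flow with the application owner before writing a rule scoped to that source, destination zone, and application, never a reason to allow it blindly.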
