Log Data Center Traffic That Matches No Interzone Rules
By default, the firewall denies traffic between data center zones (interzone traffic) that matches no Security policy allow rule. Log and examine this traffic to identify attempted attacks and also traffic you may want to allow.
Traffic that doesn’t match any of the Security policy rules you configure matches the predefined interzone-default rule at the bottom of the rulebase and is denied. To gain visibility into traffic that doesn’t match a rule you explicitly configured, enable logging on the interzone-default rule. Logging this traffic gives you the opportunity to examine access attempts that you have not explicitly allowed, which may identify attack attempts or traffic for which you want to modify a whitelist rule to allow.
- Select the interzone-default row in the rulebase and click Override to enable editing the rule.
- Select the interzone-default rule name to edit the rule.
- On the Actions tab, select Log at Session End and click OK.
- Create a custom report to monitor traffic that hits this rule.
  - Select Monitor > Manage Custom Reports.
  - Add a report and give it a descriptive Name. In this example, the name is Log Interzone-Default Rule.
  - Set the Database to Traffic Summary.
  - Select the Scheduled box.
  - From Available Columns, add Application, Risk of App, Rule, and Threat to the Selected Columns list. If there are other types of information you want to monitor, select those as well.
  - Set the desired Time Frame, Sort By, and Group By values. In this example, Sort By is Threats and Group By is App Category.
  - Define the query so that the report only includes traffic that hit the interzone-default rule: (rule eq interzone-default)
  [Screenshot of the resulting custom report settings]
- Commit the changes.
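If you forward traffic logs to a SIEM or export them as CSV, you can apply the same filter and grouping the custom report uses outside the firewall. The script below is an added example, not code from the page or from Palo Alto Networks: it reads a constructed CSV export with simplified column names (receive_time, src, dst, dport, app, category, risk, rule, action, threat; a real PAN-OS export has more columns), keeps only the sessions that matched the interzone-default rule (the report query rule eq interzone-default), groups them by application category sorted by threat count, and adds one heuristic the page does not describe: a source that hit the default rule against several distinct destinations, which is worth a look as a possible scan.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export for illustration (not real firewall logs).
# Five sessions hit interzone-default; the last one hit an explicit allow rule.
SAMPLE_TRAFFIC_CSV = """receive_time,src,dst,dport,app,category,risk,rule,action,threat
2024/05/01 10:00:01,10.1.1.10,10.2.2.20,445,ms-ds-smb,networking,4,interzone-default,deny,0
2024/05/01 10:00:02,10.1.1.10,10.2.2.21,445,ms-ds-smb,networking,4,interzone-default,deny,0
2024/05/01 10:00:03,10.1.1.10,10.2.2.22,445,ms-ds-smb,networking,4,interzone-default,deny,1
2024/05/01 10:00:04,10.1.1.50,10.2.2.20,3306,mysql,business-systems,3,interzone-default,deny,0
2024/05/01 10:00:05,10.1.1.60,10.2.2.30,22,ssh,networking,4,interzone-default,deny,0
2024/05/01 10:00:06,10.1.1.60,10.2.2.30,22,ssh,networking,4,allow-ssh-admin,allow,0
"""

TARGET_RULE = "interzone-default"


def load_rows(csv_text):
    """Parse a CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hits_for_rule(rows, rule=TARGET_RULE):
    """Equivalent of the report query (rule eq interzone-default)."""
    return [r for r in rows if r["rule"] == rule]


def summarize_by_category(hits):
    """Group by app category (the report's Group By) and sort by threat count
    (the report's Sort By), then by session count. Returns a list of
    (category, stats) tuples with sets converted to sorted lists."""
    groups = defaultdict(lambda: {"sessions": 0, "threats": 0, "max_risk": 0,
                                  "apps": set(), "sources": set()})
    for r in hits:
        g = groups[r["category"]]
        g["sessions"] += 1
        g["threats"] += int(r["threat"])
        g["max_risk"] = max(g["max_risk"], int(r["risk"]))
        g["apps"].add(r["app"])
        g["sources"].add(r["src"])
    ordered = sorted(groups.items(),
                     key=lambda kv: (-kv[1]["threats"], -kv[1]["sessions"]))
    return [(cat, {**v, "apps": sorted(v["apps"]), "sources": sorted(v["sources"])})
            for cat, v in ordered]


def sweep_sources(hits, min_targets=3):
    """Assumed heuristic (not from the page): a source denied by the default rule
    against min_targets or more distinct (dst, dport) pairs may be scanning."""
    targets = defaultdict(set)
    for r in hits:
        targets[r["src"]].add((r["dst"], r["dport"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    rows = load_rows(SAMPLE_TRAFFIC_CSV)
    hits = hits_for_rule(rows)
    print(f"{len(hits)} of {len(rows)} sessions hit {TARGET_RULE}")
    for cat, stats in summarize_by_category(hits):
        print(f"{cat}: sessions={stats['sessions']} threats={stats['threats']} "
              f"max_risk={stats['max_risk']} apps={stats['apps']} sources={stats['sources']}")
    for src, n in sweep_sources(hits).items():
        print(f"possible sweep: {src} was denied against {n} distinct destinations")
```

Traffic that shows up here repeatedly from the same source with no threat flagged is a candidate for an explicit allow rule if it is legitimate; a source spread across many destinations or ports is a candidate for investigation first.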