Log Intra Data Center Traffic That Matches the Intrazone
Data centers are a good place for attackers to hide because
security often focuses on users and overlooks servers. Log east-west
traffic between servers and look for anomalous behaviors that may
indicate the presence of an attacker.
By default, all intrazone traffic (source
and destination in the same zone) is allowed. After the firewall
evaluates Security policy, it either allows traffic controlled by
application whitelist rules, denies traffic controlled by block
rules, or if intrazone traffic matches no rules, the firewall allows
it by default. (The firewall blocks interzone traffic by default.)
Because of the valuable nature of data center assets, the best practice
is to monitor all traffic inside the data center between data center
servers, including traffic allowed by the intrazone default allow rule.
To gain visibility into this traffic, enable logging on the intrazone-default
rule when it applies to traffic within zones inside the data center.
Logging this traffic gives you the opportunity to examine access
that you have not explicitly allowed and which you may want to either
explicitly allow by modifying a whitelist rule or explicitly block.
Select the intrazone-default row in the rulebase to enable editing,
and then select the name to edit the rule.
On the Actions tab, select Log at Session End.
Create a custom report to monitor traffic that hits this
rule for the internal data center zones.
Manage Custom Reports: add a report and give it a descriptive
name. In this example, the name is
Log Intrazone-Default Rule-DC.
Select the traffic log from the list (the report examines traffic
that hits the rule). If there are other
types of information you want to monitor, select those as well.
Set the desired
values. In this example, the selected
Define the query to match traffic that matches the intrazone-default
rule for the data center zones:
(rule eq intrazone-default) and ((zone eq Web-Server-Tier-DC) or (zone eq App-Server-Tier-DC) or (zone eq DB-Server-Tier-DC))
The query filters for traffic that matches the intrazone-default rule
and also matches any of the three internal data center zones that
we defined. Because the default
zones, the report shows the zone for each session. In a real-world
data center, you would probably have more zones and you would add
each zone to the query. The resulting custom report settings look
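The following is an added example, not part of the original page or of PAN-OS itself, that shows what the report query above does when run over traffic log records. It parses the filter expression (parentheses, `eq`, `neq`, `and`, `or`) into a small syntax tree and evaluates it against constructed log records. The records, the zone names, and the field layout are assumptions made for the example: in particular it assumes that `zone` matches either the source (`from`) or destination (`to`) zone of a session, which is how the report is meant to surface intra-zone sessions inside each data center tier.

```python
import re

# Constructed sample traffic-log records (not real firewall output).
# Each record carries the rule that matched and the source/destination zones.
SAMPLE_LOGS = [
    {"rule": "intrazone-default", "from": "Web-Server-Tier-DC", "to": "Web-Server-Tier-DC",
     "src": "10.1.1.10", "dst": "10.1.1.20", "app": "ssh"},
    {"rule": "intrazone-default", "from": "App-Server-Tier-DC", "to": "App-Server-Tier-DC",
     "src": "10.2.1.5", "dst": "10.2.1.9", "app": "ms-rdp"},
    {"rule": "intrazone-default", "from": "Users", "to": "Users",
     "src": "192.168.5.4", "dst": "192.168.5.7", "app": "smb"},
    {"rule": "Allow-Web-to-App", "from": "Web-Server-Tier-DC", "to": "App-Server-Tier-DC",
     "src": "10.1.1.10", "dst": "10.2.1.5", "app": "web-browsing"},
    {"rule": "intrazone-default", "from": "DB-Server-Tier-DC", "to": "DB-Server-Tier-DC",
     "src": "10.3.1.2", "dst": "10.3.1.3", "app": "mysql"},
]

# The report query from the page, for the three data center zones.
DC_ZONE_QUERY = (
    "(rule eq intrazone-default) and ((zone eq Web-Server-Tier-DC) "
    "or (zone eq App-Server-Tier-DC) or (zone eq DB-Server-Tier-DC))"
)

# Parentheses are their own tokens; everything else is split on whitespace.
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")


def tokenize(query):
    return TOKEN_RE.findall(query)


class Parser:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*,
    and_expr := atom ('and' atom)*, atom := '(' or_expr ')' | field op value."""

    def __init__(self, tokens):
        self.toks = tokens
        self.pos = 0

    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "or":
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.atom()
        while self.peek() == "and":
            self.take()
            node = ("and", node, self.atom())
        return node

    def atom(self):
        if self.peek() == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return node
        field, op, value = self.take(), self.take(), self.take()
        if op not in ("eq", "neq"):
            raise ValueError(f"unsupported operator {op!r}")
        return (op, field, value)


def field_values(record, field):
    # Assumption for this example: 'zone' matches either end of the session.
    if field == "zone":
        return {record.get("from"), record.get("to")}
    return {record.get(field)}


def evaluate(node, record):
    kind = node[0]
    if kind == "and":
        return evaluate(node[1], record) and evaluate(node[2], record)
    if kind == "or":
        return evaluate(node[1], record) or evaluate(node[2], record)
    _, field, value = node
    matched = value in field_values(record, field)
    return matched if kind == "eq" else not matched


def run_report(query, records):
    """Return the records that satisfy the filter query."""
    ast = Parser(tokenize(query)).parse()
    return [r for r in records if evaluate(ast, r)]


def summarize_by_zone(matches):
    """Count matched sessions per (source zone, destination zone) pair."""
    counts = {}
    for r in matches:
        key = (r["from"], r["to"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = run_report(DC_ZONE_QUERY, SAMPLE_LOGS)
    for r in hits:
        print(f"{r['from']:>20} -> {r['to']:<20} {r['src']:>12} -> {r['dst']:<12} {r['app']}")
    print(summarize_by_zone(hits))
```

Of the five constructed records, three match: the Users-zone session is dropped because its zone is not one of the data center tiers, and the Web-to-App session is dropped because it hit an explicit whitelist rule rather than intrazone-default. Those three are exactly the sessions the page says you want to review, since nothing in the rulebase explicitly authorized them.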