Log Data Center Traffic That Matches No Interzone Rules
By default, the firewall denies traffic between data
center zones (interzone traffic) that matches no Security policy
allow rule. Log and examine this traffic to identify attempted attacks
and also traffic you may want to allow.
Traffic that doesn’t match any of the Security
policy rules you configure matches the predefined interzone-default
rule at the bottom of the rulebase and is denied. To gain visibility into
traffic that doesn’t match a rule you explicitly configured, enable
logging on the interzone-default rule. Logging this traffic gives
you the opportunity to examine access attempts that you have not
explicitly allowed, which may identify attack attempts or traffic
for which you want to modify a whitelist rule to allow.
- Select the interzone-default row in the rulebase and clickOverrideto enable editing the rule.
- Select theinterzone-defaultrule name to edit the rule.
- On the Actions tab, selectLog at Session Endand clickOK.
- Create a custom report to monitor traffic that hits this rule.
- Select .
- Adda report and give it a descriptiveName. In this example, the name isLog Interzone-Default Rule.
- Set theDatabasetoTraffic Summary.
- Select theScheduledbox.
- FromAvailable Columns, addApplication,Risk of App,Rule, andThreatto theSelected Columnslist. If there are other types of information you want to monitor, select those as well.
- Set the desiredTime Frame,Sort By, andGroup Byvalues. In this example, the selected values areThreatsandApp Category, respectively.
- Define the query to match traffic that matches the interzone-default rule:(rule eq interzone-default)The resulting custom report settings look like this:
- Committhe changes.
