Configuring logs

There are two types of logs:

• Standard activity logs that are enabled by default and which can be configured in the module Configuration > Notifications > Logs - Syslog - IPFIX.
• Filter and NAT logs that are disabled by default and which can be configured in the module Configuration > Security policy > Filter - NAT:
  • In the window to edit filter rules, Action menu, General tab, Log level field,
  • In the window to edit NAT rules, Options menu, Log level field.
  
  Filter and NAT logs must only be enabled temporarily to diagnose issues.

Logs are saved locally by default on the hard disk or on an SD card. They can also be sent to a Syslog server or an IPFix collector.

1. Go to Configuration > Notifications > Logs - Syslog - IPFIX.
2. Switch on the ON/OFF switch depending on where you wish to send logs: local, Syslog and/or IPFix. For example, if you choose to view logs only through SIEM tools, enable a Syslog profile and disable local storage and the IPFIX collector.
   
   If local storage is disabled, only the most recent logs stored in the RAM (about 200 logs per category) can be viewed in the web administration interface on the firewall. Older logs will not be displayed.

All standard activity logs are enabled by default and can be viewed in the web administration interface. Only filter and NAT logs are disabled by default. Disable all logs that you do not need.

This feature is not available for IPFix collectors.

1. Go to Configuration > Notifications > Logs - Syslog - IPFIX.
   
2. For local storage, disable log families by double-clicking in the Enabled column in the table Configuration of the space reserved for logs. You can adjust the percentage of disk space according to your needs.
   For the Syslog server, disable log families by double-clicking in the Status column in Advanced properties.
   

   Logs disabled for local storage will not appear in the web administration interface of the firewall.

For more information, refer to the section Logs-Syslog-IPFIX in the User guide.

Traffic that goes through a filter or NAT rule generate logs by default in the Network connections log, or in the Application connections log if a plugin conducts application analyses in IPS or IDS mode. Only connections with a "Pass" action and in TCP/UDP are logged

To check the effectiveness of a filter or NAT rule, you can generate additional logs that do not appear in other logs:

• Logs of all traffic that a filter rule has blocked,
• Logs of all traffic to which address translation (NAT) has been applied,
• Logs of all traffic directly above the IP layer that matches a filter rule, regardless of whether it has been passed or blocked.

Enable verbose mode with care and only for the duration of the check, as a large volume of logs will be generated, including duplicates of standard activity logs. This may cause a log overflow and slow down the performance of the firewall.

Such logs appear in the Logs - Audit logs > Filtering monitoring menu in the web administration interface and are saved in the l_filter log file.

1. Go to the menu Configuration > Security policy > Filter - NAT.
2. Double-click in the Action column of the filter rule. The Editing rule window appears.
3. In the Action menu:
   • General tab, choose the Verbose (filter log) log level,
   • Advanced properties tab, Logs section, select the location where logs for the rule will be saved. Do not check Disk if you do not wish to save such logs locally.
   • Advanced properties tab, Logs section, select Count to generate statistics in the l_count log on the number of times a rule has been executed.
4. Confirm changes to the rule by clicking on OK, then click on Apply.
5. Run your check by looking up the Network traffic or Filtering views in the web administration interface, or in the /log/l_filter file.
6. In the General tab in the window to edit filter rules, reset the log level to the default value Standard (connection log).