Click Log and then select the View Log tab. A window
similar to that in Figure 33 is displayed.
Figure 33 View Log window

The log is displayed as a list in a table, but may appear differently when viewed with various browsers. You may have to adjust the browser's font size and other viewing characteristics to display the log data most efficiently.
Depending on the browser, you can copy entries from the log and paste them into documents. Alternatively, use the e-mail log function and review the log with an e-mail client rather than with a web browser.
Each log entry contains the date and time of the event, and a brief message describing the event. Some entries contain additional information. Much of this information refers to the Internet traffic passing through the Internet firewall.
1 TCP, UDP, or ICMP packets dropped
These log messages describe all traffic blocked from the Internet to the LAN. The source and destination IP addresses of the packet are shown. If the packet was TCP or UDP, the port number, in parentheses, follows each address. If the packet was ICMP, the number in parentheses is the ICMP code. The address information is usually preceded by the name of the service described by either the TCP or UDP port, or the ICMP type in quotation marks.
2 Web, FTP, Gopher, or newsgroup blocked
The LAN IP and Ethernet addresses of a machine that attempted to connect to the blocked site or newsgroup are displayed. In most cases, the name of the site which was blocked will also be shown. In addition, there is a box labeled Rule which contains one or more lowercase letters. These correspond to the categories in the web site filter as follows:
a = violence/profanity
b = partial nudity
c = full nudity
d = sexual acts
e = gross depictions
f = intolerance
g = satanic/cult
h = drug culture
i = militant/extremist
j = sex education
k = gambling/illegal
l = alcohol/tobacco
See Chapter 5 for more information about these categories.
3 ActiveX, Java, or code archive blocked
The IP addresses of the source machine and the destination server are shown.
When ActiveX or Java code is compressed into an archive it is not always possible to differentiate between the two. If either ActiveX or Java blocking is enabled, all code archives are blocked.
1 Cookie blocked
The IP addresses of the local machine and the remote server are shown.
2 Ping of Death, IP spoof, and SYN flood attacks
The IP address of the destination machine which may be under attack, as well as the source address which appears in the packet, are shown. In these attacks, the source address shown is usually fake and usually cannot be used to determine the source of the attack.
Varying conditions on the Internet can produce what appears to be an attack, even when no one is deliberately attacking one of the machines on the LAN or DMZ. This is particularly true for SYN flood attacks.
If the log message calls the attack "possible", or it only happens on an irregular basis, then there is probably no attack in progress. If the log message calls the attack "probable", contact the ISP to see if they can track down the source of the attack. In either case, the LAN and DMZ are protected and you do not need to take further steps.
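The following is an added example, not part of the original manual or the firewall's software. It triages an e-mailed log by expanding the Rule letters into filter categories and separating "probable" attack entries (contact the ISP) from "possible" ones. The line layout, the `triage` and `decode_rule` names, and the sample entries are assumptions made for illustration, since the manual does not show a raw log line.

```python
import re
from collections import Counter

# Rule-box letters mapped to the web site filter categories listed above.
CATEGORIES = dict(zip("abcdefghijkl", [
    "violence/profanity", "partial nudity", "full nudity", "sexual acts",
    "gross depictions", "intolerance", "satanic/cult", "drug culture",
    "militant/extremist", "sex education", "gambling/illegal", "alcohol/tobacco",
]))

# Constructed sample entries; this line layout is an assumption, not the device's format.
SAMPLE_LOG = """\
2001-03-14 10:02:11 Web site blocked 192.168.1.20 blocked.example Rule: ad
2001-03-14 10:05:40 Possible SYN flood attack src 203.0.113.9 dst 192.168.1.5
2001-03-14 10:05:52 Probable SYN flood attack src 203.0.113.9 dst 192.168.1.5
2001-03-14 10:07:03 Web site blocked 192.168.1.31 other.example Rule: kz
"""

ATTACK = re.compile(r"\b(possible|probable)\b.*\battack\b", re.IGNORECASE)
RULE = re.compile(r"\bRule:\s*([a-z]+)\s*$")


def decode_rule(letters):
    """Expand Rule-box letters to category names; unknown letters stay visible."""
    return [CATEGORIES.get(ch, f"unknown rule letter '{ch}'") for ch in letters]


def triage(log_text):
    """Split attack entries by the message's own wording and tally blocked categories."""
    report = {"contact_isp": [], "likely_benign": [], "categories": Counter()}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        attack = ATTACK.search(line)
        rule = RULE.search(line)
        if attack:
            # "probable" means ask the ISP to trace; "possible" means probably no attack.
            key = "contact_isp" if attack.group(1).lower() == "probable" else "likely_benign"
            report[key].append(line)
        elif rule:
            report["categories"].update(decode_rule(rule.group(1)))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Contact ISP about:", *result["contact_isp"], sep="\n  ")
    print("Probably not attacks:", len(result["likely_benign"]))
    print("Blocked categories:", dict(result["categories"]))
```

Because the source address in these attack entries is usually fake, the report keeps the whole line for the ISP rather than extracting a single address to act on.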