Click Log and then select the Log Settings tab. A window
similar to that in Figure 34 is displayed. Alternatively select
Log/Alert Settings from the home screen graphic.
Figure 34 Log Settings window

1 Mail Server
To enable sending log or alert messages via e-mail, you must specify the numerical IP address of the SMTP server. You can obtain this information from the Internet Service Provider that you use to connect the network to the Internet or use the DNS Lookup tool (see page 90) to find the IP address of the mail server, if you know its name. If you leave this box blank, log and alert messages are not sent via e-mail.
2 Send Log To
This is the e-mail address to which log files are sent and must be a fully qualified address, for example, username@3com.com. Once sent, the log file is cleared from the Internet Firewall’s memory. If you leave this box blank, log messages are not sent by e-mail. You can configure the Internet Firewall to check on a weekly basis if new software is available for download. See “Upgrading the Software” on page 96 for more information. If there is a new software release, an e-mail notification is sent to this address.
3 Send Alerts To
Alerts are events, such as an attack, which may warrant immediate attention. When an event generates an alert, a message is immediately sent to an e-mail account or e-mail pager. Enter the e-mail address, for example, username@3com.com, to which alert messages are sent in this box. This may be a standard e-mail account or, quite often, a paging service. If you leave this box blank, alert messages are not sent by e-mail.
4 Return Address
Enter an e-mail address in this box for the Internet Firewall to use as the return address for all log and alert messages sent. This serves two functions:
1 If the mail server has spam filtering enabled, a valid address may be required for mail to be delivered.
2 Organizations with multiple Internet Firewalls may use different e-mail addresses to identify the source of the message.
The default entry is: log@internet firewall
5 Syslog Server
In addition to the standard screen log, the Internet Firewall can write extremely detailed event log information to an external Syslog server. Syslog is an industry standard protocol used for capturing log information for devices on a network. The Internet Firewall’s Syslog captures all screen log activity, plus every connection’s source and destination IP addresses, IP service, and number of bytes transferred. To support Syslog, you must have an external server running a Syslog daemon on UDP port 514. Syslog is a standard feature of UNIX.
Enter the Syslog server’s IP address in the Syslog Server box.
6 E-mail Log Now
Immediately sends the log to the address in the Send Log To box and then clears the log.
7 Clear Log Now
Deletes the contents of the log.
8 Send Log
This pop-up menu is used to configure the frequency of log messages being sent as e-mail: Daily, Weekly, or only When the Log is Full. If the Weekly or the Daily option is selected, specify a time of day when the e-mail is to be sent. If the Weekly option is selected, then also specify which day of the week the e-mail is to be sent. If the Weekly or Daily option is selected and the log fills up, it is automatically e-mailed to the Send Log To address and cleared.
9 When Log is Full
In some cases, the log buffer may fill up, which can happen if there is a problem with the mail server and the log cannot be successfully e-mailed. By default the Internet Firewall overwrites the log and discards its contents. However, you can choose to shut down the Internet Firewall, which prevents any further traffic from traveling through without being logged.
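One way to confirm that the Syslog server is receiving the Internet Firewall's messages on UDP port 514 is a small listener like the one below. This is an added example, not part of the 3Com documentation; the function names, the firewall_ip parameter and the sample datagram are assumptions made for the illustration.

```python
import re
import socket

# Facility and severity names in RFC 3164 numeric order.
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv "
              "ftp ntp audit alert clock local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()
PRI = re.compile(rb"^<(\d{1,3})>")

def parse_syslog(datagram: bytes) -> dict:
    """Decode the <PRI> prefix of a BSD syslog datagram and return its text."""
    m = PRI.match(datagram)
    if m and int(m.group(1)) <= 191:
        pri, body = int(m.group(1)), datagram[m.end():]
    else:                       # RFC 3164: missing or invalid PRI means 13
        pri, body = 13, datagram
    return {"facility": FACILITIES[pri >> 3],
            "severity": SEVERITIES[pri & 7],
            "text": body.decode("utf-8", "replace").rstrip("\r\n\x00")}

def collect(firewall_ip, bind_ip="0.0.0.0", port=514, count=5, timeout=30.0):
    """Receive up to `count` datagrams, keeping only those from firewall_ip.

    UDP syslog is unauthenticated, so datagrams from any other source address
    are counted and dropped instead of being stored as firewall records.
    Binding to port 514 normally requires administrator privileges.
    """
    accepted, rejected = [], 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        sock.settimeout(timeout)
        while len(accepted) < count:
            try:
                data, (src, _sport) = sock.recvfrom(4096)
            except socket.timeout:
                break           # nothing more arrived within the timeout
            if src == firewall_ip:
                accepted.append(parse_syslog(data))
            else:
                rejected += 1
    return accepted, rejected

# Constructed sample datagram; the firewall's real message text is not shown
# on this page, so the body here is invented.
SAMPLE = b"<134>constructed sample: connection 192.168.1.10 -> 203.0.113.7\n"
```

An empty result from collect() after the timeout means no datagram from the firewall's address reached the server, which points to the Syslog Server box or to filtering between the two hosts.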
Log Categories
Click this check box to enable or disable the generation of the following log message categories.
1 System Maintenance
When enabled, log messages showing general system maintenance activity, such as administrator logins, automatic loading of Web Site Filters, activation and restarting the Internet Firewall, are generated. This is enabled by default.
2 System Errors
When enabled, log messages showing problems with DNS, e-mail, and automatic Web Site Filter loading are generated. This is enabled by default.
3 Blocked Web Sites
When enabled, log messages showing Web sites, newsgroups, or other services blocked by the Web Site Filter, by keyword, or for any other reason are generated. This is enabled by default.
4 Blocked Java, ActiveX, and Cookies
When enabled, log messages showing Java, ActiveX, and Cookies which are blocked by the Internet Firewall are generated. This is enabled by default.
5 User Activity
When enabled, log messages showing any successful or unsuccessful user logins will be generated. This is enabled by default.
6 Attacks
When enabled, log messages showing SYN Floods, Ping of Death, IP Spoofing, and attempts to manage the Internet Firewall from the Internet are generated. This is enabled by default.
7 Dropped TCP
When enabled, log messages showing blocked incoming TCP connections are generated. This is enabled by default.
8 Dropped UDP
When enabled, log messages showing blocked incoming UDP packets are generated. This is enabled by default.
9 Dropped ICMP
When enabled, log messages showing blocked incoming ICMP packets are generated. This is enabled by default.
10 Network Debug
When enabled, log messages showing Ethernet broadcasts, ARP resolution problems, ICMP redirection problems, and NAT resolution problems are generated. This category is intended for experienced network administrators. This is disabled by default.
Alert Categories
Alerts are events, such as an attack, which may warrant immediate attention. When an event generates an alert, a message is immediately sent to the e-mail account defined in the Send Alerts To box on the Log Settings window (see page 85).
1 Attacks
When enabled, all log entries that are categorized as an Attack are generated as an alert message. This is enabled by default.
2 System Errors
When enabled, all log entries that are categorized as a System Error are generated as an alert message. This is enabled by default.
3 Blocked Web Sites
When enabled, all log entries that are categorized as a Blocked Web Site are generated as an alert message. This is disabled by default.
Use Log Redundancy Filters
Prevents duplicate consecutive log messages from being generated. Because of network retry mechanisms, duplicate consecutive messages are common. If you select the Use Log Redundancy Filters check box, a log entry identical to the previous entry is not generated. This is enabled by default.
Click Update to send the configuration data to the Internet Firewall.
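The following added example (not 3Com code) models the When Log is Full choice and the Use Log Redundancy Filters setting described above, so the effect of each setting on the same burst of events can be compared. The class, its field names, the buffer capacity and the event strings are assumptions; the page gives neither the firewall's real log size nor its message format.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LogBuffer:
    """Toy model of the log behaviour described above (not 3Com firmware)."""
    capacity: int                     # assumed size; the page gives no figure
    on_full: str = "overwrite"        # page default; alternative: "shutdown"
    redundancy_filter: bool = True    # page default
    mail_ok: bool = True              # False models an unreachable mail server
    entries: List[str] = field(default_factory=list)
    mailed: List[str] = field(default_factory=list)
    suppressed: int = 0               # duplicates dropped by the filter
    lost: int = 0                     # entries discarded without being mailed
    refused: int = 0                  # events arriving after shutdown
    running: bool = True
    last: Optional[str] = None

    def record(self, msg: str) -> None:
        if not self.running:          # fail closed: traffic stops, nothing unlogged
            self.refused += 1
            return
        if self.redundancy_filter and msg == self.last:
            self.suppressed += 1      # identical to the previous entry
            return
        self.entries.append(msg)
        self.last = msg
        if len(self.entries) >= self.capacity:
            self._handle_full()

    def _handle_full(self) -> None:
        if self.mail_ok:              # normal case: e-mail the log, then clear it
            self.mailed.extend(self.entries)
            self.entries.clear()
        elif self.on_full == "overwrite":
            self.lost += len(self.entries)   # audit trail is silently discarded
            self.entries.clear()
        else:
            self.running = False      # "shutdown": keep the log, stop traffic

def replay(events, **settings) -> LogBuffer:
    """Feed a list of events through a LogBuffer built with `settings`."""
    buf = LogBuffer(**settings)
    for event in events:
        buf.record(event)
    return buf

# Constructed sample events (format invented for the example).
A = "dropped tcp 203.0.113.7 -> 192.168.1.10:23"
B = "dropped udp 203.0.113.7 -> 192.168.1.10:161"
C = "syn flood from 203.0.113.9"
SAMPLE = [A, A, A, B, A, C, C, "dropped icmp 203.0.113.7"]
```

With the mail server unreachable, replay(SAMPLE, capacity=2, mail_ok=False) ends with four entries lost under the default overwrite setting, while adding on_full="shutdown" keeps the two stored entries and refuses the four later events.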