Performance impact / Best Practice: Log firewall rules

Question

Hi there, 
 as the title says, i'm searching for information, how much the performance of a XGS (2100) firewall it will cost, if i activate the logging of most of our firewall rules? 
 I have in mind for many years, that logging of firewall rules should be only activated in cases, where you have to troubleshoot errors - because of a possible performance decrease. 
 But as our business grows, we want to be able to check logs some days back for troubleshooting or - in case of a possible attack from the outside - to check, which internal systems may have been accessed/attacked. 
 We run a XGS 2100-Cluster with about 50 local users and ~5 branch offices. The branch offices only access local servers and services; we don't route all traffic from there through our XGS. CPU is mainly at ~10-15% load. 
 I searched a little bit in the Sophos Community/Google, but i don't find any advice or facts (like: "i activated logging on 20 rules and have 10% more CPU used"); the little information i found, also in some Knowledge base-Articles from Sophos is, that logging firewall rules has "not many impact on the performance of the XG". 
 Actual, we don't use a external syslog server - it is planned for the future; but for now, i wan't to log with the XG itself. 
 Thanks in advance! 
 Bastian

PhilippRusch · Accepted Answer

My experience is the same like apijnappels , it doesn't cost that much. 
 And additionally, if you hunt for some error, you always wish you had turned logging on before and not "on demand". 
 My opinion: if that is slowing down your system, you need a bigger firewall model.

Michael Dunn · Answer

The reporting subsystem is called garner. Various services and component send logs to garner, which stores in a database for display in the Log Viewer and Reports. service debug logs are separate, text files on disk. garner has a system in place that limits the amount of log events it will accept per minute. It does this in order to prevent itself from taking too much resources. Every minute it will accept up to 60,000 log events. More than that it will drop the log events. Currently this limit is the same on every box - large and small. As far as I know in a future release the limit is increasing (for large boxes?). 
 The effect is that if an administrator put on lots of extra logging for firewall rules it will not result in high cpu / resource usage. Instead it will result in random log drops. Random because they could be logs from any subsystem (though if firewall is logging the most it is most likely firewall logs dropped). 
 The dropping of logs is not visible to the admin. I have seen this on many customer boxes and I frequently need to recommend to customers to reduce unnecessary firewall logging. This is in part because if I am trying to diagnose issues on their box it is hard if I cannot rely on logs appearing. It is more common to see dropped logs on larger/busier boxes. 
 If you want look at your own system, on the command line: grep "Drop events" /log/garner.log MESSAGE Aug 25 00:51:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 44285 MESSAGE Aug 25 00:52:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 131932 MESSAGE Aug 25 00:53:00Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '60001', Drop events count 42700 MESSAGE Aug 25 00:53:59Z [4151387584]: sethreshold_event[Sethreshold]SE COUNT: '3932', Drop events count 0 You can see here that once a minute it logs to the debug log. On this customer box in minute 1 there were 104,000 log events, the first 60,000 were logged and the remaining 44,000 dropped. The next minute there were 191,000 log events, then 102,000 events, then 4000 events. Events log can be bursty and in fact on this customer at this time of day 4000-5000 log per minute is most common. The garner protection of dropping logs does not affect them on their normal business but protects them from performance issues when the logging was 20x normal for 4 minutes. 
 Recommendations: 1) In Log Settings, disable the log for "Invalid Traffic". This is quite noisy and not useful unless you are trying to diagnose a problem. 
 2) In the Firewall Rules, take a look at the rules that are Action=Accept and that have the highest in/out byte count. Make sure those have Log firewall traffic off. Firewall Rules that have low traffic it is fine, and those that you are doing Drop or Reject you probably want to keep log on. You can use a filter for firewall rules to help find rules that have log on. 
 3) If you have a bottom Drop All rule I would only turn on logging if you are trying to diagnose an issue.

apijnappels · Answer

I'm not sure if and if so how much performance it costs, but we are logging almost all firewall rules on all of our firewalls. We have 2 sites with XG210 and XG230 with respectively 50 and 80 users and we have some smaller sites with smaller devices. 
 We don't notice any lagging on the firewalls and our 500Mbps line can be fully used if necessary. 
 We even have a drop rule with logging at the end of all rules since we find this very helpfull sometimes to figure out why something is not working (new applications that use their own ports to communicate to the outside world for example).

Mayur Makvana · Answer

Hello, 
 Thank you for contacting Sophos Community! 
 It is suggested to enable Firewall Logging to get the proper reporting for external connections. However, we must also consider the limitations we have for disk usage. 
 You must enable only the log settings most important for your reporting requirement. You can choose it from Configure -> System Services -> Log Settings: 
 https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/SystemServices/LogSettings/index.html 
 
 Additionally, you must consider the disk usage and hence choose the report retention period lower to tackle the high disk utilization from now on. You must review the settings from Monitor & Analyze -> Show Reports Settings -> Data Management: 
 
 Note: It is suggested to use external reporting like Central Firewall Reporting or External syslog server.

Performance impact / Best Practice: Log firewall rules

Top Replies