
clear firewall events after tuning and firewall sanity check

Hi,

I would like to know how you guys do the clearing of firewall events. I have a lot of Apple devices and they were kicking up NTP firewall errors until I made a rule that allowed NTP out of my network. It seems more likely that for firewall tuning you would allow all outbound NAT connections for home users but log them, then look at the highest traffic hitting the final rule and, if that traffic is valid, make a rule above the last one and let that through. Do the same thing the next day or week until the final drop rule has very little or NO traffic in it.

The next thing is the firewall reporting.

Is there an easy way to analyze (hint: I am suggesting separate inbound and outbound GUI presentations on the web admin dashboard):

1) outbound firewall events (to see if I need to tweak and tune some of the firewall rules for outbound NATed traffic)

2) inbound firewall events (just to make sure my geolocation rules are working)

Thanks,

Joe



  • To clear events in reporting, the only supported way is to change the retention period at Logging & Reporting > Reporting Settings > Settings. For historical information, built-in firewall reports can be found at Logging & Reporting > Network Protection > Firewall. If you require more detailed information than is available in the pre-canned reports, you can parse through the raw Firewall Log using 3rd party software, your own scripting ability, or grep/awk from the shell. For live information you can use the live logs and Flow Monitor (search in the built-in help to learn more about Flow Monitor).

    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Scott,

    For sanity checking and tuning I like clearing the counters, the same as on a Cisco router/switch interface I am trying to troubleshoot. I will use that tip.

    So this morning I go and look and I have a lot of events; the top 98/100 are from China. I have GEOIP block set to block ALL of China for inbound and outbound. I thought if I had a GEOIP block set up those would never hit the firewall or get logged, they would just get dropped.

    Thanks,
    Joe