Step 5: Enable Logging for Traffic That Doesn’t Match Any Rules

Internet gateway traffic that flows between zones and that doesn't match the rules you defined matches the predefined interzone-default rule at the bottom of the rulebase and is denied. (The predefined intrazone-default allow rule matches traffic within the same zone by default; only traffic between different zones is denied by default.) To gain visibility into the traffic that doesn't match the allow and block rules you created, enable logging on the interzone-default rule:
  1. Select the row with the interzone-default rule in the rulebase and Override the rule to edit it.
  2. Select the interzone-default rule name to open the rule for editing.
  3. On the Actions tab, select Log at Session End and then click OK.
  4. To view the log information in one place, create a custom report to monitor traffic that matches the interzone-default rule:
    1. Select Monitor > Manage Custom Reports.
    2. Add a report and give it a Name that describes the content and purpose of the report.
    3. Set the Database to Traffic Summary.
    4. Select the Scheduled check box.
    5. Set the Time Frame to specify the time period each report covers, set Sort By to sort the information by bytes, sessions, packets, or threats, and set Group By to determine how the information is grouped (by time, application, risk, etc.).
    6. Add Rule, Application, Bytes, and Sessions to the Selected Columns list.
    7. Define the query to match traffic that matches the interzone-default rule:
      (rule eq 'interzone-default')
  5. Commit the changes you made to the rulebase.
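
The grouping that the custom report in step 4 performs can also be applied offline to exported traffic logs. The Python below is an added example, not part of the original documentation: the CSV layout, the `Source Zone` and `Destination Zone` columns, and the sample rows are constructed assumptions, and each row is treated as one session logged at session end.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: a simplified traffic-log export. Column names are
# assumptions modelled on the report columns named above (Rule, Application,
# Bytes); one row stands for one session logged at session end.
SAMPLE_CSV = """\
Rule,Application,Source Zone,Destination Zone,Bytes
allow-web,web-browsing,trust,untrust,48211
interzone-default,ssh,untrust,dmz,312
interzone-default,ssh,untrust,dmz,296
interzone-default,ms-rdp,untrust,trust,1180
allow-dns,dns,trust,untrust,142
interzone-default,unknown-tcp,guest,trust,74
interzone-default,ssh,guest,dmz,120
"""

def summarize_unmatched(csv_text, rule="interzone-default", sort_by="bytes"):
    """Group sessions that hit `rule` by application, like the custom report."""
    if sort_by not in ("bytes", "sessions"):
        raise ValueError("sort_by must be 'bytes' or 'sessions'")
    totals = defaultdict(lambda: {"sessions": 0, "bytes": 0, "zones": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Rule"] != rule:  # same filter as (rule eq 'interzone-default')
            continue
        entry = totals[row["Application"]]
        entry["sessions"] += 1
        entry["bytes"] += int(row["Bytes"] or 0)
        # Zone pairs show where a missing allow or explicit block rule belongs.
        entry["zones"].add((row["Source Zone"], row["Destination Zone"]))
    report = [
        {"application": app, "sessions": t["sessions"], "bytes": t["bytes"],
         "zones": sorted(t["zones"])}
        for app, t in totals.items()
    ]
    # Largest first; application name breaks ties so the order is stable.
    report.sort(key=lambda r: (-r[sort_by], r["application"]))
    return report

if __name__ == "__main__":
    for r in summarize_unmatched(SAMPLE_CSV):
        pairs = ", ".join(f"{s}->{d}" for s, d in r["zones"])
        print(f"{r['application']:<12} sessions={r['sessions']:<3} "
              f"bytes={r['bytes']:<6} {pairs}")
```

Applications that recur in this output are candidates for an explicit allow or block rule higher in the rulebase, so that they stop falling through to interzone-default.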