Default deny logging question

Reply
L2 Linker

Default deny logging question

I notice that if a connection comes in and does not hit any policy correctly I do not see the deny in the logs. I think this is because the default behavior of the intrazone-default  rule is not to log anything. Is there a down side to setting this to log events so that we can see when a connection fails? Sometimes from a troubleshooting perspective this would be helpful but I wonder if its not enabled for a reason by default. I assume because it will generate a lot of logs but was wondering what everyone else thinks before I do this. 

 

 

Tags (2)
L7 Applicator

Re: Default deny logging question

Hello,

I always turn on logging so I can see traffic even if its denied. I honestly never use the default inter/intra policies and put a DENY ALL one as my last policy and only then allow the traffic I want.

 

The down side is the logs will fill up faster and the PAN wont keep as much. But its worth that cost.

 

Cheers!

L6 Presenter

Re: Default deny logging question

I have used both intrazone and block-alll policy.

i prefer to now use the custom block-all policy and leave the intrazone stuff alone.

 

we use panorama for our logs so this policy is not set for forwarding. It just logs locally.

 

you can of course just enable/disable when needed for diags.

L2 Linker

Re: Default deny logging question

I have a deny all and log as the last rule post rule in Panorama. It applies to all firewalls, so the default inter-zone and intra-zone rules never get hit. More logs is the double-edged sword. If I don't want to see something, I have been known to put in a rule to block traffic and not forward it to Panorama.

L2 Linker

Re: Default deny logging question

Hi James,

 

from my point of view there is no downsite. If your ruleset is appropriate there is no reason to let the intra-/inter-zone Default rules not log events. As mentioned by other user you can have a deny/any/any rule before the default rules but this is basically only useful if you have setup policies for everything. Imagine some customer/partner wants to setup a VPN with your outside interface. As he is based within the outside zone as well as your outside interface this would normally hit the "intra-zone default rule" - which can not being hit when a deny/any/any statement is placed before.

 

The best practice is to set logging to "at session end" and you can safely enable the logging on those rules as I do primarily assume you do not want this rule to be it but when it gets hit you want to see it in the logs.

 

Kind regards,


Rene

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!