06-14-2013 10:51 AM
Hi,
when I have a global clean-up rule that blocks/logs all unwanted traffic, my firewall management traffic (DNS lookups, PAN-DB updates etc) stop working if I configure it to use any other interface but the dedicated management ports. So I added a lot of rules to allow this traffic. Which is really not what I want. I also see inconsistencies. For example, SMTP traffic from the firewall (for sending alarm emails) seems to work without having a security rule for it (destination is directly connected inside a DMZ), while PAN-DB lookups (to the internet) need a security rule. Same for DNS. This is really confusing and inconsistent.
Are there any guidelines or best practices on how to set this up?
Thanks
06-14-2013 12:25 PM
The general recommendation is to not use a clean-up rule at all. The firewall allows all same-zone traffic by default, and denies all intra-zone traffic. Unless you have a specific requirement to log this traffic, a generic "deny all" policy is not needed.
If you do have that requirement, my recommendation is to make specific policies that exclude same-zone traffic. For example, if you have 3 zones (trust, untrust, dmz) you would make 3 policies:
Src: Trust; Dst: untrust or dmz; Deny
Src: DMZ; dst: untrust or trust; Deny
Src: Untrust; dst: trust or dmz; Deny
This gives you the logging, but prevents the issue you are running into by allowing same-zone traffic. When the firewall makes an outbound connection on a public L3 interface, the source and destination are the same zone and thus your cleanup rule denies it.
Hope this helps,
Greg
06-14-2013 12:52 PM
Thanks Greg, that makes sense. I am going to try that out.
One more question: If it is recommended to not use any cleanup rules at all and you effectively turn off all logging for dropped packets that way, how does this impact reporting and the ACC?
06-14-2013 01:44 PM
Rule logging doesn't affect ACC data ().
It does, however, affect what shows up under Monitor/Logs. As far as reporting is concerned, it depends on which database you use. The summary/statistics databases don't rely on rule logging. Reports generated from the Detailed databases pull from the same database where the rule logging occurs. (As a side-note, this is the reason why it takes more time to run a report against the detailed logs - as the reporting engine must parse through each and every applicable log entry. Reporting from the Summary databases is much quicker, but doesn't have quite as much data as the detailed logs.. ie: src/dst port information, etc.)
-JV
06-14-2013 01:55 PM
Excellent, thank JV. I think I am going for dedicated cleanup rules in each zone-context to get more details. Thanks!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
