Define logging options for Access rules
Access rules can create a log or alert entry each time they match.
By default, logging options set in a previous Access rule with Continue as its action are used. If no such rule exists, Firewalls, Virtual Firewalls, Layer 2 Firewalls, and Virtual Layer 2 Firewalls log the connections by default. IPS engines and Virtual IPS engines do not log the connections by default. Each individual rule can be set to override the default values.
Logging for the closing of the connection can be turned on or off, or on with accounting information. You must collect accounting information if you want to create reports that are based on traffic volumes.
When the Log Server is unavailable, log entries are temporarily stored on the engine. When the engine starts running out of space to store the log entries, it begins discarding log data, starting with the least important. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. Alert entries are the last log entries to be discarded. The settings for storing the logs temporarily on the engine are defined in the engine's log spooling policy.
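A simplified model of the discard order described above, added here as an example and not the engine's own code. The fixed entry-count capacity, the shared tier for Transient and Stored, and oldest-first eviction inside a tier are assumptions; the traffic sample is constructed.

```python
# Discard tiers taken from the paragraph above: lower number is discarded first.
# Assumption: Transient and Stored share a tier because the page names them together.
DISCARD_TIER = {"Monitoring": 0, "Transient": 1, "Stored": 1, "Essential": 2, "Alert": 3}


class Spool:
    """Simplified model of an engine-side log spool with a fixed capacity."""

    def __init__(self, capacity):
        self.capacity = capacity    # assumption: capacity counted in entries
        self.entries = []           # (sequence number, level), oldest first
        self.discarded = []         # what was dropped, in drop order
        self._seq = 0

    def add(self, level):
        if level not in DISCARD_TIER:
            raise ValueError(f"unknown level: {level}")
        self._seq += 1
        self.entries.append((self._seq, level))
        while len(self.entries) > self.capacity:
            self._discard_one()

    def _discard_one(self):
        # Assumption: within the lowest tier present, the oldest entry goes first.
        victim = min(self.entries, key=lambda e: (DISCARD_TIER[e[1]], e[0]))
        self.entries.remove(victim)
        self.discarded.append(victim)

    def levels(self):
        return [level for _, level in self.entries]


def simulate_outage(capacity, traffic):
    """Feed constructed traffic into the spool while the Log Server is down."""
    spool = Spool(capacity)
    for level in traffic:
        spool.add(level)
    return spool


# Constructed sample: a burst of mixed entries during an outage.
SAMPLE = ["Stored", "Monitoring", "Alert", "Transient", "Essential",
          "Monitoring", "Stored", "Essential", "Alert", "Stored"]

if __name__ == "__main__":
    s = simulate_outage(capacity=4, traffic=SAMPLE)
    print("kept:     ", s.levels())
    print("discarded:", [lvl for _, lvl in s.discarded])
```

In this model, a rule logged at Stored level loses its entries during an outage well before Essential or Alert entries are touched, which is the practical reason to pick the log level per rule with the spool in mind.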
Steps
- Double-click the Logging cell.
- Set the options.
- Click OK.
Logging - Select Rule Options dialog box
Use this dialog box to define Access rule logging options.
Option | Definition |
---|---|
Override Settings Inherited from Continue Rule(s) | When selected, overrides settings defined in Continue rules higher up in the policy. |
Log Level | Select one of these options: |
Alert | When the Log Level is set to Alert, specifies the Alert that is sent. |
Severity | When the Log Level is set to Alert, allows you to override the severity defined in the Alert element. |
Connection Closing | Select one of these options: |
Compress Logs | When enabled, generated entries are not logged and shown separately when the limits defined in the Max Log Rate or Max Burst Size are reached. Instead, the NGFW Engine creates a single log entry that contains information about the total number of the generated log entries. After the single log entry is created, logging returns to normal and all generated entries are logged and shown separately. |
Max Log Rate | The maximum number of separately logged entries per second. |
Max Burst Size | The maximum number of separately logged entries. |
Logging Enforcements | Options that control what information is included in the log data. |
Log User Information | |
Log Network Applications | Other TLS traffic is decrypted only if an Access rule enables decryption and there is no TLS Match with the Deny Decrypting option that excludes the traffic from TLS Inspection. |
Log URL Categories | Enables the logging of the URL categories that the traffic matches. |
Log Endpoint Information | Enables the logging of endpoint information. |
Store Additional Protocol Details | |