Chapter 13. Logging

Table of Contents
Display Log
The log
Display Load
Logging Configuration
Log Classes
Syslog Configuration
Email Configuration

Ingate Firewall can log different types of traffic, attempts to connect and other events. You can select to have the logs stored on the firewall's local hard drive, in which case they can be queried. When the firewall's hard drive gets full, it removes the oldest data to make space for saving new data.

You can also clear the logs manually by running the installation program (see chapter 3, Installing Ingate Firewall) and choosing Reset the rest of the configuration followed by 3. Revert to the factory configuration. NB: This clears the logs, removes all configuration on the firewall and then applies the configuration set while running the installation program.

Ingate Firewall 1200 has no hard drive and keeps the logs in memory, so the log is lost at reboot.

For TCP, only the first packet of a connection, the one that initiates it, is logged. For UDP and ICMP, every packet is logged, except UDP packets let through by Dynamic session management, for which again only the first packet is logged. A log line for TCP therefore represents a connection attempt, not the number of packets exchanged. In this section, you specify what you want to log and alarm on, and study the logs. Logging of events is also configured under Access Control, Rules and Relays.

Display Log

Here, you can view the logs. You narrow the display by selecting which packets should be shown: by IP address, by IP protocol and by whether they were allowed to pass the firewall or not. Only packets matching all three criteria are shown.

Packet type selection

You can limit the selection to only allowed packets or rejected/discarded packets, or a subset of these. For example, you can select allowed, un-NATed packets only.

IP address selection

You can limit the selection by specifying certain IP addresses.

In these fields, enter a single IP address (e. g., 10.3.27.3), a range of IP addresses (e. g., 10.3.27.1-10.3.28.254), an IP address followed by a netmask (e. g.,10.3.27.0/24), a combination of these, or nothing at all. If a field is empty, all IP addresses are selected.

If you want to study all traffic except the one to or from a specific computer or group of computers, enter the IP address(es) here and mark the "not this address" box.

The selection can be modified by the control boxes under the fields A and B:

A src: Packets from the IP address in field A match. Field B is ignored.
A dst: Packets to the IP address in field A match. Field B is ignored.
A any: Packets to or from the IP address in field A match. Field B is ignored.
A to B: Packets from A to B match.
B to A: Packets from B to A match.
Between A&B: Packets from A to B, or from B to A, match.
not this combination: Packets that do not match the given combination of A and B are shown in the log.

If you, for example, want to study all packets to or from 10.3.27.18, except those to the file server 10.3.27.2, you should fill in the form like this:

Protocol/port selection

You can limit the selection by specifying certain protocols.

All IP protocols

No restriction regarding protocols.

TCP/UDP

When selecting TCP or UDP, you can choose all packets or packets to certain ports only.

In these fields, you can enter a single port number (32), a range of port numbers (1-1023), a list of port numbers and ranges separated by commas (53, 1024-65535) or nothing at all. If the field is empty, any port will match. See appendix G, Lists of ports, ICMP and protocols, for more information on port numbers.

If you want to study all traffic except the one to or from a specific port or group of ports, enter the port number(s) here and mark the "not this port" box.

The selection can be modified by the control boxes under the fields A and B:

A src: Packets from the port number in field A match. Field B is ignored.
A dst: Packets to the port number in field A match. Field B is ignored.
A any: Packets to or from the port number in field A match. Field B is ignored.
A to B: Packets from A to B match.
B to A: Packets from B to A match.
Between A&B: Packets from A to B, or from B to A, match.
not this combination: Packets that do not match the given combination of A and B are shown in the log.

If you, for example, want to search for all packets to a web server, but not packets on the "normal" client and server ports in your environment, fill in the form like this:
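The field syntax and the A/B combination controls described above for both the IP address selection and the protocol/port selection can be expressed as one small filter. The following Python is an added example written for this page, not Ingate's code: the packet records, their field names (src, dst, proto, sport, dport, allowed) and the sample log are constructed, and treating the "not" box as having no effect on an empty field is an assumption the manual does not state.

```python
import ipaddress

MODES = ("A src", "A dst", "A any", "A to B", "B to A", "Between A&B")


def parse_ip_spec(spec):
    """IP field syntax: single address, a-b range, network/prefix, or a comma-separated
    combination, parsed into inclusive (low, high) integer ranges. Empty -> [] -> any address."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" in item:
            net = ipaddress.ip_network(item, strict=False)
            ranges.append((int(net.network_address), int(net.broadcast_address)))
        elif "-" in item:
            lo, hi = (int(ipaddress.ip_address(p.strip())) for p in item.split("-", 1))
            if lo > hi:
                raise ValueError("reversed range: %s" % item)
            ranges.append((lo, hi))
        else:
            addr = int(ipaddress.ip_address(item))
            ranges.append((addr, addr))
    return ranges


def parse_port_spec(spec):
    """Port field syntax: '32', '1-1023', '53, 1024-65535' or empty (any port)."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, hi = (int(p) for p in item.split("-", 1)) if "-" in item else (int(item), int(item))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port spec: %s" % item)
        ranges.append((lo, hi))
    return ranges


def in_ranges(value, ranges, negate=False):
    """An empty field restricts nothing; its "not" box is then ignored (assumption)."""
    if not ranges:
        return True
    return any(lo <= value <= hi for lo, hi in ranges) != negate


class PairSelection:
    """Fields A and B, their "not" boxes and the combination control below them."""

    def __init__(self, parser, a="", b="", mode="A any",
                 not_a=False, not_b=False, not_combination=False):
        if mode not in MODES:
            raise ValueError("unknown combination: %s" % mode)
        self.a, self.b, self.mode = parser(a), parser(b), mode
        self.not_a, self.not_b, self.not_combination = not_a, not_b, not_combination

    def matches(self, src, dst):
        a = lambda v: in_ranges(v, self.a, self.not_a)
        b = lambda v: in_ranges(v, self.b, self.not_b)
        hit = {
            "A src": a(src),
            "A dst": a(dst),
            "A any": a(src) or a(dst),
            "A to B": a(src) and b(dst),
            "B to A": b(src) and a(dst),
            "Between A&B": (a(src) and b(dst)) or (b(src) and a(dst)),
        }[self.mode]
        return hit != self.not_combination  # "not this combination" inverts the result


# Constructed sample log, not real Ingate output. ICMP packets carry no ports.
SAMPLE_LOG = [
    {"src": "10.3.27.18", "dst": "10.3.27.2", "proto": "tcp", "sport": 51000, "dport": 445, "allowed": True},
    {"src": "10.3.27.18", "dst": "192.0.2.80", "proto": "tcp", "sport": 51001, "dport": 80, "allowed": True},
    {"src": "192.0.2.80", "dst": "10.3.27.18", "proto": "tcp", "sport": 80, "dport": 51001, "allowed": True},
    {"src": "10.3.27.2", "dst": "10.3.27.18", "proto": "tcp", "sport": 445, "dport": 51000, "allowed": True},
    {"src": "10.3.27.5", "dst": "10.3.27.2", "proto": "tcp", "sport": 51002, "dport": 445, "allowed": True},
    {"src": "198.51.100.7", "dst": "10.3.27.18", "proto": "tcp", "sport": 4444, "dport": 22, "allowed": False},
    {"src": "10.3.27.18", "dst": "10.3.27.1", "proto": "icmp", "sport": None, "dport": None, "allowed": True},
]


def filter_log(packets, ip_sel=None, port_sel=None, protocols=None, allowed=None):
    """A packet is shown only if it satisfies every criterion that was given."""
    shown = []
    for p in packets:
        if allowed is not None and p["allowed"] != allowed:
            continue
        if protocols is not None and p["proto"] not in protocols:
            continue
        if ip_sel and not ip_sel.matches(int(ipaddress.ip_address(p["src"])),
                                         int(ipaddress.ip_address(p["dst"]))):
            continue
        if port_sel and (p["sport"] is None or not port_sel.matches(p["sport"], p["dport"])):
            continue
        shown.append(p)
    return shown


# The manual's example: everything to or from 10.3.27.18 except traffic with the
# file server 10.3.27.2, i.e. B negated and the combination "Between A&B".
HOST_NOT_FILESERVER = PairSelection(parse_ip_spec, a="10.3.27.18", b="10.3.27.2",
                                    mode="Between A&B", not_b=True)
```

Note that Between A&B with B negated also drops the file server's replies to 10.3.27.18: none of the six combinations keeps them while dropping only the packets sent to the file server, so that case needs two searches.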

ICMP

ICMP packets contain a type field and a code field. When searching for ICMP packets, you can select all packets or only those matching certain criteria.

In the type and code fields, you can enter a single number (e. g., 5), a range of numbers (e. g., 5-10), a list of numbers and ranges, separated by commas (e. g., 5, 10-20) or nothing at all. If the field is empty, any type or code will match. See appendix G, Lists of ports, ICMP and protocols, for more information on ICMP types and codes.

If you want to study all traffic except the one of a certain type/code, enter the type/code number(s) here and mark the "not" box.

ESP

ESP (Encapsulating Security Payload) is the IPsec protocol that authenticates and encrypts packets. Select this if you want to search for encrypted packets.

Note that encrypted packets can only be displayed here if they were logged by a log class that saves to the local file.

Protocol number

Here, you enter the number(s) of the protocols you want to search for. You can enter a single number (e. g., 5), a range of numbers (e. g., 5-10), a list of numbers and ranges, separated by commas (e. g., 5, 10-20) or nothing at all. If the field is empty, any protocol will match. See appendix G, Lists of reserved ports, ICMP types and codes, and Internet protocols, for more information on protocol numbers.

If you want to study all traffic except the one over a certain protocol or protocols, enter the protocol number(s) here and mark the "not" box.

Beside the boxes

On the right-hand side of the boxes, select time interval and event for the log display.

Show newest at top

Choosing Show newest at top will display the log in reverse order, i. e., the latest log event will be displayed first.

Display log from

You can limit the selection by a time interval. You can enter a date, a time or both to set an interval for the log display. If you leave the date field blank and enter a time in the corresponding time field, today's date is used. If you leave the time field blank and enter a date in the date field, the time is set to 00:00:00. If both fields are left blank, all events back to the log start will be displayed.

The date is written as a year with two or four digits, the month (01-12) and the day (01-31). Punctuation between year, month and day is optional, but if used it must be a dash (-). The time is written as two digits for the hour, two digits for the minute and optionally two digits for the second. Punctuation between hours, minutes and seconds is optional, but if used it must be a colon (:) or a period (.).

Until

You can enter a date, a time or both to set an interval for the log display. If you leave the date field blank and enter a time in the corresponding time field, today's date is used. If you leave the time field blank and enter a date in the date field, the time is set to 23:59:59. If both fields are left blank, all events until the latest log event will be displayed.
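The date and time rules above, with the different defaults for Display log from (00:00:00) and Until (23:59:59), as an added Python example; this is not Ingate's code. The sample events are constructed, and the century assumed for two-digit years is an assumption the manual does not make.

```python
import re
from datetime import date, datetime, time

# Year of 2 or 4 digits, month, day. A dash between the parts is optional, but
# if present it must be present in both places (the backreference enforces that).
DATE_RE = re.compile(r"(\d{4}|\d{2})(-?)(\d{2})\2(\d{2})")
# HH, MM and optional SS, with an optional ":" or "." used consistently.
TIME_RE = re.compile(r"(\d{2})([:.]?)(\d{2})(?:\2(\d{2}))?")


def parse_bound(date_field, time_field, until=False, today=None):
    """Turn a date field and a time field into a datetime, or None when both are blank
    (no bound). Blank date -> today; blank time -> 00:00:00 for the start of the
    interval and 23:59:59 for its end."""
    date_field, time_field = date_field.strip(), time_field.strip()
    if not date_field and not time_field:
        return None
    if date_field:
        m = DATE_RE.fullmatch(date_field)
        if not m:
            raise ValueError("bad date %r: use [YY]YY-MM-DD or [YY]YYMMDD" % date_field)
        year = int(m.group(1))
        if year < 100:
            year += 2000  # assumption: the manual does not say which century two-digit years belong to
        day = date(year, int(m.group(3)), int(m.group(4)))  # rejects month 13, day 32, ...
    else:
        day = today or date.today()
    if time_field:
        m = TIME_RE.fullmatch(time_field)
        if not m:
            raise ValueError("bad time %r: use HH:MM[:SS] or HH.MM[.SS]" % time_field)
        clock = time(int(m.group(1)), int(m.group(3)), int(m.group(4) or 0))  # rejects hour 24 etc.
    else:
        clock = time(23, 59, 59) if until else time(0, 0, 0)
    return datetime.combine(day, clock)


def select_events(events, from_date="", from_time="", until_date="", until_time="",
                  newest_at_top=False, today=None):
    """events: (timestamp, text) pairs, oldest first. Returns those inside the interval,
    reversed when Show newest at top is selected."""
    start = parse_bound(from_date, from_time, until=False, today=today)
    end = parse_bound(until_date, until_time, until=True, today=today)
    if start and end and start > end:
        raise ValueError("interval start is after its end")
    picked = [ev for ev in events
              if (start is None or ev[0] >= start) and (end is None or ev[0] <= end)]
    return picked[::-1] if newest_at_top else picked


# Constructed sample events, not real Ingate log lines.
SAMPLE_EVENTS = [
    (datetime(2024, 3, 14, 23, 59, 59), "tcp 10.3.27.18 -> 192.0.2.80:443 allowed"),
    (datetime(2024, 3, 15, 7, 59, 30), "udp 10.3.27.18 -> 10.3.27.2:53 allowed"),
    (datetime(2024, 3, 15, 8, 0, 0), "tcp 198.51.100.7 -> 10.3.27.18:22 discarded"),
    (datetime(2024, 3, 15, 12, 30, 45), "icmp 10.3.27.5 -> 10.3.27.1 allowed"),
]

if __name__ == "__main__":
    # "From 08:00 today" with the date field blank; today is pinned for a reproducible run.
    for ts, text in select_events(SAMPLE_EVENTS, from_time="08:00", today=date(2024, 3, 15)):
        print(ts, text)
```

The Until bound is inclusive, so a blank Until time really means "through the end of that day"; an Until date before the From date is rejected rather than silently returning nothing.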

Periodical search

Periodical search will cause new events to appear automatically in the log display. You enter the time interval for updating in the Seconds until next search field. This will only affect log display on your screen.

Show this

Select the events you want to search for. NB: The packet selection made in the boxes above only takes effect if IP packets is selected here.

Display log

Below the boxes you can choose to display the log on your computer screen or export it to a file. For screen display, enter the desired number of lines per page and press Display log.

Export log

You can also save the log to a file. Enter the maximum size of the log file; the export stops when that size is reached, so if the latest log events must be included, select Show newest at top so that they are written first.

You can choose between different file formats: TAB-separated file, comma-separated file and WELF (WebTrends Enhanced Log Format). These are text formats, so you can open the files in a text editor for analysis. TAB- and comma-separated files contain all information from the log file. WELF is an open standard used by several log analyzer tools; however, only log messages that can be expressed in WELF are exported, so a WELF file may be incomplete. You can find a thorough description of the file formats on http://www.ingate.com/logformat.php.

WELF uses the firewall name you enter on the Basic Configuration page. Some WELF applications have licenses restricted to a certain number of firewalls. This can cause trouble if you change the name of your firewall.

If you export a log to WELF with Show newest at top selected, some WELF applications may have problems with the file, as they cannot handle events in reverse order.

Press Export log and enter the file name and path to export to file.

Clear form

Resets the form.