This specifies the minimum amount of time between consecutive logs of similar
packets. A higher number means less logging, and a higher risk of ‘losing’
important information.
If log analysis is being performed, lowering this parameter value will
help improve the accuracy of the log analysis when searching for portscanning
attempts and doing performance/usage analysis.
This value should be experimented with; we recommend a setting of 30
seconds or lower if possible.
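To show what the grace period does to the data a log analyst sees, here is an added Python illustration (not part of the original guide and not Firewall-1 code) that emulates the suppression over a constructed set of log records and then computes two common portscan indicators from the surviving records. It assumes, for the illustration only, that ‘similar’ means the same source, destination, protocol and destination port; the product's exact similarity key should be checked in its own documentation.

```python
from collections import defaultdict

# Constructed sample log records: (time_in_seconds, src, dst, proto, dport, action).
# A scanner at 10.0.0.5 probes 8 ports on 192.168.1.10; each dropped SYN is
# retransmitted twice, 3 seconds apart, so every port produces 3 records.
EVENTS = sorted(
    (t + retry * 3, "10.0.0.5", "192.168.1.10", "tcp", port, "drop")
    for t, port in zip(range(0, 80, 10), (21, 22, 23, 25, 80, 110, 143, 443))
    for retry in range(3)
)


def apply_grace_period(events, grace):
    """Emulate the log grace period: a record is written only if no similar
    record was written during the previous `grace` seconds. Similarity is
    assumed here to be (src, dst, proto, dport); grace=0 logs everything."""
    last_logged = {}
    kept = []
    for ev in events:
        t, src, dst, proto, dport, _action = ev
        key = (src, dst, proto, dport)
        if key not in last_logged or t - last_logged[key] >= grace:
            last_logged[key] = t
            kept.append(ev)
    return kept


def drop_stats(events):
    """Per source address: (number of dropped packets, distinct destination ports).
    Both are typical inputs to portscan heuristics and usage statistics."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for _t, src, _dst, _proto, dport, action in events:
        if action == "drop":
            counts[src] += 1
            ports[src].add(dport)
    return {src: (counts[src], len(ports[src])) for src in counts}


if __name__ == "__main__":
    # With the assumed key, the distinct-port count survives any grace period,
    # but the packet count falls from 24 to 16 to 8 as the period grows.
    for grace in (0, 5, 30):
        print(f"grace={grace:>2}s", drop_stats(apply_grace_period(EVENTS, grace)))
```

A detection rule that thresholds on dropped-packet counts per source must therefore be calibrated against the configured grace period, whereas distinct-port counting is unaffected under the assumed similarity key.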
Popup Alert Command
This specifies the command to be executed when an alert is issued. Default
value is ok, unless another specific action is wanted.
Mail Alert Command
This specifies the command(s) to be executed when Mail is specified as
the required alert action. Remember: it may take some time before the
recipient receives a mail message, and the message must also be read.
The default setting is to send mail to the local root account, which normally
won’t exist on the system (…). If there is a system for transferring SMTP
mail available, ‘root’ should be changed to ‘name-of-person-responsible@Company.com’.
Note: On NT machines there is no mechanism by default for sending mail.
One will have to be installed – this should be done before the firewall
is installed to reduce the possibility of vulnerable services being exposed.
SNMP Trap Alert Command
Specifies the command to be executed when SNMP is specified as the required
action. Remember that SNMP and SNMP traps are UDP based services, and do
not require a confirmation from the recipient of such an alert message.
The default value is also set to send such SNMP Traps to ‘localhost’, which
is the firewall system itself. This setting should be changed. Instead
of localhost, the IP address of an SNMP management station (such as CA Unicenter
etc.) should be inserted.
Do not use DNS names, because doing so may allow an attacker to trick
the firewall into sending the SNMP Trap message to the wrong recipient station
through DNS failures or spoofed DNS information.
User Defined Alert Command
Specifies the command to be executed when “User-Defined” is defined as
the required alert action.
This setting may be used for invoking third-party applications, such
as pager messages or SMS messages to a cellular phone.
Anti Spoof Alert Command
Specifies the command(s) to be executed when alert is specified for anti-spoofing
detection in the Network Interfaces section of the HOST PROPERTIES window.
Spoofing will normally be an attempt to trick the firewall into accepting
a packet from one interface, destined for another interface, where
the IP packet seems legitimate because of a faked sender IP address.
Attempts at using spoofed IP addresses should be detected by configuring
anti-spoofing for every interface in the firewall configuration (Firewall-1
object definition – Interfaces), and an alert should be raised if they are detected.
This value may contain an SNMP trap alert, or e-mail alert, or another
third-party application/solution.
User Authentication Alert Command
Specifies the command(s) to be executed when alert is specified for Authentication
failure track in the Control Properties/Authentication window. If a user
database is being managed and used in conjunction with Firewall-1’s user
authentication abilities, this option should be properly configured to
give some kind of alarm, such as SNMP Traps, e-mail notification or third-party
applications/solutions.
IP Options Drop Track
IP packets containing data in the options field will always be dropped
(i.e. ignored) by Firewall-1, but such packets should be logged, and possibly also
generate an alarm.
This value should be set to ‘log’, or in a high-security environment
‘alert’.
Log established TCP Packets
Enables logging of TCP packets previously established, or packets whose
connections have timed out.
This option should be enabled.
Log ISAKMP negotiations
This option should be enabled.
This will enable logging of ISAKMP negotiations. By analyzing these
log events, it will be possible to do usage monitoring.
Log encryption kernel events
This option will enable logging of encryption events. This option may be
disabled, as we see no immediate danger in not logging legitimate encryption
events. This option may be enabled for debugging purposes, when troubleshooting
encryption installations.
Enable Active Connections (This option has been removed from V4.x)
Enables live connections to be viewed from the Log Viewer for Firewall-1.
Represents no security risk. This option should be enabled.