> Hi guys,


as well as those of us who are *not* guys, i hope ;-)

> At a minimum I think we should be logging and analyzing: date/time,
> interface(s), src/dst IP, src/dst port, proto, allow/deny,
> rule applied
> (, other?). Does that seem right? What about SYN/ACK and so on?


here's one point to consider. it sounds like you're focussing only on the
logs of network traffic in the vicinity of your PIX. but keep in mind that
if it's correctly configured to allow only the traffic required by your
business requirements, then the traffic logs aren't particularly
interesting, or at least aren't obviously the best place to start.

i'm always more interested in capturing logs of administrative activity on
my firewall (in particular, changes to the access control configuration);
login attempts on the firewall; unexpected reboots etc.

you might be interested in the firewall logging doc that i compiled and
co-wrote, with heaps of assistance from chris brenton and a couple of other
folks. brian ford .... oh brian ford ... where's my PIX contribution???

http://www.loganalysis.org/sections/...ic/firewall-lo
gging.html

(beware the evil line wrap)

cheers - tbird

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/li...rewall-wizards