logging firewall rules
-
Hello everyone
Looking for some advice/general guidance regarding logging firewall rules. My day time activity as a network engineer for a Fintech company has me managing firewalls and we log everything. Allowed and denied rules, doesn't matter. I get it from a compliance standpoint but I made maybe the mistake of doing the same thing at home. I have a fair amount of rules per interface and everything gets logged to my external syslog server but of course this puts considerable writes on my SSD on my SG6100. I have since disabled all logging on traffic that's permitted and only log my rejects/blocks. I typically use the logging data for traffic analysis I play around with at home that feeds into my external Suricata engine. On some rare cases having everything logged helped me spot a misconfiguration (why was a DMZ host talking to a privileged host?). Nonetheless, what do you folks do for firewall logging? Leave it off? Leave it on?
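As an added example (not code from the thread or from Netgate), here is a small Python script that does the kind of offline analysis the post describes: it parses syslog lines in the pfSense filterlog CSV layout and flags flows from a DMZ subnet to a privileged subnet. It assumes the SG-6100 is exporting pfSense filterlog entries (rule, tracker, interface, action, direction, IP version, then the IPv4 and TCP/UDP fields); the subnets, hostnames and the three log lines are constructed sample data, and the field offsets are only handled for IPv4 TCP/UDP records. It also counts pass versus block entries, since the misconfiguration in the sample only shows up in a *pass* line, which is the case for logging permitted traffic that the post mentions.

```python
"""Flag DMZ-to-privileged flows in pfSense-style filterlog syslog output.

Added example, not from the forum thread. Assumptions (labelled):
  - lines use the pfSense filterlog CSV field order for IPv4 TCP/UDP
  - DMZ_NETS / PRIVILEGED_NETS and SAMPLE_LOGS are constructed sample data
"""
import ipaddress
import re
from collections import Counter

# Constructed policy: which subnets count as DMZ and which as privileged.
DMZ_NETS = [ipaddress.ip_network("192.0.2.0/24")]
PRIVILEGED_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample syslog lines (rule,sub-rule,anchor,tracker,iface,reason,
# action,dir,ipver,tos,ecn,ttl,id,offset,flags,proto-id,proto,len,src,dst,
# sport,dport,...). Line 2 is a *pass* from the DMZ to a privileged host.
SAMPLE_LOGS = """\
Jan 10 12:00:01 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1234,0,DF,6,tcp,60,192.0.2.10,203.0.113.5,51000,443,0,S,1,,65535,,mss
Jan 10 12:00:02 fw filterlog[123]: 102,,,1000000201,igb1,match,pass,in,4,0x0,,64,1235,0,DF,6,tcp,60,192.0.2.10,198.51.100.20,51001,22,0,S,1,,65535,,mss
Jan 10 12:00:03 fw filterlog[123]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,1236,0,DF,17,udp,60,192.0.2.11,198.51.100.20,51002,53,40
"""

_FILTERLOG_RE = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog line, or None otherwise."""
    m = _FILTERLOG_RE.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    # Assumed field offsets (pfSense filterlog layout); ICMP/IPv6 not handled.
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return {
        "rule": f[0],
        "tracker": f[3],
        "iface": f[4],
        "action": f[6],
        "dir": f[7],
        "proto": f[16],
        "src": ipaddress.ip_address(f[18]),
        "dst": ipaddress.ip_address(f[19]),
        "sport": int(f[20]),
        "dport": int(f[21]),
    }


def in_any(addr, nets):
    return any(addr in net for net in nets)


def find_dmz_to_privileged(log_text, only_passed=True):
    """Flows sourced in a DMZ subnet and destined for a privileged subnet.

    With only_passed=True (default) only entries the firewall *allowed* are
    returned; those are the ones that indicate a rule misconfiguration.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None:
            continue
        if only_passed and rec["action"] != "pass":
            continue
        if in_any(rec["src"], DMZ_NETS) and in_any(rec["dst"], PRIVILEGED_NETS):
            hits.append(rec)
    return hits


def summarize_by_action(log_text):
    """Count parsed entries per action, e.g. {'block': 2, 'pass': 1}."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is not None:
            counts[rec["action"]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("entries by action:", summarize_by_action(SAMPLE_LOGS))
    for rec in find_dmz_to_privileged(SAMPLE_LOGS):
        print(f"ALLOWED DMZ->privileged: {rec['src']} -> {rec['dst']}:{rec['dport']}/"
              f"{rec['proto']} via rule {rec['rule']} (tracker {rec['tracker']})")
```

Run it against a real export by replacing `SAMPLE_LOGS` with the contents of the syslog file; the `tracker` value in each hit maps back to the specific pass rule to fix. If only block/reject logging is enabled, `find_dmz_to_privileged` will return nothing for exactly the case the post is worried about, which is the trade-off the thread discusses.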
-
If it's an SSD I wouldn't worry about it. The write endurance of anything recent is pretty good.
On a 6100 you probably have RAM to spare so you could put /var on a RAM drive. You won't lose anything if you're also exporting to syslog.
-
@stephenw10 From your perspective, curious, do you see clients logging everything or nothing or somewhere in between?
-
Mostly the default values, so logging everything that's blocked by the default rule only. It's very variable though, depends how it's being used. It's common to see logging enabled on some pass rules for review purposes or testing.
-
@stephenw10 Ah ok. So it depends really on what you want to do and/or see.
Makes sense. Thank you!