Netgate Discussion Forum
logging firewall rules

General pfSense Questions
5 Posts 2 Posters 174 Views

    michmoor LAYER 8 Rebel Alliance
    last edited by Jul 30, 2024, 2:46 PM

    Hello everyone
    Looking for some advice/general guidance regarding logging firewall rules. My daytime activity as a network engineer for a Fintech company has me managing firewalls, and we log everything. Allowed or denied rules, doesn't matter. I get it from a compliance standpoint, but I maybe made the mistake of doing the same thing at home. I have a fair amount of rules per interface and everything gets logged to my external syslog server, but of course this puts considerable writes on the SSD of my SG6100. I have since disabled all logging on traffic that's permitted and only log my rejects/blocks. I typically use the logging data for traffic analysis I play around with at home that feeds into my external Suricata engine. In some rare cases having everything logged helped me spot a misconfiguration (why was a DMZ host talking to a privileged host?).

    Nonetheless, what do you folks do for firewall logging? Leave it off? Leave it on?

    Firewall: NetGate,Palo Alto-VM,Juniper SRX
    Routing: Juniper, Arista, Cisco
    Switching: Juniper, Arista, Cisco
    Wireless: Unifi, Aruba IAP
    JNCIP,CCNP Enterprise

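The kind of traffic analysis the post above describes (spotting a DMZ host talking to a privileged host in logged traffic) can be done over the filterlog lines pfSense exports to syslog. The following is an added example and not code from the thread or from Netgate; it assumes the CSV field order Netgate documents for the pfSense filterlog format (rule-number, sub-rule-number, anchor, tracker, real-interface, reason, action, direction, ip-version, the IPv4 header fields, then source/destination ports for TCP and UDP). The DMZ and privileged subnets and the four log lines are constructed for the example, and only the IPv4 layout is handled.

```python
"""Summarize pfSense filterlog entries exported to a syslog server.

Added example, not code from the original thread. It assumes the
filterlog CSV field order documented by Netgate for pfSense software.
The subnets and the sample log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Assumed network layout (hypothetical): DMZ hosts should never initiate
# connections toward the privileged/management network.
DMZ_NET = ipaddress.ip_network("192.168.50.0/24")
PRIV_NET = ipaddress.ip_network("10.10.0.0/24")

# Constructed sample lines in the syslog export form of pfSense filterlog.
# Lines 1 and 4 are default-rule blocks on WAN (igb1); lines 2 and 3 are
# logged pass rules on the DMZ interface (igb2).
SAMPLE_LOG = """\
Jul 30 14:01:02 pfSense filterlog[55214]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,203.0.113.9,192.168.50.10,51000,22,0,S,10001,,65535,,mss;nop;wscale;sackOK;TS
Jul 30 14:01:03 pfSense filterlog[55214]: 72,,,1727000000,igb2,match,pass,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.50.10,10.10.0.5,44332,3389,0,S,10002,,65535,,mss;nop;wscale;sackOK;TS
Jul 30 14:01:04 pfSense filterlog[55214]: 70,,,1726000000,igb2,match,pass,in,4,0x0,,64,0,0,DF,17,udp,76,192.168.50.10,192.168.50.1,50001,53,56
Jul 30 14:01:05 pfSense filterlog[55214]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,48,198.51.100.4,192.168.50.1,40000,161,28
"""

# Everything after "filterlog[pid]: " is the comma-separated record.
_PREFIX = re.compile(r"filterlog\[\d+\]:\s*(.*)$")


def parse_filterlog_line(line):
    """Return the fields a practitioner usually wants from one filterlog
    line, or None for non-IPv4 or unparsable lines."""
    m = _PREFIX.search(line)
    if not m:
        return None
    f = m.group(1).split(",")
    if len(f) < 20 or f[8] != "4":
        return None  # only the IPv4 field layout is handled here
    rec = {
        "rule": f[0], "tracker": f[3], "iface": f[4],
        "action": f[6], "dir": f[7], "proto": f[16],
        "src": f[18], "dst": f[19], "sport": None, "dport": None,
    }
    # TCP and UDP records carry source-port, destination-port after the IPs.
    if rec["proto"] in ("tcp", "udp") and len(f) >= 22:
        rec["sport"], rec["dport"] = int(f[20]), int(f[21])
    return rec


def summarize(text):
    """Count hits per (action, tracker id) and flag passed DMZ -> privileged
    flows, which is the misconfiguration the post mentions."""
    counts = Counter()
    suspicious = []
    for line in text.splitlines():
        rec = parse_filterlog_line(line)
        if rec is None:
            continue
        counts[(rec["action"], rec["tracker"])] += 1
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if rec["action"] == "pass" and src in DMZ_NET and dst in PRIV_NET:
            suspicious.append(rec)
    return counts, suspicious


if __name__ == "__main__":
    counts, suspicious = summarize(SAMPLE_LOG)
    for (action, tracker), n in sorted(counts.items()):
        print(f"{action:5s} tracker={tracker} hits={n}")
    for rec in suspicious:
        print(f"DMZ host {rec['src']} reached privileged {rec['dst']}:"
              f"{rec['dport']}/{rec['proto']} via rule tracker {rec['tracker']}")
```

Keying the counts on the tracker id rather than the rule number is deliberate: the tracker id is stable across rule reordering, so it is what to search for in the pfSense rule set when a logged pass rule turns up traffic that should not exist.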
      stephenw10 Netgate Administrator
      last edited by Jul 30, 2024, 3:08 PM

      If it's an SSD I wouldn't worry about it. The write endurance of anything recent is pretty good.

      On a 6100 you probably have RAM to spare so you could put /var on a RAM drive. You won't lose anything if you're also exporting to syslog.

        michmoor LAYER 8 Rebel Alliance @stephenw10
        last edited by Jul 30, 2024, 4:15 PM

        @stephenw10 From your perspective, curious, do you see clients logging everything or nothing or somewhere in between?

          stephenw10 Netgate Administrator
          last edited by Jul 30, 2024, 5:30 PM

          Mostly the default values, so logging everything that's blocked by the default rule only. It's very variable though, depends how it's being used. It's common to see logging enabled on some pass rules for review purposes or testing.

            michmoor LAYER 8 Rebel Alliance @stephenw10
            last edited by Jul 30, 2024, 6:12 PM

            @stephenw10 Ah ok. So it really depends on what you want to do and/or see.
            Makes sense.

            Thank you!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.