RE: Netscreen email logging

["Philip J. Koenig" <pjklist () ekahuna com>]

OK, I have traffic logs and alerts working now - here are the current
findings:

1) Steve's suggestion below ("set firewall log-self") may have been
the turning point, surely it's good to see what packets were dropped
whose destination address was the firewall itself, in any case.

2) The Netscreen is now sending logs.  There are 2 significant
revelations:

    A) The documentation says it will send traffic logs every 24 hours,
    or when the log fills up.  As it turns out, it does *not* send logs
    every 24 hours, I have only seen them when the log fills up. (all
    this is under ScreenOS 3.03r3)

    B) The Netscreen buffers alarms for 10 minutes, ie if you get a new
    alarm 2 minutes after the first, it will buffer that alarm and send
    it with a batch 10 minutes after the last alarm. (this is not in the
    documentation)

3) It's critical that you have a manually-entered static-route for
any host or network that you plan to send management traffic either
to or from the Netscreen, EVEN IF this host or network is connected
directly to one of the Netscreen's interfaces. (however this was not
my current problem, it had already been done on this box)

I don't know why Bruce gets traffic reports but no alarms.  My only
guess is either A) he doesn't have a proper policy setup with alarms
enabled. (or it's configured but all relevant traffic is matching a
policy 'higher up' in the list and never becoming associated with the
policy which has alarms configured) or B) the configuration command
"set admin mail alert" has not been set.

I hope the summary above comes in handy for some of you, and thanks
for all your suggestions.

Phil



On 28 Sep 2002 at 16:07, Clark, Steve boldly uttered:


> Make sure you have checked Log Packets to Self that are dropped. You will
> start to see the alert email.
>
> Steve Clark
> Clark Systems Support, LLC
> AVIEN Charter Member
> "Who's watching your network?"
> www.clarksupport.com
>           301-610-9584 voice
>           240-465-0323 Efax
>
> Your Referral Resource
>
> The data furnished in connection with this document is deemed by  Clark
> Systems Support, LLC., to contain proprietary and privileged information and
> shall not be disclosed or used for the benefit of others without the prior
> written permission of Clark Systems Support, LLC.
>
>
> -----Original Message-----
> From: Bruce Platt [mailto:Bruce () ei3 com]
> Sent: Saturday, September 28, 2002 8:25 AM
> To: 'pjklist () ekahuna com'
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Netscreen email logging
>
> Philip,
>
> I can't find your original message, but I think you were after an answer as
> to why you don't get alert messages, such as those in the event logs mailed
> to you, while getting traffic logs mailed.
>
> I don't either, though my NSs are configured for it, and I get lots of
> traffic mail.
>
> You might want to ask the folks at www.netscreenforum.com.  It's a forum
> rather than a mailing list and inhabited by some very knowledgable folks.
>
> I have the same question on my list of things to figure out when I get time.
> I was planning on posing the question there.
>
> Regards
>
> -----Original Message-----
> From: Philip J. Koenig [mailto:pjklist () ekahuna com]
> Sent: Friday, September 27, 2002 2:37 PM
> To: Juhani Lahti
> Cc: firewall-wizards () honor icsalabs com
> Subject: RE: [fw-wiz] Netscreen email logging
>
>
> On 27 Sep 2002 at 15:43, Juhani Lahti boldly uttered:
>
> > I have 5XP and get logs and alerts. In the begining(when you are just
> > installed your NetScreen) NetScreen doesn't send any logs to you , I don't
> > know why.
> > I got my first logs about two days after installation.
> >
> > Remember enable logging, when you create security policies.
>
> Yes logging is enabled - ie various policies have "permit log count"
> or "deny log count" at the end. (I configure primarily via CLI)
>
> In the case of the 5XP, it has been sitting there for months without
> sending logs.
>
> Thanks for your suggestions.
>
> Phil
>
>
>
> > > -----Original Message-----
> > > From:     Philip J. Koenig [SMTP:pjklist () ekahuna com]
> > > Sent:     27. syyskuuta 2002 06:07
> > > To:       firewall-wizards () nfr com
> > > Subject:  [fw-wiz] Netscreen email logging
> > >
> > > I have tried to get email alerts and logs working with 2 different
> > > Netscreen boxes (5XP Elite and 25) with no success.  Everything else
> > > pretty much works as expected except this.  I have asked Netscreen
> > > support about it more than once and get the equivalent of a shrug
> > > from them.
> > >
> > > Is there some secret to this I'm missing?  Here are the relevant
> > > entries from the configuration file:
> > >
> > > set admin mail alert
> > > set admin mail traffic-log
> > > set admin mail server-name <hostname or IP>
> > > set admin mail mail-addr1 <email address>
> > >
> > >
> > > I've finally gotten used to their idiosyncracy of needing a manual
> > > route entry for any network that receives or sends to the firewall
> > > itself, so this isn't the problem.
> > >
> > > Ideas greatly appreciated!
> > >
> > > Phil


--
Philip J. Koenig                                       pjklist () ekahuna com
Electric Kahuna Systems -- Computers & Communications for the New Millenium


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards