AtGuard/NIS Event Log

[Screenshot: NIS Event Log]

AtGuard (AG), Norton Internet Security (NIS) and Norton Personal Firewall (NPF) can log the following:

  • Content Blocking
  • Connections
  • Firewall
  • Intrusion Detection (NIS v4.5+)
  • Privacy
  • Restrictions (NIS only)
  • System
  • Web History
  • Alerts

In NIS/NPF 2003 the logs have a new look and are now called Log Viewer.

[Screenshot: NIS Log Viewer]


Example NIS/NPF 2003 Firewall Event Log entry:
TCP non-syn/non-ack packet on invalid connection. Packet has been dropped.

This is the stateful inspection check at work: a TCP segment that is neither a new connection request (SYN) nor part of a connection the firewall is currently tracking is dropped. Packets belonging to a connection that has already been torn down (late replies, stray retransmissions) commonly produce this entry.


Analyzing the Firewall Log

Filtering "Blocked Inbound" packet entries.

One consideration before any interpretation of the firewall log is done is to filter out the trivial entries first. These include internet noise, broadcasts, packets that belonged to an established connection but arrived late and were blocked, and so on.

To help identify and filter these types of packets, one place to look in the log is the "Remote Service" (as it is called in NIS) or "Remote Port" (as it is called in Log Viewer). Entries whose "Remote Service" or "Remote Port" is a common service (HTTP, DNS, NNTP, etc.) are most likely replies to your own outbound connections that arrived late (for any number of reasons) after the firewall had already closed the connection, and were therefore blocked. Check the local port as well before discarding an entry: a genuine late reply comes from the service port to a high-numbered (ephemeral) local port, whereas a packet from remote port 80 or 53 aimed at a low-numbered local port such as 135 or 445 is not a reply and deserves a closer look.

Common "Remote Service" or "Remote Port" values that should be reviewed and, once recognized as noise, can be filtered out prior to interpretation are: 25 (SMTP), 37 (Time), 43 (Nicname/WHOIS), 53 (DNS), 68 (BOOTP client), 80 (HTTP), 110 (POP3), 119 (NNTP), 123 (NTP), 137-139 (NetBIOS) *optional/user preference, 443 (HTTPS).
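The triage described above, as an added example rather than anything from the original page or from Symantec's products: it reads blocked-inbound entries, labels as noise those whose remote port is one of the common service ports listed above and whose local port is ephemeral, treats the NetBIOS ports as an optional filter, and leaves everything else for review. The CSV layout and the log lines are constructed for the example and are not the real NIS or Log Viewer export format; the column names, the `classify` and `triage` helpers, and the ephemeral-port threshold of 1024 are assumptions.

```python
"""Triage of 'Blocked Inbound' firewall log entries by remote port.

Added example; the log format below is a constructed, simplified CSV,
not the native NIS or Log Viewer export format.
"""
from collections import Counter
import csv
import io

# Remote ports the page lists as usual sources of late replies / noise.
COMMON_SERVICE_PORTS = {25, 37, 43, 53, 68, 80, 110, 119, 123, 443}
# NetBIOS ports: filtering these is optional / user preference.
NETBIOS_PORTS = {137, 138, 139}
# Assumed lower bound of the local ephemeral (client) port range.
EPHEMERAL_START = 1024

# Constructed sample log (assumed column layout, RFC 5737 test addresses).
SAMPLE_LOG = """\
date,time,action,direction,protocol,remote_ip,remote_port,local_port
2003-04-25,10:01:02,Blocked,Inbound,TCP,192.0.2.10,80,3412
2003-04-25,10:01:05,Blocked,Inbound,UDP,192.0.2.53,53,1042
2003-04-25,10:02:11,Blocked,Inbound,UDP,198.51.100.7,138,138
2003-04-25,10:03:40,Blocked,Inbound,TCP,203.0.113.9,4711,135
2003-04-25,10:04:01,Blocked,Inbound,TCP,203.0.113.9,80,445
2003-04-25,10:05:15,Blocked,Outbound,TCP,192.0.2.80,80,3420
"""


def classify(entry, filter_netbios=False):
    """Return 'noise' for entries that look like late replies or broadcasts,
    'review' for any other blocked inbound entry, or None when the entry is
    not a blocked inbound packet at all."""
    if entry["action"] != "Blocked" or entry["direction"] != "Inbound":
        return None
    rport = int(entry["remote_port"])
    lport = int(entry["local_port"])
    # A late reply to our own client connection comes FROM a service port TO
    # an ephemeral local port. The same remote port aimed at a well-known
    # local port (e.g. 135 or 445) is not a reply, so port alone must not
    # decide it: keep it for review.
    if rport in COMMON_SERVICE_PORTS and lport >= EPHEMERAL_START:
        return "noise"
    # NetBIOS chatter is typically port-to-port (137->137, 138->138).
    if filter_netbios and rport in NETBIOS_PORTS and lport in NETBIOS_PORTS:
        return "noise"
    return "review"


def triage(log_text, filter_netbios=False):
    """Split blocked inbound entries into 'noise' and 'review' buckets."""
    reader = csv.DictReader(io.StringIO(log_text))
    buckets = {"noise": [], "review": []}
    for entry in reader:
        label = classify(entry, filter_netbios)
        if label is not None:
            buckets[label].append(entry)
    return buckets


def remote_port_stats(entries):
    """Count remote ports, the kind of summary a log viewer's statistics
    pane gives you before interpretation starts."""
    return Counter(int(e["remote_port"]) for e in entries)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, filter_netbios=True)
    print("filtered as noise:", len(result["noise"]))
    print("remote ports still to review:",
          dict(remote_port_stats(result["review"])))
    for e in result["review"]:
        print(" ", e["time"], e["protocol"], e["remote_ip"],
              e["remote_port"], "->", e["local_port"])
```

On the constructed sample, the late HTTP and DNS replies and the NetBIOS broadcast drop out, while the two probes against local ports 135 and 445 stay in the review bucket even though one of them came from remote port 80.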

When it comes to interpreting and analyzing firewall logs, utilities such as Log Viewer are indispensable. Their filtering and statistical capabilities make this a lot simpler than trying to work with the native NIS logs.

CrazyM



Contributors: CrazyM

Last updated: 2003-04-25
