Log and Alert

  1. When does the Prestige generate the firewall log?
  2. What does the log show to us?
  3. How do I view the firewall log?
  4. When does the Prestige generate the firewall alert?
  5. What does the alert show to us?
  6. What is the difference between the log and alert?

1. When does the Prestige generate the firewall log?

The Prestige generates a log entry immediately when a packet matches or does not match a firewall rule (or both, depending on the Log option). Log entries for the Default Permit rules (LAN to WAN, WAN to LAN) are generated automatically. To generate log entries for custom rules, the Log option in the Web Configurator must be set to Not Match, Match, or Both. For the default permit rules the Reason column of the log shows 'default permit, <1, 00> or <2, 00>', where <1, 00> means the LAN-to-WAN default ACL set and <2, 00> means the WAN-to-LAN default ACL set.

2. What does the log show to us?

The log holds up to 128 entries. Each entry occupies 2 rows and 5 columns, as in the example shown below.

#  Time      Packet Information                   Reason          Action
127|Mar 15 0 |From:192.168.1.34 To:202.132.155.93 |default permit |forward
   | 03:03:54|ICMP    type:00008    code:00000    |<1,00>         |

Here <X,Y> stands for <Set number, Rule number>, where X = 1 or 2 and Y = 00 to 10. There are two policy sets: set 1 holds the rules checking connections from LAN to WAN and set 2 holds the rules checking connections from WAN to LAN, so X=1 means set 1 and X=2 means set 2.

Y is the rule number within the set. Because up to 10 rules can be configured in a set, Y can be from 1 to 10. A rule number of 00 means the Default Rule.

3. How do I view the firewall log?

The log keeps 128 entries; once it is full, new entries overwrite the oldest ones.

There are three ways to view the firewall log:

  1. From SMT Menu 21.3 (View Firewall Log)
  2. With the CI command 'sys firewall display'
  3. From the Web Configurator

4. When does the Prestige generate the firewall alert?

The Prestige generates an alert when the firewall detects an attack, and sends it via Email. To receive alerts you must therefore configure the mail server and Email address in the Web Configurator. You can also specify in the Web Configurator how frequently you want to receive alerts.

5. What does the alert show to us?

The alert shown in the Email is actually the event of the attack. So the Reason column shows 'attack' and the attack type. Please see the example shown below.

#  Time      Packet Information                 Reason   Action
127|Mar 15 0 |From:192.168.1.1 To:192.168.1.1  |attack  |block
   | 03:04:54|ICMP    type:00008    code:00000 |land    |
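As an added example (not ZyXEL's code), here is a small Python parser for the two-row, five-column entry layout used by both the log (section 2) and the alert (section 5). It pairs the two physical rows of each entry, decodes the <Set, Rule> reference (set 1 = LAN to WAN, set 2 = WAN to LAN, rule 00 = Default Rule) and separates attack alerts from rule logs; the sample entries are constructed from the two examples in this FAQ.

```python
import re

# Constructed sample in the two-row, five-column layout shown in the FAQ:
# a default-permit log entry followed by an attack alert entry.
SAMPLE_LOG = """\
#  Time      Packet Information                   Reason          Action
127|Mar 15 0 |From:192.168.1.34 To:202.132.155.93 |default permit |forward
   | 03:03:54|ICMP    type:00008    code:00000    |<1,00>         |
126|Mar 15 0 |From:192.168.1.1 To:192.168.1.1     |attack         |block
   | 03:04:54|ICMP    type:00008    code:00000    |land           |
"""

SET_NAMES = {1: "LAN to WAN", 2: "WAN to LAN"}   # X in <X,Y>, as the FAQ defines it
RULE_REF = re.compile(r"<\s*(\d+)\s*,\s*(\d+)\s*>")  # <Set number, Rule number>
ADDR = re.compile(r"From:(\S+)\s+To:(\S+)")


def parse_firewall_log(text):
    """Pair the two physical rows of each entry and return one dict per entry."""
    rows = [l for l in text.splitlines() if "|" in l and not l.startswith("#")]
    entries = []
    for first, second in zip(rows[0::2], rows[1::2]):
        a = [c.strip() for c in first.split("|")]    # row 1: #, date, From/To, reason, action
        b = [c.strip() for c in second.split("|")]   # row 2: time, protocol, rule ref / attack type
        src, dst = ADDR.search(a[2]).groups()
        entry = {
            "index": int(a[0]), "date": a[1], "time": b[1],
            "src": src, "dst": dst,
            "packet": " ".join(b[2].split()),        # e.g. "ICMP type:00008 code:00000"
            "reason": a[3], "reason_detail": b[3],   # "<X,Y>" for rule logs, attack type for alerts
            "action": a[4],
        }
        m = RULE_REF.match(b[3])
        if m:  # only rule logs carry a <Set, Rule> reference
            entry["set_no"], entry["rule_no"] = int(m.group(1)), int(m.group(2))
        entries.append(entry)
    return entries


def is_alert(entry):
    """Alerts carry 'attack' in the Reason column; everything else is a rule log."""
    return entry["reason"].lower() == "attack"


def describe(entry):
    """Explain the Reason column in words, using the FAQ's set/rule definitions."""
    if is_alert(entry):
        return f"alert: {entry['reason_detail']} attack -> {entry['action']}"
    set_no, rule_no = entry.get("set_no"), entry.get("rule_no")
    rule = "Default Rule" if rule_no == 0 else f"rule {rule_no}"
    return f"log: set {set_no} ({SET_NAMES.get(set_no, '?')}) {rule}, {entry['reason']} -> {entry['action']}"
```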

6. What is the difference between the log and alert?

A log entry is simply added to the log inside the Prestige and e-mailed together with all other log entries at the scheduled time you configured. An alert is e-mailed immediately after an attack is detected.


All contents copyright (c) 2000 ZyXEL Communications Corporation.