How to Configure Security Policies to Allow Logs
Figure 7-7 shows the typical networking of log traffic. Devices such as routers, switches, and servers generally send syslog messages to the log host over UDP port 514. If this log traffic passes through the firewall, security policies that permit it must be configured on the firewall.
The firewall itself generates logs of several types, and not every type needs a security policy to reach the log server. Table 7-11 lists, for each log type, its format, its default port, and whether a security policy is required.
| Log Type | Log Format and Default Port | Security Policy Required |
|---|---|---|
| Session log | Binary (UDP: 9902), NetFlow (UDP: 9996), Syslog (UDP: 514) | No |
| Packet loss log | Binary (UDP: 9902), Syslog (UDP: 514) | No |
| Port pre-allocation log | Syslog (UDP: 514) | Yes |
| System log | Syslog (UDP: 514) | Yes |
| Service log | Syslog (UDP: 514) | Yes for policy matching logs; no for other service logs |
| Service log | Dataflow (UDP: 9903) | No |
Table 7-12 lists the security policies to configure. Rule 101 permits syslog from devices in the Trust zone (10.1.1.0/24) that transits the firewall on its way to the log server; rule 102 permits the firewall's own logs, whose source zone is Local, to reach the log server. Configure the rule that matches the log traffic you need to permit. Keep both rules as narrow as the table shows: the destination is the single log server address (10.1.2.10/32) and only the log ports are permitted, because syslog over UDP port 514 is neither authenticated nor encrypted, so the log server should not be reachable on any other service.
| No. | Name | Source Security Zone | Destination Security Zone | Source Address/Region | Destination Address/Region | Service | Action |
|---|---|---|---|---|---|---|---|
| 101 | Allow transmit log to Log Server | Trust | DMZ | 10.1.1.0/24 | 10.1.2.10/32 | syslog (UDP: 514) | permit |
| 102 | Allow outbound log to Log Server | Local | DMZ | any | 10.1.2.10/32 | syslog (UDP: 514), binary (UDP: 9902), dataflow (UDP: 9903), netflow (UDP: 9996) | permit |
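The two rules of Table 7-12 written out in Huawei VRP security-policy syntax, as an added example that is not part of the original page. It assumes a USG6000-style CLI (V500 command syntax), the default zone names trust, dmz and local, that syslog (UDP 514) is a predefined service, and the rule and service-set names shown; the log server address 10.1.2.10 and the Trust subnet 10.1.1.0/24 come from the table. It is laid out in configuration-file style, so when entering it interactively you leave each view with quit.

```vrp
# Added example, not from the original page. Assumed: V500 CLI syntax,
# default zone names (trust, dmz, local), predefined service "syslog",
# and the rule/service-set names used below.
#
# Service set for the firewall's own non-syslog log formats (Table 7-11):
# binary 9902, dataflow 9903, netflow 9996, all UDP.
ip service-set fw-log-ports type object
 service 0 protocol udp source-port 0 to 65535 destination-port 9902
 service 1 protocol udp source-port 0 to 65535 destination-port 9903
 service 2 protocol udp source-port 0 to 65535 destination-port 9996
#
security-policy
 rule name Allow_transmit_log_to_Log_Server
  source-zone trust
  destination-zone dmz
  source-address 10.1.1.0 mask 255.255.255.0
  destination-address 10.1.2.10 mask 255.255.255.255
  service syslog
  action permit
 rule name Allow_outbound_log_to_Log_Server
  source-zone local
  destination-zone dmz
  destination-address 10.1.2.10 mask 255.255.255.255
  service syslog
  service fw-log-ports
  action permit
#
# Verification: list the rules, then check hit counts after sending logs.
display security-policy rule all
display security-policy rule name Allow_transmit_log_to_Log_Server
```

The first rule corresponds to table row 101 (transit syslog from the Trust subnet) and the second to row 102 (the firewall's own logs, source zone local, so no source address is given). Neither rule permits anything other than the log ports toward the single log server host; if the log server is ever moved, change only the destination-address lines rather than widening them.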