Re: [FW1] Something to watch out for
Ryan Russell wrote:
>
> This confirmed what I was afraid of. If a "connection" is
> established, be it TCP or UDP (for those who don't
> know.. FW-1 imposes the concept of a session on
> UDP traffic internally) that connection creates one
> log entry. It doesn't matter how many packets go
> through, it's still one log entry. It doesn't matter if that
> connection goes on for days... it's still only one log entry..
> as long as it doesn't stop for several minutes.
You can also check under "Active" connections in the log viewer. This
_should_ display any on-going session, and give you a date/time of when
the session was first established. In fact I usually do an
fwstop/fwstart if I notice the date/time stamp on some of the earliest
sessions are a bit old. This helps to prevent the type of activity you
described.
> So, the moral of the story is that if you have an internal
> machine that goes nuts and sends the same packet
> over and over again, and you're looking for it in your logs..
> You're not looking for hundreds of log entries, you're
> looking for one.. and you don't know how far back you
> need to look.
Very true!
Cheers,
Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
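
An added illustration of the logging behaviour discussed in this message (not part of the original post and not Check Point code): the sketch models one log entry per session and shows a constructed host that repeats a packet for three days producing a single entry dated three days back. The 5-minute idle timeout stands in for the "several minutes" mentioned above and is an assumption, as are the flow tuples, addresses and function names.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)  # assumption: the thread only says "several minutes"

def session_log_entries(packets, idle_timeout=IDLE_TIMEOUT):
    """Collapse (timestamp, flow) packets into one log entry per session.

    A flow is (src, dst, proto, dport). A new entry is written only when the
    flow has no session yet or its previous session sat idle past the timeout.
    """
    open_sessions = {}  # flow -> index of its current entry
    entries = []
    for ts, flow in sorted(packets):
        idx = open_sessions.get(flow)
        if idx is not None and ts - entries[idx]["last"] <= idle_timeout:
            entries[idx]["last"] = ts          # same session: no new log line
            entries[idx]["packets"] += 1
        else:
            open_sessions[flow] = len(entries)
            entries.append({"flow": flow, "start": ts, "last": ts, "packets": 1})
    return entries

def stale_sessions(entries, now, max_age, idle_timeout=IDLE_TIMEOUT):
    """Sessions still active at `now` whose only log entry is older than max_age."""
    return [e for e in entries
            if now - e["last"] <= idle_timeout and now - e["start"] > max_age]

def build_sample():
    """Constructed traffic: one host repeating a UDP packet every minute for
    three days, and a second host sending three packets ten minutes apart."""
    t0 = datetime(2000, 1, 1, 0, 0)
    noisy = ("10.0.0.5", "192.0.2.10", "udp", 53)
    sparse = ("10.0.0.6", "192.0.2.10", "udp", 53)
    pkts = [(t0 + timedelta(minutes=i), noisy) for i in range(3 * 24 * 60)]
    pkts += [(t0 + timedelta(minutes=10 * i), sparse) for i in range(3)]
    return t0, pkts

if __name__ == "__main__":
    t0, pkts = build_sample()
    entries = session_log_entries(pkts)
    for e in entries:
        print(e["flow"][0], "logged at", e["start"], "packets:", e["packets"])
    # Sessions worth reviewing: active now, but logged more than a day ago.
    for e in stale_sessions(entries, t0 + timedelta(days=3), timedelta(hours=24)):
        print("long-lived:", e["flow"], "since", e["start"])
```

The noisy host's 4320 packets collapse into one entry, while the quiet host, whose gaps exceed the timeout, gets a fresh entry for each packet.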