Creating rules from the log

You can create rules for denied access attempts directly from the alert and system logs. The alert log (Monitoring & Statistics > Logs > Alert Log) is preferred, since you can filter directly for Connection Blocked entries.

To use this functionality, the firewall must be configured accordingly:

  1. Under Monitoring & Statistics > Settings, the setting for Blocked Forwarded Traffic has to be set to Save Raw Data Locally in order for the firewall to access the necessary data.
  2. An Internet connection has to be defined if there is no data traffic between internal networks on different interfaces of the firewall.

As soon as data traffic is blocked, entries of the "Connection Blocked" category should appear in the alert log.

On the right-hand side of each of these entries, the action menu offers the option Create a new rule. A new dialog is then displayed in which you can define a rule (with fewer options than the Connection dialog).

Range / input field and description:

Log information
    Information about the selected entry is listed here. Example: data was to be sent from a host (192.168.3.3) on the internal network via the interface "eth3" using "ICMP" to the destination 192.168.5.5.

Service
    In the "Service" section, the user decides whether to use a predefined or custom service or to create a new custom service. Only services whose port and protocol match the blocked access are displayed; in this example that is port 0 (no port) with the ICMP protocol. A newly created service takes on the same port and protocol settings, and a user-defined name can be entered.

Source, Action and Destination
    Any data still missing for the desktop connection must be entered in the lower area. Here, too, you decide whether the source and destination are existing desktop objects or whether new desktop objects should be created. It is also possible to connect a new object to an existing one.

    The available desktop objects include all Internet objects and all desktop objects with a matching IP address and interface; this can also apply to VPN desktop objects. The desktop object selected by default is the one that most closely matches the interface and the IP address. In our example, a host object with 192.168.3.3 and eth3 takes priority over a network object with 192.168.3.0/24. If there is no suitable desktop object to select, an Internet object is used instead.

    If you want to create a new desktop object, you are limited to one host or network object so that creating a rule stays quick and easy. The interface and the IP address are preselected according to the blocked entry; all you have to enter is a name. For the interface you can, if necessary, choose any of the available interfaces without restriction. The address must either match the blocked access attempt or at least be from a network that contains its IP address, e.g. 192.168.3.0/24 or 192.168.0.0/16. Depending on the selected address, a host or a network object is created.

    After selecting the source and destination you can still, if necessary, change the type of access or the NAT by clicking the corresponding icons, as with the rules for a desktop connection. Typically, the access should be source-to-destination or two-way. Because NAT is usually needed to reach an Internet address, NAT is always preselected in the direction of the Internet object. If no Internet object is selected, NAT is deactivated by default.
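The default-object selection and the address check described above, written out as an added Python example (not LANCOM's own code): it models the most-specific-match rule (host before network before Internet object, same interface required), the rule that a new object's address must contain the blocked IP, and the default NAT state. The log entry format, object names and the DesktopObject class are constructed for the example and are not the firewall's real data model.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a "Connection Blocked" entry, modelled on the text's example.
BLOCKED = {"src": "192.168.3.3", "iface": "eth3", "proto": "ICMP", "port": 0,
           "dst": "192.168.5.5"}

@dataclass
class DesktopObject:          # constructed model, not the firewall's object model
    name: str
    kind: str                 # "host", "network" or "internet"
    address: str = ""         # host IP or network prefix; empty for an Internet object
    iface: str = ""           # bound interface; empty for an Internet object

def matches(obj, ip, iface):
    """True if the object can stand for the blocked address on that interface."""
    if obj.kind == "internet":
        return True           # Internet objects are always offered as a fallback
    if obj.iface != iface:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(obj.address, strict=False)

def default_object(objects, ip, iface):
    """Preselect the most specific match: host, then longest network prefix, then Internet."""
    rank = {"host": 0, "network": 1, "internet": 2}
    candidates = [o for o in objects if matches(o, ip, iface)]
    if not candidates:
        return None
    def key(o):
        prefix = ipaddress.ip_network(o.address, strict=False).prefixlen if o.address else -1
        return (rank[o.kind], -prefix)   # lower rank wins; longer prefix wins within a rank
    return min(candidates, key=key)

def new_object_address_ok(address, ip):
    """A new host/network object must be the blocked IP itself or a network containing it."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(address, strict=False)

def nat_enabled_by_default(src_obj, dst_obj):
    """NAT is preselected only when an Internet object is involved."""
    return "internet" in (src_obj.kind, dst_obj.kind)

if __name__ == "__main__":
    objs = [DesktopObject("LAN3", "network", "192.168.3.0/24", "eth3"),
            DesktopObject("Host-3-3", "host", "192.168.3.3", "eth3"),
            DesktopObject("Internet", "internet")]
    print(default_object(objs, BLOCKED["src"], BLOCKED["iface"]).name)
```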

After the rule is created, you can use the Log dialog to create further rules or you can close the dialog. If you have created new rules, you will be asked to activate the rules after closing the Log dialog.

www.lancom-systems.com

LANCOM Systems GmbH | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E-Mail info@lancom.de
