Firewall Log Reviewing, IP List, Tracking Trends, Bandwidth, etc on your network
I'll start off with a quick note, question and short lecture.
Note: Firewalls that will log just about everything you need start at about $75.00 and are really nice.
Question: Do you log active connections to your network from external sources?
Lecture: "Head in the Sand", chapter 9. While you check your email in the morning, browse over to your firewall log server or firewall and log in (http://192.168.1.1/). Take a quick glance at the log, scrolling down as fast as you can down your first cup of coffee. Do you see anything that stands out? (I'm not worried about 40 IP attacks; look for something that really stands out.)
Keeping a good list of the IP addresses of those that just haven't learned to play nicely online is a good thing. I'll start by showing you how I keep logs and how I trend select networks. After that it's your choice to allow or deny. It's not a question of "I need access from anywhere." You can lock down your VPN to your country, or maybe you're like me and block everything that's not on my phone's network and my cable network. Why would I allow IP connections from a telephone company that I don't use? It is my VPN (Virtual Private Network); why share it?
With that said, I'll start off with my morning coffee and review my firewall and router logs.
Everything looks fine... wait a minute, normal upload and download traffic seems to spike at just about 8:30AM. Was someone watching 120 channels of HD movies? It was the full bandwidth of the network.
It lasted under a minute. Let's see, 54.84MB per second data transfer rate, 4,112MB total transfer. It was logged at 8:40pm.
Did they get my SQL database? My downloads? 4.1Gb of data is like one of my DVD ISO images. I wonder if it was a single download or hundreds of files in a folder download.
The fact is, a connection was made that seriously taxed the system for a few minutes downloading something. It could have been a spider bot or something, but now that we have identified unusual traffic we have to make a choice between:
- 1. Put our head in the sand and get a donut with your second cup of coffee.
- 2. Log the event on paper and start researching what connections were made between 08:40 and 08:50 on your network.
I'll pick number 2 and a second cup of coffee now.
I've exported the report in PDF (thanks to WatchGuard's Log Manager).
Running report: Source by Bandwidth (On-Demand Reports), with the selected time edited to show only 08:30 to 09:00. In the XTM series you can edit to the minute, which really speeds up reporting.
Now that I've generated my report slice for the time period I selected, I can start looking to see just who the bandwidth hog is.
Next, the Web Activity report shows the spike was at 08:40:45, but the overall bandwidth was steady for about 10 minutes. It's all coming clear now and I can go back to my coffee.
It was Googlebot indexing the IIS server, and doing a good job of it. Not only did it index, it made sure it consumed about 4Gb of data in less than 10 minutes. For some that might be an issue, but for others it's a "Love to see you" and "Hate how you slow things down" but "Nice having you index us again!"
In my case I'll set the bot to slow down a bit in Webmaster Tools. But it's not of any concern now that I know who, what and when things happened on the network.
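As an added example (not from this post and not WatchGuard's own code), here is the same triage done in Python against a constructed log excerpt: slice the export to the 08:30 to 09:00 window, rank sources by bytes like the Source by Bandwidth report, and then, rather than taking a crawler's word for it, confirm a suspected Googlebot address with the reverse-then-forward DNS check. The log format, the IP addresses and the DNS lookup tables are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not a real WatchGuard format): one flow per line.
SAMPLE_LOG = """\
2011-10-27 08:29:50 src=198.51.100.4 dst=192.0.2.10 bytes=120000
2011-10-27 08:40:12 src=203.0.113.7 dst=192.0.2.10 bytes=1500000000
2011-10-27 08:40:45 src=203.0.113.7 dst=192.0.2.10 bytes=2500000000
2011-10-27 08:41:03 src=198.51.100.4 dst=192.0.2.10 bytes=80000
2011-10-27 08:47:30 src=203.0.113.7 dst=192.0.2.10 bytes=112000000
2011-10-27 09:05:00 src=203.0.113.7 dst=192.0.2.10 bytes=900000000
"""
LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dst=(\S+) bytes=(\d+)$")

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip anything that is not a flow record
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "src": m.group(2), "dst": m.group(3), "bytes": int(m.group(4))}

def slice_window(log_text, start, end):
    """The 'edit to the minute' step: keep records whose time of day is in [start, end)."""
    lo, hi = (datetime.strptime(s, "%H:%M").time() for s in (start, end))
    return [r for r in map(parse_line, log_text.splitlines()) if r and lo <= r["ts"].time() < hi]

def source_by_bandwidth(records):
    """The 'Source by Bandwidth' report: total bytes per source, biggest hog first."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def verified_googlebot(ip, rdns, fwd):
    """Don't trust the user agent: reverse-resolve the IP, require a Google crawler
    domain, then forward-resolve that name and require it to map back to the same IP."""
    host = rdns(ip) or ""
    if not host.endswith((".googlebot.com", ".google.com")):
        return False
    return fwd(host) == ip

if __name__ == "__main__":
    window = slice_window(SAMPLE_LOG, "08:30", "09:00")
    for src, total in source_by_bandwidth(window):
        print(f"{src:16} {total / 1e6:10.1f} MB")
    rdns = {"203.0.113.7": "crawl-203-0-113-7.googlebot.com"}.get  # constructed stand-in for live DNS
    fwd = {"crawl-203-0-113-7.googlebot.com": "203.0.113.7"}.get
    print("verified Googlebot:", verified_googlebot("203.0.113.7", rdns, fwd))
```

Against a live box, swap the two lookup tables for `socket.gethostbyaddr` and `socket.gethostbyname`; a source whose reverse name claims to be a Google crawler but fails the forward check is worth a second look.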
I'll do a video the next reporting day to show you just how fast and easy it is. I'll use the WatchGuard XTM one day and then a simple Netgear router that a lot of home and small business users have. The Netgear doesn't do the reports the same way, but you can trend by connections, and using one of the workbooks I have posted online you can see who's who at a glance with some lookups.
Have a good Log Reading Morning!
Thursday Oct 27 2011
How to read logs: Netgear ProSafe VPN Firewall FVS318v3 and other similar devices.
Many of us have not had to read or understand the log reports created by our VPN appliances. In today's world we need to know what our VPN is telling us. I have an example of one log from a system that was online for only a few days.