Adding logging profiles
BIG-IQ® Security: Administration
Network Firewall Security - Network Firewall | Description
drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
• Reject - Specifies, when enabled, that the system logs packets that match ACL rules configured with action = Reject. When enabled, you can specify a rate limit for all network firewall log messages with this action. If this rate limit is exceeded, log messages of this action type are not logged until the threshold drops below the specified rate. You can specify a Rate Limit value of Indefinite or Specify.
Log IP Errors: Specifies, when enabled, that the system logs IP error packets. When enabled, you can specify a rate limit for all network firewall log messages of this type. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
Log TCP Errors: Specifies, when enabled, that the system logs TCP error packets. If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
Log TCP Events: Specifies, when enabled, that the system logs TCP events (open and close of TCP sessions). If this rate limit is exceeded, log messages of this type are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
Log Translation Fields: Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.
Always Log Region: Specifies, when enabled, that the geographic location should be logged when a geolocation event causes a network firewall event.
Storage Format: Specifies the format type for log messages. You can configure the following options:
• None - Specifies that the system uses the default format type to log the messages to a Remote Syslog server. This is the default setting.
• Field-List - Specifies that the system uses a set of fields, set in a specific order, to log messages. When Field-List is selected, specify the field list as follows.
  • Specify the delimiter string in the Delimiter field. The default delimiter is the comma character (,).
    Note: You may not use the $ character because it is reserved for internal usage.
  • Select the fields to use. Unused fields are in the Available list, selected fields are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
• User-Defined - Specifies that the format the system uses to log messages is in the form of a user-defined string. Select the items for the server to log. Unused items are in the Available list, selected items are in the Selected list. Use the Move arrow buttons to transfer the selected items between the lists.
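Added example, not part of the F5 documentation: a collector-side parser for the Field-List storage format described above. It rejects message bodies whose field count does not match the configured order and flags seconds whose event count reached the configured rate limit, where further messages may have been suppressed. The field names, timestamp format and sample lines are constructed assumptions.

```python
from collections import Counter

# Assumption: order mirrors the profile's Selected list; field names are illustrative.
FIELDS = ["date_time", "src_ip", "src_port", "dest_ip", "dest_port", "protocol", "action"]
RATE_MAX = 4294967295  # value the page gives for Indefinite


def check_profile(delimiter, rate_limit):
    if not delimiter or "$" in delimiter:
        raise ValueError("delimiter must be non-empty and must not contain '$'")
    if not 0 <= rate_limit <= RATE_MAX:
        raise ValueError("rate limit must be between 0 and 4294967295")


def parse_body(body, fields=FIELDS, delimiter=","):
    """Map one Field-List message body to a dict; None if the field count is off."""
    # A value containing the delimiter shifts every later column, so a count
    # mismatch is rejected rather than silently mis-attributed.
    values = body.rstrip("\r\n").split(delimiter)
    if len(values) != len(fields):
        return None
    return dict(zip(fields, values))


def triage(bodies, rate_limit, fields=FIELDS, delimiter=","):
    """Return (events, rejected bodies, seconds whose count reached the limit)."""
    check_profile(delimiter, rate_limit)
    events, rejected = [], []
    for body in bodies:
        event = parse_body(body, fields, delimiter)
        if event is None:
            rejected.append(body)
        else:
            events.append(event)
    per_second = Counter(e["date_time"] for e in events)
    # Heuristic: a second that reached the limit may have had messages suppressed.
    saturated = sorted(ts for ts, n in per_second.items() if n >= rate_limit)
    return events, rejected, saturated


# Constructed sample bodies (syslog header already stripped), not device output.
SAMPLE = [
    "2024-01-01T10:00:00,198.51.100.7,40001,192.0.2.10,443,TCP,Reject",
    "2024-01-01T10:00:00,198.51.100.7,40002,192.0.2.10,443,TCP,Reject",
    "2024-01-01T10:00:01,198.51.100.9,40003,192.0.2.10,22,TCP,Drop",
    "2024-01-01T10:00:01,198.51.100.9,40004,192.0.2.10,22,TCP,Drop,extra",
]

print(triage(SAMPLE, rate_limit=2)[1:])
```

Rejected bodies are worth keeping for review: a recurring mismatch usually means the collector's field order or delimiter no longer matches the logging profile.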
In the Network Firewall Security IP Intelligence section, you configure where IP intelligence events are logged. If the IP intelligence feature is enabled and licensed, you can configure the system to log source IP addresses that match an IP intelligence blacklist or whitelist category, as determined by the database of preconfigured categories, or as determined from an IP intelligence feed list.
Network Firewall Security - IP Intelligence | Description
Publisher: Specifies the name of the log publisher used for logging IP address intelligence events. Select a log publisher configured in your system.
Aggregate Rate Limit: Defines a rate limit for all combined IP intelligence log messages per second. Beyond this rate limit, log messages are not logged until the threshold drops below the specified rate. You can select a Rate Limit value of Indefinite, which means the rate limit is set to the maximum of 4294967295, or you can select Specify and specify an integer between 0 and 4294967295 that represents the number of messages per second.
Log Translation Fields: Specifies, when enabled, that translation values are logged if and when a network firewall event is logged.
In the Network Firewall Security Traffic Statistics section, you configure logging of traffic statistics.
Network Firewall Security - Traffic Statistics | Description
Publisher: Specifies the name of the log publisher used for logging traffic statistics. Select a log publisher configured in your system.
Log Timer Events:
• Active Flows - When enabled, logs the number of active flows each second.
• Reaped Flows - When enabled, logs the number of reaped flows, or connections that are not established because of system resource usage levels.
• Missed Flows - When enabled, logs the number of packets that were dropped because of a flow table miss. A flow table miss occurs when a TCP non-SYN packet does not match an existing flow.
• SYN Cookie (Per Session Challenge) - When enabled, logs the number of SYN cookie challenges generated each second.
• SYN Cookie (White-listed Clients) - When enabled, logs the number of whitelisted SYN cookie clients each second.
In the DoS Protection sections, you configure where DoS events are logged.