ER605 System Log

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-09-13 09:29:48
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.1.2

The system log, by default, does not seem to record Firewall intrusion attempts such as an incoming connection being dropped.

How does one configure the system log to record these events?

Re:ER605 System Log
2023-09-14 01:23:52 - last edited 2023-09-14 01:24:32

Hi @MisterW

Thanks for posting in our business forum.

Assuming you are using the controller, if you are referring to the IDS/IPS, you should check it in Threat Management. Insight > Threat Management.

I don't think the system log should not be mixed with the IDS/IPS. The log itself already has many event/alert options.

 

If you mean Firewall and Attack Defense, they have matching options in the Log.

Best Regards!
Re:ER605 System Log
2023-09-14 06:59:12 - last edited 2023-09-14 07:00:51

  @Clive_A 

Thanks for the reply.

 

"Assuming you are using the controller,"

No, I'm running in standalone mode.

 

I have all of the options checked in the Firewall Attack Defense, apart from Block TCP scan with RST & Block large ping.

I have the system log set to Severity, All Level.

 

If I attempt to make an incoming connection from the internet, say something like a VNC remote access on port 5500, the connection is obviously blocked by the Firewall, since there is no Virtual server defined in my router for VNC. However there is nothing showing in the log regarding the blocked connection. I would have expected that something as basic as the blocked connection attempt would be logged together with information as to where (IP) the connection attempt was made. Every other router I've used shows this basic information in its event log.

Re:ER605 System Log
2023-09-14 07:56:49

Hi @MisterW 

Thanks for posting in our business forum.

Nope. This is not correct.

First, if the port is not open, when someone accesses it, it does not mean it's an RST. If you wanna test this, use Nmap. Not VNC remote.

Second, the log does not record such a common access denial. It does not represent anything at all. Why would it be considered a threat? This is normal in TCP/IP. If the router records this, then you should spend much more time reviewing the logs and the list should be thousands in a day.

If you have trouble with this part, you can search it on YouTube and check some common ways to start an attack and see if the router records.

 

Best Regards!