ER605 System Log
The system log, by default, does not seem to record Firewall intrusion attempts such as an incoming connection being dropped.
How does one configure the system log to record these events ?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @MisterW
Thanks for posting in our business forum.
Assuming you are using the controller, if you are referring to the IDS/IPS, you should check it in Threat Management. Insight > Threat Management.
I don't think the system log should not be mixed with the IDS/IPS. The log itself already has many event/alert options.
If you mean Firewall and Attack Defense, they have matching options in the Log.
- Copy Link
- Report Inappropriate Content
Thanks for the reply.
Assuming you are using the controller,
No, I'm running in standalone mode.
I have all of the options checked in the Firewall Attack Defense, apart from Block TCP scan with RST & Block large ping.
I have the system log set to Severity , All Level
If I attempt to make an incoming connection from the internet , say something like a VNC remote access on port 5500, the connection is obviously blocked by the Firewall, since there is no Virtual server defined in my router for VNC. However there is nothing showing in the log regarding the blocked connection. I would have expected that something as basic as the blocked connection attempt would be logged together with information as to where (IP) the connection attempt was made. Every other router I've used shows this basic information in its event log
- Copy Link
- Report Inappropriate Content
Hi @MisterW
Thanks for posting in our business forum.
MisterW wrote
Thanks for the reply.
Assuming you are using the controller,
No, I'm running in standalone mode.
I have all of the options checked in the Firewall Attack Defense, apart from Block TCP scan with RST & Block large ping.
I have the system log set to Severity , All Level
If I attempt to make an incoming connection from the internet , say something like a VNC remote access on port 5500, the connection is obviously blocked by the Firewall, since there is no Virtual server defined in my router for VNC. However there is nothing showing in the log regarding the blocked connection. I would have expected that something as basic as the blocked connection attempt would be logged together with information as to where (IP) the connection attempt was made. Every other router I've used shows this basic information in its event log
Nope. This is not correct.
First, if the port is not open, when someone accesses it, it does not mean it's an RST. If you wanna test this, use Nmap. Not VNC remote.
Second, the log does not record such a common access denial. It does not represent anything at all. Why would it considered a threat? This is normal in TCP/IP. If the router records this, then you should spend much more time reviewing the logs and the list should be thousands in a day.
If you have trouble with this part, you can search it on Youtube and check some common ways to start an attack and see if the router records.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 652
Replies: 3
Voters 0
No one has voted for it yet.