Logging & Monitoring of ACL rules
After couple attempts at truly isolating my VLANs resulted in locking myself out of my network, I'm looking into giving it another shot.
Troubleshooting such failures is limited to disabling deny rules.
I don't even know how reliable that is because the time it takes for rule changes to be picked up is not clear.
I expecting to find some setting allow me to log which rules fired (especially deny rules).
I didn't find anything like this in the Controller interface.
While looking for something else, I stumbled on this in the Controller User Guide REV 5.12, specifically in the Gateway ACL section:
My OC200 features Controller Version: 5.13.30.20. The Help Center mentions the same capability.
Yet the Log option is still nowhere to be found in the actual screen.
Just in case the remote logging is a pre-requisite, I tipped up a syslog server on my media center and pointed my OC to it (on that note, it'd be nice to know whether devices where going to use UDP or TCP for syslog). I verified it worked by logging off and back on.
No changes in the Gateway ACL screen though... Still no Log option.
Is my gateway (ER605 v1 with FW 1.3.1) not supporting this feature? Is this the reason why I don't see this option?
EricPerl wrote
After couple attempts at truly isolating my VLANs resulted in locking myself out of my network, I'm looking into giving it another shot.
Troubleshooting such failures is limited to disabling deny rules.
I don't even know how reliable that is because the time it takes for rule changes to be picked up is not clear.
I expecting to find some setting allow me to log which rules fired (especially deny rules).
I didn't find anything like this in the Controller interface.
While looking for something else, I stumbled on this in the Controller User Guide REV 5.12, specifically in the Gateway ACL section:
My OC200 features Controller Version: 5.13.30.20. The Help Center mentions the same capability.
Yet the Log option is still nowhere to be found in the actual screen.
Just in case the remote logging is a pre-requisite, I tipped up a syslog server on my media center and pointed my OC to it (on that note, it'd be nice to know whether devices where going to use UDP or TCP for syslog). I verified it worked by logging off and back on.
No changes in the Gateway ACL screen though... Still no Log option.
Is my gateway (ER605 v1 with FW 1.3.1) not supporting this feature? Is this the reason why I don't see this option?
Hi @EricPerl
You need to enable the remote logging function if you want to use this function. But the Remote Logging is only available on the MSP mode. In MSP View, go to Settings > MSP Settings, and go to Services, enable Remote Logging,
Or may I know more details about your request? For example, what is your network topology and what kind of scenario you would like to achieve?
Hi @Hank21 ,
I'm even more confused now.
On my OC200 V2 with Controller Version 5.13.30.20, I found couple places where I could enable Remote Logging.
The first one was in the Controller Settings in Global View (Services frame).
The second one was in Site Settings for my only site (Services frames as well).
The pic I pasted in my original post is from the Gateway ACL section (page 104), nowhere near the MSP stuff.
[Edit: The Help Center for Settings->Site Settings-> Network Security->ACL->Gateway ACL has this bit too
]
My OC200 does not expose that MSP option and that seems quite involved anyway...
My topology is quite simple.
I have the following devices (indentation represents what's plugged into what):
ER605 V1
TL-SG2008P V1
OC200 V1
TL-SG2008 V3
EAP245 V3
I'm fairly constrained on the physical wired network by the wiring of my house (every room wired to a comm panel).
I have all devices near the comm panel, apart from the second switch that's in a room with a bunch of equipment (printer, PC, media & gaming stuff).
I have another with multiple devices but they all fit in the same category so an dumb switch is fine there.
My goal is to achieve some form of isolation between clients of various trustworthiness (Network, Productivity, Alarm, Fun, IoT).
Since my physical topology doesn't allow clean isolation, I'm doing it using VLANs.
The VLAN setup was easy enough, but given the built-in inter-VLAN routing, that only buys me a hurdle to discovery (and maybe some perf).
So I played with ACLs once and got burned. I'm giving it another go.
The absence of logging makes things more difficult.
- If I make a mistake while setting up my ACLs, logging would help pointing me at the offending rule while I test main use cases.
- I might have a device on my network that's hacked, e.g. an IoT device trying to access my PCs, and while an ACL might protect me, I have almost no way to discover the compromise and repair or discard the hacked device.
- I also fear there's some use case that's not core and that I won't verify right away could be broken. A log entry might alert me preemptively (hmm, this client is trying to communicate to that client, maybe that's legit and I can do some additional research).