Appendix B Configuration for Common Criteria EAL2
Installer's Guide
When creating a policy, always make sure that counting and logging are
enabled. This ensures that all traffic matching the policy is logged appropriately.
When creating a policy, always use specific source IP, destination IP, source
zone, destination zone, protocol, and service when feasible. One example where
it may not make sense to be specific is for traffic destined for an external
network for general web access.
The following is an example of a valid policy:

set policy id 1 from trust to untrust 192.168.1.2 1.1.1.1 ftp permit count log

The above policy allows traffic from 192.168.1.2 to 1.1.1.1 for FTP traffic only,
with the Trust zone as the source and the Untrust zone as the destination, and
enables logging and counting.
• All traffic from an internal network to an external network must flow through
the NetScreen device. Setting up network connections that do not cross the
NetScreen device is not a secure setup and leaves the network susceptible to
intrusion attacks.
• The CLI is the only administration interface available in the evaluated
configuration of the NetScreen devices for Common Criteria EAL2.
• Currently, NetScreen devices are in evaluation for Common Criteria EAL2. This
certification is for NetScreen devices to be deployed in environments where the
threat of malicious attacks aimed at discovering exploitable vulnerabilities is
considered low.
STARTING, STOPPING, AND REVIEWING AUDIT LOGS
The NetScreen device automatically logs the starting and stopping of audit logs. Each
time the device boots up, message logging automatically begins (see the Traffic Log
messages section in the Messages Log). Upon initial bootup, the message "system is
operational" indicates that all message logging has started. The command "get log
setting" shows the current state of the logging settings.
To enable or disable any of the eight message logging states, the administrator must issue
one of the following commands:
set log module system level level-name dest syslog
unset log module system level level-name dest syslog
where level-name is one of the following:
• emergency
• alert
• critical
• error
• warning
• notification
• information
• debugging
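The two rules above (every policy carries "count log" and avoids "any" where feasible, and all eight message levels are routed to syslog) are easy to state and easy to drift away from as a configuration grows. The script below is an added example, not part of the guide or of ScreenOS itself: it reads a saved configuration in the CLI syntax shown on this page and reports the policies and log levels that fall short. The configuration text, the "broad_ok_zones" parameter (the zone where general web access is deliberately left broad) and the finding wording are all constructed for illustration; only the "set policy", "set log module system level ... dest syslog" and "unset ..." forms come from the page.

```python
"""Audit a ScreenOS-style CLI configuration against the guide's two rules.

Added example; the config below is constructed, not taken from any device.
  1. Every `set policy` line must carry both `count` and `log`.
  2. A policy should not use `any` for source, destination or service unless
     its destination zone is one the operator intentionally keeps broad
     (the guide's general-web-access case; assumed here to be "untrust").
  3. All eight message levels must be sent to syslog, honouring a later
     `unset` that switches a level off again.
"""
import re

# The eight level names listed in the guide, in the guide's order.
LEVELS = ("emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debugging")

# Constructed sample configuration (assumption: "untrust" is the web-access zone).
SAMPLE_CONFIG = """
set policy id 1 from trust to untrust 192.168.1.2 1.1.1.1 ftp permit count log
set policy id 2 from trust to dmz any 10.0.0.5 http permit
set policy id 3 from dmz to trust any any any permit log
set policy id 4 from trust to untrust 192.168.1.0/24 any http permit count log
set log module system level emergency dest syslog
set log module system level alert dest syslog
set log module system level critical dest syslog
set log module system level error dest syslog
set log module system level warning dest syslog
set log module system level notification dest syslog
set log module system level information dest syslog
set log module system level debugging dest syslog
unset log module system level debugging dest syslog
"""

# set policy id <id> from <zone> to <zone> <src> <dst> <service> <action> [options...]
POLICY_RE = re.compile(
    r"^set policy id (\d+) from (\S+) to (\S+) (\S+) (\S+) (\S+) (\S+)(.*)$")
# set|unset log module system level <level> dest syslog
LOG_RE = re.compile(r"^(set|unset) log module system level (\S+) dest syslog$")


def parse_policies(config):
    """Return one dict per `set policy` line, in configuration order."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        pid, src_zone, dst_zone, src, dst, svc, action, rest = m.groups()
        policies.append({
            "id": int(pid), "from": src_zone, "to": dst_zone,
            "src": src, "dst": dst, "service": svc, "action": action,
            "options": set(rest.split()),   # e.g. {"count", "log"}
        })
    return policies


def audit_policies(config, broad_ok_zones=("untrust",)):
    """Return (policy_id, finding) tuples for rules 1 and 2."""
    findings = []
    for p in parse_policies(config):
        missing = {"count", "log"} - p["options"]
        if missing:
            findings.append((p["id"], "missing " + "/".join(sorted(missing))))
        broad = [f for f in ("src", "dst", "service") if p[f].lower() == "any"]
        if broad and p["to"] not in broad_ok_zones:
            findings.append((p["id"], "uses 'any' for " + "/".join(broad)))
    return findings


def audit_syslog_levels(config):
    """Return the levels NOT routed to syslog once set/unset lines are applied in order."""
    enabled = set()
    for line in config.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        verb, level = m.groups()
        if verb == "set":
            enabled.add(level)
        else:
            enabled.discard(level)
    return [lvl for lvl in LEVELS if lvl not in enabled]


if __name__ == "__main__":
    for pid, finding in audit_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: {finding}")
    for level in audit_syslog_levels(SAMPLE_CONFIG):
        print(f"level {level}: not sent to syslog")
```

On the sample, policies 2 and 3 are reported (no counting/logging, and "any" toward zones that are not the broad web-access zone), policy 4 passes because its "any" destination goes to untrust, and "debugging" is reported because the trailing "unset" removes it again. Run the script against the output of "get config" saved to a file to apply the same checks to a real device.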