Intrusion Defense Firewall 1.2 User's Guide - Trend Micro
Firewall and DPI

Network Engine Mode

The Client Plug-in's network engine can operate Inline or in Tap Mode. When operating Inline, the live packet stream passes through the network engine. Stateful tables are maintained, Firewall Rules are applied and traffic normalization is carried out so that DPI Rules can be applied to payload content. When operating in Tap Mode, the live packet stream is cloned and diverted from the main stream. In Tap Mode, the live packet stream is not modified; all operations are carried out on the cloned stream.

Firewall Events

You can set the maximum size of each individual log file and how many of the most recent files are kept. Firewall Event log files will be written to until they reach the maximum allowed size, at which point a new file will be created and written to until it reaches the maximum size, and so on. Once the maximum number of files is reached, the oldest will be deleted before a new file is created.

Maximum size of the event log files (on client plug-in): (see above)
Number of event log files to retain (on client plug-in): (see above)

Collect Firewall Events from Client Plug-in: Retrieve the latest Firewall Events from the Client Plug-in at every Heartbeat.

Events are records of individual events. Counters are a record of the number of times individual events have occurred. Events are used to populate the "Events" screens. Counters are used to populate the Dashboard Widgets (number of Firewall Events over the last 7 days, etc.) and the Reports. You might want to collect only counters if, for example, you are using syslog for event collection; events can potentially take up a lot of disk space and you may not want to store the data twice.

Do Not Record Events with Source IP of: This option is useful if you do not want IDF to record Events for traffic from certain trusted Computers.

The following three settings let you fine-tune Event aggregation. To save disk space, IDF Client Plug-ins take multiple occurrences of identical events and aggregate them into a single entry, appending a "repeat count", a "first occurrence" timestamp, and a "last occurrence" timestamp. To aggregate event entries, IDF Client Plug-ins need to cache the entries in memory while they are being aggregated, before writing them to disk.

Cache Size: Determines how many types of events to track at any given time. Setting a value of 10 means that 10 types of events will be tracked (each with a repeat count, first occurrence timestamp, and last occurrence timestamp). When a new type of event occurs, the oldest of the 10 aggregated events will be flushed from the cache and written to disk.

Cache Lifetime: Determines how long to keep a record in the cache before flushing it to disk. If this value is 10 minutes and nothing else causes the record to be flushed, any record that reaches an age of 10 minutes is flushed to disk.

Cache Staletime: Determines how long to keep a record whose repeat count has not been recently incremented. If Cache Lifetime is 10 minutes and Cache Staletime is two minutes, an event record which has gone two minutes without being incremented will be flushed and written to disk.

The cache is always flushed whenever Events are sent to the IDF Server Plug-in.
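The interaction of Cache Size, Cache Lifetime and Cache Staletime is easiest to see by simulating the aggregation cache on a small event stream. The following is an added example, not code from this guide or from Trend Micro's plug-in; it assumes that a record's "age" for Cache Lifetime is measured from its first occurrence, that Staletime is measured from its last increment, that the "oldest" record evicted when Cache Size is reached is the one with the earliest first occurrence, and that timestamps are in seconds. The event stream is constructed.

```python
from collections import OrderedDict

class EventAggregationCache:
    """Simulation of the Client Plug-in's event aggregation cache (added example,
    not Trend Micro code). Assumed semantics: Lifetime runs from first occurrence,
    Staletime from last increment, eviction removes the earliest first occurrence."""

    def __init__(self, cache_size, lifetime, staletime):
        self.cache_size = cache_size
        self.lifetime = lifetime
        self.staletime = staletime
        self.cache = OrderedDict()  # event type -> aggregated record, oldest first
        self.disk = []              # stand-in for the on-disk Firewall Event log

    def _flush(self, key):
        self.disk.append(self.cache.pop(key))

    def expire(self, now):
        """Flush records that have reached Cache Lifetime or gone stale."""
        for key, rec in list(self.cache.items()):
            if now - rec["first"] >= self.lifetime or now - rec["last"] >= self.staletime:
                self._flush(key)

    def record(self, key, now):
        """Aggregate one occurrence of event type `key` observed at time `now`."""
        self.expire(now)
        if key in self.cache:
            rec = self.cache[key]
            rec["repeat_count"] += 1
            rec["last"] = now
            return
        if len(self.cache) >= self.cache_size:
            # Cache Size reached: the oldest tracked type is flushed to make room.
            self._flush(next(iter(self.cache)))
        self.cache[key] = {"type": key, "repeat_count": 1, "first": now, "last": now}

    def heartbeat(self):
        """Events are sent to the Server Plug-in: the whole cache is flushed."""
        for key in list(self.cache):
            self._flush(key)
        return self.disk

def demo():
    # Constructed stream of (event type, seconds since start); 2 types tracked,
    # Lifetime 10 minutes, Staletime 2 minutes, as in the guide's examples.
    stream = [("A", 0), ("A", 30), ("B", 60), ("C", 90), ("C", 200), ("C", 700)]
    cache = EventAggregationCache(cache_size=2, lifetime=600, staletime=120)
    for key, t in stream:
        cache.record(key, t)
    return cache.heartbeat()
```

In the demo, A is evicted by Cache Size when C arrives, B is flushed as stale once it goes two minutes without a repeat, and the long-running C record is flushed by Lifetime and restarted with a fresh first-occurrence timestamp.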
© Copyright 2010 Trend Micro Inc. www.trendmicro.com
All rights reserved. - 59 -