Intrusion Defense Firewall 1.2 User's Guide - Trend Micro

Log packets that are "Out of Allowed Policy": Select whether you wish to log packets that are dropped because they have not been specifically permitted by an Allow rule or Firewall Rule. (Note that turning this option on can significantly increase the size of your log files.)

DPI Events

You can set the maximum size of each individual log file and how many of the most recent files are kept. DPI Event log files will be written to until they reach the maximum allowed size, at which point a new file will be created and written to until it reaches the maximum size, and so on. Once the maximum number of files is reached, the oldest will be deleted before a new file is created. DPI Event log entries usually average around 200 bytes in size, so a 4MB log file will hold about 20,000 log entries. How quickly your log files fill up depends on the number of DPI Rules in place.

Maximum size of the event log files (on client plug-in): (see above)

Number of event log files to retain (on client plug-in): (see above)

Collect DPI Events from Client Plug-in: Retrieve the latest DPI logs from the Client Plug-in at every Heartbeat.

Do Not Record Events with Source IP of: This option is useful if you want IDF to not make log entries for traffic from certain trusted Computers.

The following three settings let you fine tune Event aggregation. To save disk space, IDF Client Plug-ins will take multiple occurrences of identical events and aggregate them into a single entry and append a "repeat count", a "first occurrence" timestamp, and a "last occurrence" timestamp. To aggregate event entries, IDF Client Plug-ins need to cache the entries in memory while they are being aggregated before writing them to disk.

Cache Size: Determines how many types of events to track at any given time. Setting a value of 10 means that 10 types of events will be tracked (with a repeat count, first occurrence timestamp, and last occurrence timestamp). When a new type of event occurs, the oldest of the 10 aggregated events will be flushed from the cache and written to disk.

Cache Lifetime: Determines how long to keep a record in the cache before flushing it to disk. If this value is 10 minutes and nothing else causes the record to be flushed, any record that reaches an age of 10 minutes gets flushed to disk.

Cache Staletime: Determines how long to keep a record whose repeat count has not been recently incremented. If Cache Lifetime is 10 minutes and Cache Staletime is two minutes, an event record which has gone two minutes without being incremented will be flushed and written to disk.

The cache is always flushed whenever Events are sent to the IDF Server Plug-in.
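The aggregation behaviour described above, as an added example that is not part of the Trend Micro guide: a small Python model of the Client Plug-in cache with its three tunables (Cache Size, Cache Lifetime, Cache Staletime), each flush standing in for a write to disk. Timers in seconds and "oldest" meaning the record with the earliest first-occurrence timestamp are assumptions, not statements from the guide.

```python
from collections import OrderedDict
from dataclasses import dataclass
from typing import List


@dataclass
class AggregatedEvent:
    """One cache record: identical events collapsed into a single entry."""
    key: str            # event identity, e.g. DPI rule plus source/destination
    first_seen: float   # "first occurrence" timestamp (seconds)
    last_seen: float    # "last occurrence" timestamp (seconds)
    repeat_count: int = 1


class EventAggregationCache:
    """Models the three tunables on this page (seconds; eviction order is assumed):
    cache_size -- event types tracked at once; when full, the record with the
                  earliest first_seen is flushed to make room for a new type;
    lifetime   -- a record is flushed once it reaches this age;
    staletime  -- a record is flushed once its repeat count has gone this long
                  without being incremented."""

    def __init__(self, cache_size: int, lifetime: float, staletime: float):
        self.cache_size, self.lifetime, self.staletime = cache_size, lifetime, staletime
        self._entries: "OrderedDict[str, AggregatedEvent]" = OrderedDict()
        self.flushed: List[AggregatedEvent] = []  # stands in for "written to disk"

    def record(self, key: str, now: float) -> None:
        self.expire(now)
        if key in self._entries:  # identical event: bump the count and last_seen
            entry = self._entries[key]
            entry.repeat_count += 1
            entry.last_seen = now
            return
        if len(self._entries) >= self.cache_size:  # full: flush the oldest type
            _, oldest = self._entries.popitem(last=False)
            self.flushed.append(oldest)
        self._entries[key] = AggregatedEvent(key, now, now)

    def expire(self, now: float) -> None:
        """Flush records that have hit Cache Lifetime or Cache Staletime."""
        for key in list(self._entries):
            e = self._entries[key]
            if now - e.first_seen >= self.lifetime or now - e.last_seen >= self.staletime:
                self.flushed.append(self._entries.pop(key))

    def flush_all(self) -> None:
        """Heartbeat: the cache is always flushed when events go to the Server Plug-in."""
        self.flushed.extend(self._entries.values())
        self._entries.clear()
```

Sizing note: a larger Cache Size or Lifetime trades memory on the client for fewer log entries, while a short Staletime gets bursty events onto disk sooner at the cost of more records.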

Advanced

Allow DPI Rules to capture data for the first hit of each rule (in period): Keep the data from the packet that triggered a log entry. (The packet's data can be viewed with the log entry. Each rule will only capture data once in a five second period to avoid unduly large log files.)

Use Custom Driver Settings

CLOSED timeout: For gateway use. When a gateway passes on a "hard close" (RST), the side of the gateway that received the RST will keep the connection alive for this amount of time before closing it.

SYN_SENT Timeout: How long to stay in the SYN_SENT state before closing the connection.

SYN_RCVD Timeout: How long to stay in the SYN_RCVD state before closing the connection.

FIN_WAIT1 Timeout: How long to stay in the FIN_WAIT1 state before closing the connection.

© Copyright 2010 Trend Micro Inc. www.trendmicro.com All rights reserved. - 60 -
