12.07.2015 Views

Symantec™ Security Gateways Reference Guide - Sawmill


Chapter 8

Monitoring security gateway traffic

This chapter includes the following topics:

■ Active connections
■ View logs
■ SESA event gating
■ Reports setup
■ Configuration reports
■ Notifications
■ Advanced options

Active connections

Current and recently finished connections are monitored through the Active Connections window. This window provides general information on all active connections, including the type of connection, the source and destination IP address, the time the connection started, the time the connection finished (if applicable), and the rule that allowed the connection. This window also shows all blacklisted hosts. Viewing the properties of a connection shows the source and destination ports, and the source and destination interfaces.

In addition to viewing connections, the Active Connections window lets you kill undesired connections. Killing a normal session immediately terminates that connection. Killing a blacklisted host entry lets that IP address once again attempt to connect to the security gateway.

Note: Killing a connection does not prevent that connection from coming back. To effectively prevent a connection from reestablishing, you should first create a new rule or modify an existing rule to deny the connection before killing it.

View logs

Log files maintain a record of all activity to or through the security gateway. You can search and filter log files to display only pertinent information, or leave them unfiltered to display all activity. The View Logs window provides detailed information on all connections and connection attempts made.

The log file message format has changed. A log message now consists of a message code, message text, and a parameter list. For example, a message that once appeared like this:

“Jun 27 14:45:16.864 felix rtspd[590]: 120 rtspd Info: Daemon Started”
