Set Logging and Notification Preferences

For a packet filter or proxy policy, this check box appears in the Logging settings.

When you select this check box, the Firebox sends a log message when an event occurs that matches the configuration in the policy. You can review these log messages in Traffic Monitor and Log Manager.

For a proxy policy or a packet filter policy that denies connections, log messages are also used to generate reports. For a packet filter policy that allows connections, you must select this option to view log messages for connections the policy allows. Logging of allowed traffic is not enabled by default, but can be useful for troubleshooting.

If you do not have to actively monitor allowed connections in the log file, we recommend you do not select Send a Log Message for policies that allow traffic. This increases CPU load on the Firebox and reduces log storage in Dimension.

In Fireware v12.7 and higher, you can select an option to specify the maximum number of log messages the Firebox generates for some types of events. The options are:

• Set Maximum Log Rate — Specify the maximum number of log messages for each minute
• Unlimited — Do not limit the number of log messages

You can configure the log rate for Blocked Sites, Blocked Ports, and these Default Packet Handling categories:

• IP Spoofing Attacks
• Port Scan
• IP Scan
• IP Source Route
• IPSec, IKE, SYN, ICMP, UDP Flood Attacks
• DDOS Attack Destination
• DDOS Attack Source

The log rate you specify for Blocked Sites also controls the maximum number of Geolocation log messages.

Log rate limits apply to all logs of that type, regardless of the event that generates the log that reaches the limit. For example, if you set the Blocked Ports log rate limit to 5, after the Firebox generates 5 Blocked Ports logs in a minute, it does not generate any more Blocked Ports logs until the next minute.

For a packet filter policy that allows connections, this check box appears in the Logging settings.

For proxy policies, this setting is in the proxy action, and is called Enable Logging for Reports.

When you select this check box, the Firebox sends log messages used to generate reports about allowed connections.

When you select this check box, the Firebox sends an event notification to the SNMP management system. Simple Network Management Protocol (SNMP) is a set of tools used to monitor and manage networks. An SNMP trap is an event notification the device sends to the SNMP management system when a specified condition occurs.

If you select the Send SNMP Trap check box and you have not yet configured SNMP, a dialog box opens and asks if you want to do this. Click Yes to go to the SNMP Settings dialog box. You cannot send SNMP traps if you do not configure SNMP.

For more information about SNMP, go to:

• About SNMP
• Enable SNMP Management Stations and Traps for a Locally-Managed Firebox
• About SNMP Traps for Alarms

When you select this check box, the Firebox generates an alarm log message that contains alarm_type=email when the specified event occurs. All alarm messages appear in the Alarms report. You can also receive notification about alarms. For more information about notification, go to About Notification.

This setting enables the Firebox to send log messages required to generate the Alarms report, even if other logging settings are disabled.

When Dimension, WatchGuard Cloud, or a WSM Log Server receives the alarm log message, it can send an email notification to specified email addresses. For the server to send email notifications, you must configure email notification settings and email recipients in WatchGuard Cloud, Dimension, or WSM Log Server. For more information about how to configure email notification settings, go to:

• Dimension — Configure Notification Settings for Dimension
• WatchGuard Cloud — Configure Rules for Notifications
• WSM Log Server — Configure Notification Settings for the Log Server

You can enter values for these options to limit the number of notifications in a specified period of time:

• Launch Interval — The time (in minutes) for the notification interval. This limits the notifications sent for the same event to the number specified in the repeat count for the specified period of time.
• Repeat Count — The maximum amount of notifications to send. When the number of notifications sent is equal to the repeat count, the Firebox sends no further notifications until the time specified in the launch interval expires.

For example, you set Launch Interval to 10 minutes and Repeat Count to 4. The Firebox detects a port space probe that starts at 10:00 AM and continues each minute. The Firebox starts to generate log messages and notifications for the event.
These actions occur at these times:

• 10:00 — Initial port space probe (first event)
• 10:01 — Second event starts (first repeat count notification)
• 10:02 — Third event starts (second repeat count notification)
• 10:03 — Fourth event starts (third repeat count notification)
• 10:04 — Fifth event starts (fourth repeat count notification)
• 10:05 — Sixth event starts (no notification until the launch interval expires at 10:10)

When you select this check box, the Firebox generates an alarm log message when the specified event occurs. All alarm messages appear in the Alarms report. You can also receive notification about alarms. For more information about notification, go to About Notification.

This setting enables the Firebox to send log messages required to generate the Alarms report, even if other logging settings are disabled.

When you enable notification, you specify a notification method. This sets the alarm type in the log message, and controls how you can receive notification when the event occurs. Select one of these options:

Email

The Firebox sends an alarm log message that contains alarm_type=email.

When Dimension, WatchGuard Cloud, or a WSM Log Server receives the alarm log message, it can send an email notification to specified email addresses. For the server to send email notifications, you must configure email notification settings and email recipients in WatchGuard Cloud, Dimension, or WSM Log Server. For more information about how to configure email notification settings, go to:

• Dimension — Configure Notification Settings for Dimension
• WatchGuard Cloud — Configure Rules for Notifications
• WSM Log Server — Configure Notification Settings for the Log Server

Pop-Up Window

The Firebox sends an alarm log message that contains alarm_type=pop-up.

If you select this option, the alarm log message appears in the Alarms report, but no other alert or email notification is generated.

When you select Pop-Up Window, you can enter values for these options to limit the number of notifications in a specified period of time:

• Launch Interval — The time (in minutes) for the notification interval. This limits the notifications sent for the same event to the number specified in the repeat count for the specified period of time.
• Repeat Count — The maximum amount of notifications to send. When the number of notifications sent is equal to the repeat count, the Firebox sends no further notifications until the time specified in the launch interval expires.

For example, you set Launch Interval to 10 minutes and Repeat Count to 4. The Firebox detects a port space probe that starts at 10:00 AM and continues each minute. The Firebox starts to generate log messages and notifications for the event.

These actions occur at these times:

• 10:00 — Initial port space probe (first event)
• 10:01 — Second event starts (first repeat count notification)
• 10:02 — Third event starts (second repeat count notification)
• 10:03 — Fourth event starts (third repeat count notification)
• 10:04 — Fifth event starts (fourth repeat count notification)
• 10:05 — Sixth event starts (no notification until the launch interval expires at 10:10)

WSM Log Server no longer supports pop-up window notification. We recommend you select the default Email notification method in Fireware v12.10.4 and lower.