
Getting the Most out of your Firewall Logs

Getting the Most out of your Firewall Logs (PDF, 2.00MB)
Published: 12 Apr, 2002
Created by Matt Willard

A good security solution has many layers or components, an approach commonly referred to as 'Defense in Depth'. Regardless of which types of security solutions are implemented, logging is critical both to ensure they are running smoothly and to keep tabs on what is happening in an environment. While it is easy to suggest that all logs should be looked at on a weekly, if not daily, basis, the amount of information commonly logged is so great, and so often in a format that is difficult to understand, that reviewing it becomes a tedious job that more often than not gets overlooked. As a result, logs are either not reviewed at all or given only a cursory review, and the most critical items are missed altogether. One security solution that nearly every organization deploys is a firewall. Once a firewall has been chosen, much time and effort is dedicated to installing it and configuring its ruleset, and a typical firewall then generates large amounts of log information. The goal of this paper is to use the logs of CheckPoint FW-1 v4.1 and provide examples of tools that automate the process of maintaining and monitoring a firewall's logs.
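To make the kind of automation the abstract describes concrete, here is an added example (not code from the paper or from Check Point) that turns a delimited firewall log export into the short summary a reviewer would actually want to read: denied connections counted by source, by service and by rule, plus a list of sources denied on several distinct services in the same window. The semicolon-delimited, header-led layout and the field names are assumptions made for this example, as is the sample data, which is constructed; a real export would need its own field mapping.

```python
"""Summarize a delimited firewall log export into a reviewable report (added example)."""
from collections import Counter, defaultdict
import csv
import io

# Constructed sample in a semicolon-delimited layout with a header row.
# The field names and their order are an assumption for this example,
# not a dump of a real FW-1 v4.1 log.
SAMPLE_EXPORT = """\
num;date;time;orig;action;proto;src;dst;service;s_port;rule
1;12Apr2002;09:00:01;fw-ext;accept;tcp;10.1.1.5;192.0.2.10;http;33512;4
2;12Apr2002;09:00:02;fw-ext;drop;tcp;198.51.100.7;192.0.2.10;telnet;4021;12
3;12Apr2002;09:00:02;fw-ext;drop;tcp;198.51.100.7;192.0.2.10;ftp;4022;12
4;12Apr2002;09:00:03;fw-ext;drop;tcp;198.51.100.7;192.0.2.10;smtp;4023;12
5;12Apr2002;09:00:03;fw-ext;drop;tcp;198.51.100.7;192.0.2.10;ssh;4024;12
6;12Apr2002;09:00:04;fw-ext;drop;udp;203.0.113.9;192.0.2.10;netbios-ns;137;12
7;12Apr2002;09:00:05;fw-ext;accept;tcp;10.1.1.6;192.0.2.10;http;33513;4
8;12Apr2002;09:00:06;fw-ext;reject;tcp;203.0.113.9;192.0.2.11;http;1040;9
"""

# Actions that mean the firewall refused the connection.
DENY_ACTIONS = {"drop", "reject"}


def parse_export(text):
    """Parse a header-led, semicolon-delimited export into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter=";")
    return [dict(row) for row in reader]


def summarize(records, scan_threshold=3):
    """Aggregate denied traffic by source, service and rule, and flag any
    source that was denied on at least `scan_threshold` distinct services."""
    denied = [r for r in records if r["action"] in DENY_ACTIONS]
    by_src = Counter(r["src"] for r in denied)
    by_service = Counter(r["service"] for r in denied)
    by_rule = Counter(r["rule"] for r in denied)
    services_per_src = defaultdict(set)
    for r in denied:
        services_per_src[r["src"]].add(r["service"])
    suspected_scans = sorted(
        src for src, svcs in services_per_src.items() if len(svcs) >= scan_threshold
    )
    return {
        "total": len(records),
        "denied": len(denied),
        "top_sources": by_src.most_common(5),
        "top_services": by_service.most_common(5),
        "rules_hit": by_rule.most_common(),
        "suspected_scans": suspected_scans,
    }


def format_report(summary):
    """Render the summary as a short plain-text report for daily review."""
    lines = [
        f"records: {summary['total']}  denied: {summary['denied']}",
        "denied by source:",
    ]
    lines += [f"  {src:<16} {n}" for src, n in summary["top_sources"]]
    lines.append("denied by service:")
    lines += [f"  {svc:<16} {n}" for svc, n in summary["top_services"]]
    lines.append("deny rules hit:")
    lines += [f"  rule {rule:<11} {n}" for rule, n in summary["rules_hit"]]
    if summary["suspected_scans"]:
        lines.append("sources denied on several services (review):")
        lines += [f"  {src}" for src in summary["suspected_scans"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(parse_export(SAMPLE_EXPORT))))
```

Run against a real export, the value is in the rule-hit counts (a deny rule that fires constantly may be mis-ordered or masking legitimate traffic) and in the per-source service spread, which reduces thousands of individual drop lines to a handful of addresses worth a closer look.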