[logs] Checkpoint Firewall rulebase - logs

tbird at precision-guesswork.com
Mon Aug 13 08:33:33 PDT 2007


Quoting James <jimbob.coffey at gmail.com>:

> Unfortunately not (at least on NGX). -n disables hostname resolution
> but not service name resolution <sigh>. A trick I have mentioned to
> tbird is to name your services
>
> <protocol>_<port_number>
> eg tcp_80

Hi all -- Sorry for the relatively late response to this message, but
I've been travelling and doing other out-of-character things
(babysitting???).

Chris Brenton first pointed out to me the usefulness of naming
"things" in such a way to make your log management and reporting
easier, whether by embedding service names the way James describes; or
naming devices in a systematic way to simplify keeping track of what
they do.

It's really easy for us to get distracted by all the glam parsing and
sorting and reporting tools out there, so in my book it's especially
important to remember the boring, easy, and amazingly effective
"topological" mechanisms that are available.

Another example of this type of simplification: DMZ log management. In
the ideal (perhaps imaginary) tbird world, a DMZ contains a small
number of hosts running a limited number of network protocols. This
makes artificial ignorance processing dead easy: generate an alert for
anything that is *not* (for instance) SMTP, HTTP, SSL, DNS. I know
it's difficult to change network topologies in most places, but when
you're deploying new systems, try to remember to design things in ways
that make them easy to monitor and manage...

yours truly -- tbird on a soapbox

Happy Monday!
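An added example (not part of the original thread) of the DMZ "artificial ignorance" filter tbird describes, combined with James' <protocol>_<port> service naming: accepted connections whose service is not in the expected DMZ set get an alert, and so do services whose names do not follow the convention. The log lines are constructed approximations of Check Point "fw log" output, and the expected-service set is an assumption to adjust to the real DMZ design.

```python
import re

# Services a DMZ host is expected to carry, named per the <protocol>_<port>
# convention (assumed set: SMTP, HTTP, SSL, DNS; adjust to the real DMZ).
DMZ_EXPECTED_SERVICES = {"tcp_25", "tcp_80", "tcp_443", "udp_53", "tcp_53"}

# Constructed sample lines approximating Check Point "fw log" output; not real logs.
SAMPLE_LOG = """\
13Aug2007 08:01:02 accept eth0 >eth1 src: 198.51.100.7; dst: 192.0.2.10; proto: tcp; service: tcp_80;
13Aug2007 08:01:05 accept eth0 >eth1 src: 198.51.100.8; dst: 192.0.2.11; proto: tcp; service: tcp_25;
13Aug2007 08:02:11 accept eth0 >eth1 src: 198.51.100.9; dst: 192.0.2.10; proto: tcp; service: tcp_22;
13Aug2007 08:02:40 drop eth0 >eth1 src: 198.51.100.9; dst: 192.0.2.10; proto: tcp; service: tcp_3389;
13Aug2007 08:03:01 accept eth0 >eth1 src: 198.51.100.7; dst: 192.0.2.12; proto: udp; service: udp_53;
13Aug2007 08:03:30 accept eth0 >eth1 src: 198.51.100.7; dst: 192.0.2.10; proto: tcp; service: http;
"""

_HEADER = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\S+) (?P<iface>\S+) >(?P<out>\S+) (?P<rest>.*)$")
_SERVICE_NAME = re.compile(r"^(tcp|udp)_\d{1,5}$")  # the <protocol>_<port> convention

def parse_line(line):
    """Split one log line into a dict of header fields plus its 'key: value;' pairs."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: v for k, v in m.groupdict().items() if k != "rest"}
    for pair in m.group("rest").split(";"):
        if ":" in pair:
            key, _, value = pair.partition(":")
            rec[key.strip()] = value.strip()
    return rec

def artificial_ignorance(log_text, expected=DMZ_EXPECTED_SERVICES):
    """Return accepted connections whose service is not in the expected DMZ set.
    Drops are ignored (the firewall already handled them); a service not named
    <protocol>_<port> is reported too, since the convention only helps if every rule uses it."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "accept":
            continue
        service = rec.get("service", "")
        if not _SERVICE_NAME.match(service):
            rec["reason"] = "service not named <protocol>_<port>"
            alerts.append(rec)
        elif service not in expected:
            rec["reason"] = "unexpected DMZ service"
            alerts.append(rec)
    return alerts
```

Running it over SAMPLE_LOG flags the accepted tcp_22 connection and the rule still named "http"; the dropped tcp_3389 attempt is left alone.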


