Logging & Monitoring of ACL rules
After couple attempts at truly isolating my VLANs resulted in locking myself out of my network, I'm looking into giving it another shot.
Troubleshooting such failures is limited to disabling deny rules.
I don't even know how reliable that is because the time it takes for rule changes to be picked up is not clear.
I expecting to find some setting allow me to log which rules fired (especially deny rules).
I didn't find anything like this in the Controller interface.
While looking for something else, I stumbled on this in the Controller User Guide REV 5.12, specifically in the Gateway ACL section:
My OC200 features Controller Version: 5.13.30.20. The Help Center mentions the same capability.
Yet the Log option is still nowhere to be found in the actual screen.
Just in case the remote logging is a pre-requisite, I tipped up a syslog server on my media center and pointed my OC to it (on that note, it'd be nice to know whether devices where going to use UDP or TCP for syslog). I verified it worked by logging off and back on.
No changes in the Gateway ACL screen though... Still no Log option.
Is my gateway (ER605 v1 with FW 1.3.1) not supporting this feature? Is this the reason why I don't see this option?
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
EricPerl wrote
After couple attempts at truly isolating my VLANs resulted in locking myself out of my network, I'm looking into giving it another shot.
Troubleshooting such failures is limited to disabling deny rules.
I don't even know how reliable that is because the time it takes for rule changes to be picked up is not clear.
I expecting to find some setting allow me to log which rules fired (especially deny rules).
I didn't find anything like this in the Controller interface.
While looking for something else, I stumbled on this in the Controller User Guide REV 5.12, specifically in the Gateway ACL section:
My OC200 features Controller Version: 5.13.30.20. The Help Center mentions the same capability.
Yet the Log option is still nowhere to be found in the actual screen.
Just in case the remote logging is a pre-requisite, I tipped up a syslog server on my media center and pointed my OC to it (on that note, it'd be nice to know whether devices where going to use UDP or TCP for syslog). I verified it worked by logging off and back on.
No changes in the Gateway ACL screen though... Still no Log option.
Is my gateway (ER605 v1 with FW 1.3.1) not supporting this feature? Is this the reason why I don't see this option?
Hi @EricPerl
You need to enable the remote logging function if you want to use this function. But the Remote Logging is only available on the MSP mode. In MSP View, go to Settings > MSP Settings, and go to Services, enable Remote Logging,
Or may I know more details about your request? For example, what is your network topology and what kind of scenario you would like to achieve?
- Copy Link
- Report Inappropriate Content
Hi @Hank21 ,
I'm even more confused now.
On my OC200 V2 with Controller Version 5.13.30.20, I found couple places where I could enable Remote Logging.
The first one was in the Controller Settings in Global View (Services frame).
The second one was in Site Settings for my only site (Services frames as well).
The pic I pasted in my original post is from the Gateway ACL section (page 104), nowhere near the MSP stuff.
[Edit: The Help Center for Settings->Site Settings-> Network Security->ACL->Gateway ACL has this bit too
]
My OC200 does not expose that MSP option and that seems quite involved anyway...
My topology is quite simple.
I have the following devices (indentation represents what's plugged into what):
ER605 V1
TL-SG2008P V1
OC200 V1
TL-SG2008 V3
EAP245 V3
I'm fairly constrained on the physical wired network by the wiring of my house (every room wired to a comm panel).
I have all devices near the comm panel, apart from the second switch that's in a room with a bunch of equipment (printer, PC, media & gaming stuff).
I have another with multiple devices but they all fit in the same category so an dumb switch is fine there.
My goal is to achieve some form of isolation between clients of various trustworthiness (Network, Productivity, Alarm, Fun, IoT).
Since my physical topology doesn't allow clean isolation, I'm doing it using VLANs.
The VLAN setup was easy enough, but given the built-in inter-VLAN routing, that only buys me a hurdle to discovery (and maybe some perf).
So I played with ACLs once and got burned. I'm giving it another go.
The absence of logging makes things more difficult.
- If I make a mistake while setting up my ACLs, logging would help pointing me at the offending rule while I test main use cases.
- I might have a device on my network that's hacked, e.g. an IoT device trying to access my PCs, and while an ACL might protect me, I have almost no way to discover the compromise and repair or discard the hacked device.
- I also fear there's some use case that's not core and that I won't verify right away could be broken. A log entry might alert me preemptively (hmm, this client is trying to communicate to that client, maybe that's legit and I can do some additional research).
- Copy Link
- Report Inappropriate Content
Hi @EricPerl
The ACL entry effective log will request you to enable the remote logging in MSP mode. However, currently the hardware controller cannot support MSP mode.
I will forward your request to the developer department and see whether this kind of log will be added in the future.
- Copy Link
- Report Inappropriate Content
Hi @Hank21,
So maybe put another way, the Controller UX to enable logging of ACL rules only exists for MSPs (to help their customers).
I assume/hope the devices doing the actual logging are not aware of such distinction. In other words, if logging is enabled, they'd just log.
That would make for a UX only fix...
I want this for my home use. I can't believe small/medium business customers would not require this.
There's an amount of flying blind currently that I'm not really comfortable with...
Note that most existing log entries from the "Attack Defense" category are lacking critical information to be actionable.
In my experience, only one kind of log entry has source information (the large ping attack).
All the others I see don't have any information!
Maybe that should be a separate post entirely.
Anyway, looking forward to good news on this thread for now.
- Copy Link
- Report Inappropriate Content
Any update on this ? was exploring the ACL then found this in the help options, i want to check if my ACL is running as it should be, this can be very helpful on troubleshooting the ACLs.
- Copy Link
- Report Inappropriate Content
@Jeesoon1 , nope. And I don't have high hopes my ER605 v1 would benefit from this fix.
The entire attack defense reporting is so lame that I'm about to experiment with OpnSense in bridge mode. It's supposedly completely transparent to the rest of the network...
- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 898
Replies: 6
Voters 0
No one has voted for it yet.