Packet Filter Logfile - RULE Field?

Packet Filter Logfile - RULE Field? - 5.Nov.2004 11:58:00 AM   
Andrew Terry

 

Posts: 19
Joined: 21.Oct.2004
Status: offline
When I'm viewing my packet filter log file, all I see in the "Rule" field is the word "BLOCKED" (I'm not logging allowed packets, by the way).

Have I misunderstood what this field is for? I would have expected to see a rule number, or a description....

Do I have to go back through my rules, and see what ports they're blocking, and then marry that up with the source/destination ports shown in the log file?

Cheers

Andrew
Post #: 1
RE: Packet Filter Logfile - RULE Field? - 6.Nov.2004 1:56:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andrew,

that's by design! [Razz]

You should take a look into the Web Proxy and Firewall logs too. There you'll find more detailed info about which rule denied the request.

HTH,
Stefaan

(in reply to Andrew Terry)
Post #: 2
RE: Packet Filter Logfile - RULE Field? - 8.Nov.2004 6:33:00 PM   
Andrew Terry

 

Posts: 19
Joined: 21.Oct.2004
Status: offline
Hi Stefaan

I did wonder about that... so I searched through the web and firewall logs for the "offending" IP; and even the date/time combination but couldn't find a match, so I'm still not able to tie down which rule has been broken...

I must be missing something... do you have any suggestions?

Cheers

Andrew

(in reply to Andrew Terry)
Post #: 3
RE: Packet Filter Logfile - RULE Field? - 11.Nov.2004 10:45:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andrew,

first of all, I strongly recommend enabling the logging of all fields. Also, check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000067 .

To better understand what is logged, check out the section called 'Firewall and Web Proxy log fields' in the ISA help file. Additional information can be found in the following articles:
- http://support.microsoft.com/default.aspx?scid=kb;en-us;284818
- http://support.microsoft.com/default.aspx?scid=kb;en-us;193625
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/windows_sockets_error_codes_2.asp

Of course, keep in mind that if it is inbound packets that are blocked, you will not find a corresponding entry in the Firewall and Web Proxy log.

HTH,
Stefaan

(in reply to Andrew Terry)
Post #: 4
RE: Packet Filter Logfile - RULE Field? - 12.Nov.2004 11:59:00 AM   
Andrew Terry

 

Posts: 19
Joined: 21.Oct.2004
Status: offline
Hi Stefaan

Great advice - as ever - and, thanks for those links.

I guess it's a frustration of ISA2K that the inbound packet logs aren't specific about which rule has been invoked when a packet is blocked...

Cheers

Andrew

(in reply to Andrew Terry)
Post #: 5
RE: Packet Filter Logfile - RULE Field? - 12.Nov.2004 11:43:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Andrew,

well that's by design! [Big Grin]

However, the good news is that ISA 2004 has 'integrated' and excellent logging! [Cool]

HTH,
Stefaan

(in reply to Andrew Terry)
Post #: 6
