In a profession where data and the knowledge of how to use it are critical commodities, firewall logs can provide an incredible degree of insight and information. This information helps not only with day-to-day administration and troubleshooting of the firewall, but also with forensics, incident response and containment. It is critically important that the firewall logs be reviewed on a regular and routine basis, and that they be normalized and stored for a long duration, so that the information they contain is easily deciphered and readily recoverable. Although you want to look for events that denote potential problems, you also want to look for events that are normal and routine, to develop a feel for what the normal operation and function of the firewall is. This in turn makes it much easier to identify events and situations that are abnormal and require additional investigation and response.
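The review, normalize and baseline cycle described above, as an added example that is not part of the original text: it parses constructed firewall log lines (modelled on the key=value layout of the iptables LOG target, with an assumed syslog prefix of month, day, time, host and `kernel:` followed by a rule prefix such as `FW-ACCEPT` or `FW-DROP`) into one normalized record format, counts the traffic shapes seen during a period the analyst has already reviewed as normal, and then flags events in a later window whose shape never appeared in that baseline. The interface names, addresses, prefixes and the assumed year are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime

ASSUMED_YEAR = 2024  # syslog timestamps carry no year; assumption made for this example

# Constructed sample lines (not from any real device): a reviewed, known-good window ...
BASELINE_LOG = """\
Jan 12 03:14:05 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Jan 12 03:14:06 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=80
Jan 12 03:14:07 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4444 DPT=23
Jan 12 03:14:08 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=198.51.100.53 PROTO=UDP SPT=40001 DPT=53
Jan 12 03:14:09 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4445 DPT=23
"""

# ... and a later window to review against it, including one malformed line.
NEW_LOG = """\
Jan 13 02:00:01 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=51300 DPT=443
Jan 13 02:00:02 fw1 kernel: FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.20 DST=203.0.113.77 PROTO=TCP SPT=40500 DPT=6667
Jan 13 02:00:03 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4446 DPT=23
Jan 13 02:00:04 fw1 kernel: garbage line without the expected fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"(?P<prefix>\S+) (?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")

# Map the firewall's own rule prefixes onto one normalized action vocabulary.
ACTION_BY_PREFIX = {"FW-ACCEPT": "accept", "FW-DROP": "drop"}


def parse_line(line, year=ASSUMED_YEAR):
    """Parse one raw line into a normalized record, or return None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None  # truncated line or unrelated kernel message: report it, never guess
    return {
        "time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "host": m.group("host"),
        "action": ACTION_BY_PREFIX.get(m.group("prefix"), m.group("prefix").lower()),
        "in_if": fields.get("IN") or None,    # empty OUT= on a drop becomes None
        "out_if": fields.get("OUT") or None,
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"].lower(),
        "spt": int(fields["SPT"]) if fields.get("SPT") else None,
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def parse_log(text):
    """Return (records, unparsed_lines). Lines that fail to normalize are kept
    for human review rather than silently discarded."""
    records, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            records.append(rec)
    return records, unparsed


def traffic_key(rec):
    """The shape of an event for baselining: what the firewall did, which way the
    packet was travelling (by interface pair) and which service it targeted."""
    return (rec["action"], rec["in_if"], rec["out_if"], rec["proto"], rec["dpt"])


def build_baseline(records):
    """Count each traffic shape seen during a window the analyst has reviewed and
    accepted as normal. Routine drops belong in the baseline too: they are the
    'normal noise' the text says you should learn to recognize."""
    return Counter(traffic_key(r) for r in records)


def find_anomalies(baseline, records):
    """Records whose traffic shape never appeared during the baseline window."""
    return [r for r in records if traffic_key(r) not in baseline]


def count_by_action(records):
    """Simple routine summary for the daily review: how many accepts, how many drops."""
    return Counter(r["action"] for r in records)


if __name__ == "__main__":
    base, base_bad = parse_log(BASELINE_LOG)
    new, new_bad = parse_log(NEW_LOG)
    baseline = build_baseline(base)
    print("baseline summary:", dict(count_by_action(base)))
    for rec in find_anomalies(baseline, new):
        print("not in baseline:", rec["time"], rec["action"], rec["src"],
              "->", rec["dst"], rec["proto"], rec["dpt"])
    for line in new_bad:
        print("could not normalize:", line)
```

Of the three well-formed lines in the later window, the inbound HTTPS accept and the dropped telnet probe both match shapes already in the baseline and stay quiet; the outbound TCP/6667 accept from an internal host has no baseline counterpart and is surfaced for investigation, while the malformed line is reported rather than dropped so that gaps in the normalized record are visible to the reviewer.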