Check Point NG: Next Generation Security Administration

Chapter 9: Tracking and Alerts

Introduction

One important part of firewall security is being aware of what traffic is going through your firewall: if you are under attack, knowing about it lets you react appropriately. Check Point VPN-1/FireWall-1 provides you with the ability to set up alerts based on certain criteria, and you can add some of these alerts directly into your rule base under the Track column in your Security Policy Editor. You can even decide what action to take when a certain alert is raised.

For example, you could put an alert command in the Track column of your Drop All rule and configure it to page you if that rule matches 20 drops within five minutes. You would have to be careful to filter out noisy services such as NetBIOS (nbname, nbsession, and nbdatagram); otherwise you may get paged every five minutes. Set up carefully, however, an alarm like this can help you detect port scans against your network.
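As an added illustration (not code from the book or from Check Point), the threshold logic just described, "20 drops within five minutes, ignoring the NetBIOS noise services", written as detection logic over a constructed, simplified log format; the line layout, the scanning host and the service names are assumptions, not FireWall-1's real log format.

```python
import datetime as dt
from collections import deque

# Services whose dropped packets are routine LAN broadcast noise (the NetBIOS
# trio the chapter warns about); they must not count toward paging.
NOISY_SERVICES = {"nbname", "nbsession", "nbdatagram"}

# Paging threshold from the chapter: 20 drops within a five-minute window.
DROP_THRESHOLD = 20
WINDOW = dt.timedelta(minutes=5)

def parse_line(line):
    """Parse one constructed log line: 'YYYY-MM-DDTHH:MM:SS action service src dst'."""
    ts, action, service, src, dst = line.split()
    return dt.datetime.fromisoformat(ts), action, service, src, dst

def first_alert(lines):
    """Return (alert_time, count) for the first sliding 5-minute window that
    holds >= DROP_THRESHOLD non-noise drops, or None if the rule never fires.
    Lines are expected in time order."""
    window = deque()  # timestamps of counted drops inside the current window
    for line in lines:
        ts, action, service, _, _ = parse_line(line)
        if action != "drop" or service in NOISY_SERVICES:
            continue
        window.append(ts)
        while ts - window[0] > WINDOW:  # expire drops older than five minutes
            window.popleft()
        if len(window) >= DROP_THRESHOLD:
            return ts, len(window)
    return None

def build_sample_log():
    """Constructed sample: nbname broadcast drops every 10 s (noise that alone
    would exceed 20 in five minutes) interleaved with a scan from one host that
    hits 20 distinct services in under three minutes."""
    base = dt.datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(25):
        t = base + dt.timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} drop nbname 10.0.0.{i % 5 + 1} 10.0.0.255")
    for i in range(20):
        t = base + dt.timedelta(seconds=9 * i)
        lines.append(f"{t.isoformat()} drop tcp-{1000 + i} 203.0.113.7 10.0.0.10")
    lines.sort()  # ISO timestamps sort chronologically as strings
    return lines

if __name__ == "__main__":
    print(first_alert(build_sample_log()))  # the scan pages; the nbname noise alone does not
```

Feeding the same log with the NetBIOS filter removed would page on the broadcast noise alone, which is exactly the false-alarm case the paragraph warns about.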

VPN-1/FireWall-1 NG comes with a Check Point Malicious Activity Detection system, CPMAD for short. This system is enabled when you install the software, and has a basic set of configuration options. We will discuss the configuration files and show you how to modify alert commands in this chapter.

Alerts Commands

Your main day-to-day interaction with the firewall will be the handling of alerts that it generates. These alerts are generated by the rules you have configured, and are also customizable. Using the Policy Editor GUI, you can customize the various alert types.
