General Report Settings for ScreenOS Devices Overview
The Report Settings screens contain reporting options that you can set for the device. In the Device dialog box, open the Report Settings heading to see the configuration options.
For information about configuring reporting settings, see General Report Settings for ScreenOS Devices Overview.
For more information about reporting concepts for the security devices, see the “Administration” volume in the Concepts & Examples ScreenOS Reference Guide.
Use the General Report settings to configure the severity levels of the messages you want to log and where you want those messages sent. As of ScreenOS 6.3, there are about nine destinations for log messages. You can enable or disable the option to include serial numbers in log messages. Each system event on a security device is assigned a level of severity. By default, packets that are dropped on the security device are logged to the self log. In the Firewall Options, you can disable or enable logging of dropped packets for specific traffic types, including ICMP, IKE, SNMP, and multicast packets.
You can also use this tab to set thresholds determining how many packets of a particular type the packet process unit (PPU) sends to the CPU per second, before dropping subsequent packets of that type. The PPU is a hardware processor in some security device systems that forwards packets to the flow CPU. Enabling PPU packet drop thresholds adds an extra layer of DoS-attack protection to the device, similar to SYN-cookie and SYN-proxy. PPU protection prevents DoS attacks from overwhelming the flow CPU, keeping the CPU responsive to critical tasks even under heavy traffic. PPU protection processes three categories of traffic: packets that do not use the IP protocol; packets carrying contents other than TCP or UDP; and system-critical IP packets, including BGP, OSPF, RIP, SNMP, system management, SIP, and H323 traffic. Table 1 describes the general report settings.
Table 1: General Report Settings
Email Notification Settings
Configures a device to send messages using e-mail whenever a system event of Emergency, Alert, Critical, or Notification severity level occurs. To configure e-mail notification, you must specify the SMTP mail server and at least one e-mail address; if desired, you can enter a secondary e-mail address as well.
Configures a device to report specified events to NSM. You configure the primary IP address of the NSM Device Server and select the categories of events that are tracked on the security device and reported to NSM. You can also set the interval at which the NSM device server polls for policy statistics and protocol distribution events.
Configures the Simple Network Management Protocol (SNMP) agent for a device. The SNMP agent provides a view of statistical data about the network, the devices in it, and system events of interest.
You also must enable SNMP manageability on the interface through which the applicable SNMP manager communicates with the SNMP agent in the security device.
Configures a device to generate syslog messages for system events at predefined severity levels. It also generates messages for all event and traffic log entries that the security device can store internally. It sends these messages over UDP (port 514) to up to four designated syslog hosts running on UNIX/Linux systems. When you enable syslog reporting, you also specify which interface the security devices use to send syslog packets.
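The PPU packet drop thresholds described earlier can be pictured with a small model. This is an added example, not ScreenOS code: the category labels follow the three traffic categories named above, while the threshold numbers, the fixed one-second counting window, and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed thresholds: packets per second forwarded to the flow CPU.
# Category labels follow the page; the numbers are illustrative assumptions.
THRESHOLDS = {"non_ip": 100, "ip_other": 200, "system_critical": 500}


def apply_thresholds(packets, thresholds=THRESHOLDS):
    """Model a per-second, per-category drop threshold.

    packets: iterable of (timestamp_seconds, category) tuples.
    Returns {category: {"forwarded": n, "dropped": n}}.
    Assumes each second is counted as a separate fixed window.
    """
    seen = defaultdict(int)  # (second, category) -> packets seen so far
    stats = {c: {"forwarded": 0, "dropped": 0} for c in thresholds}
    for ts, category in packets:
        if category not in thresholds:
            raise ValueError(f"unknown category: {category}")
        key = (int(ts), category)
        seen[key] += 1
        # Forward up to the threshold, drop the rest of that type
        # until the next one-second window starts.
        if seen[key] <= thresholds[category]:
            stats[category]["forwarded"] += 1
        else:
            stats[category]["dropped"] += 1
    return stats


def cpu_packets(stats):
    """Total packets that reach the flow CPU after thresholding."""
    return sum(s["forwarded"] for s in stats.values())


def constructed_flood():
    """Constructed input: 5000 non-IP packets in second 0, interleaved
    with 300 routing/management packets in the same second."""
    flood = [(i / 5000, "non_ip") for i in range(5000)]
    critical = [(i / 300, "system_critical") for i in range(300)]
    return sorted(flood + critical)


if __name__ == "__main__":
    result = apply_thresholds(constructed_flood())
    for category, counts in result.items():
        print(category, counts)
    print("packets reaching CPU:", cpu_packets(result), "of 5300")
```

In this model the flood is capped at its own category's threshold, so the system-critical packets arriving in the same second are all forwarded and the CPU sees 400 packets instead of 5300.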