When configuring your firewall, you should always specify the IP address of the logging host. You can also specify a minimum severity level. You can use the IP address of a VLAN interface or the IP address of a DHCP server as the source IP address. Whether you want to use a static or dynamic IP address will depend on your needs and the environment where you are deploying your firewall.
Configuring a logging host
Configuring a logging host IP address is an important part of the logging process. This step enforces the logging process and prevents logs from other hosts from being viewed. The logging host IP address is designated for the syslog server. A syslog server is not a remote host, but rather a server where system logging messages are stored.
In order to configure a logging host IP address, you need to determine which devices will send logs to the log host. You can use nslookup to find the IP address of the device that is sending logs. The 192.168.0.1 log host can then retrieve the messages from that device.
Specifying a minimum severity level
Specifying a minimum severity level for an IP address is one way to ensure that your messages are routed to the right destination. By default, messages are routed to a user terminal, but you can specify another destination in the same command. The severity level specifies the severity of the triggering event. For example, if your IP address is pinging an external network, you should specify the severity level of the ping.
The severity level controls which messages are logged. The severity levels listed are emergency, info, and warning. Each severity level has associated types of messages. Messages from level 0 through 5 are classified as informational. The default severity level is warning.
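The following is an added example, not code from the original article or from any firewall vendor. It shows how a log host can apply both ideas above: accept messages only from the devices you identified as senders, and keep only messages at or above a minimum severity. It assumes the standard syslog priority header (PRI = facility * 8 + severity, with severity names and numbers as defined in RFC 5424); the addresses and messages are constructed samples.

```python
import re

# Severity names indexed by numeric code per RFC 5424 (0 is the most severe).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line):
    """Return (facility, severity, rest), or None if the PRI header is invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # highest valid PRI is facility 23 * 8 + severity 7
        return None
    return pri >> 3, pri & 7, m.group(2)

def filter_logs(datagrams, allowed_sources, min_severity="warning"):
    """Split (source_ip, raw_message) pairs into kept and rejected lists."""
    threshold = SEVERITIES.index(min_severity)
    kept, rejected = [], []
    for src, raw in datagrams:
        parsed = parse_pri(raw)
        if src not in allowed_sources:
            rejected.append((src, "unknown sender"))
        elif parsed is None:
            rejected.append((src, "malformed PRI"))
        elif parsed[1] > threshold:  # a larger number means a less severe event
            rejected.append((src, "below minimum severity"))
        else:
            kept.append((src, SEVERITIES[parsed[1]], parsed[2].strip()))
    return kept, rejected

# Constructed sample input using documentation address ranges.
SAMPLE = [
    ("192.0.2.10", "<164>fw01: Deny tcp src outside:198.51.100.7/4431"),  # warning
    ("192.0.2.10", "<166>fw01: Built outbound connection"),               # info
    ("192.0.2.99", "<160>fw01: message from a host not on the list"),     # emergency
    ("192.0.2.10", "<999>not a valid priority value"),
]

if __name__ == "__main__":
    kept, rejected = filter_logs(SAMPLE, {"192.0.2.10"})
    print(kept, rejected, sep="\n")
```

Syslog over UDP does not authenticate the sender address, so the allowlist here is a filter on what the log host stores, not proof of where a message came from.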
Using a VLAN interface as a source IP address
If you are using VLAN interfaces as source IP addresses, make sure to enable anti-spoofing protections for them. This prevents attackers from spoofing addresses by arriving on the wrong interface. Also, make sure to monitor for URPF (unicast reverse path forwarding) events, which can cause packets to arrive on the wrong interface and thus spoof the trust level.
Using a VLAN interface as the logging source requires configuration. First, you must create a VLAN. A VLAN is a virtual network within a physical network. It allows you to plug in multiple devices to the same physical network.
Using a DHCP server as a source IP address
Using a DHCP server as an IP address source for logging enables administrators to view and log information about IP addresses assigned to client machines. This log information can be helpful for routine maintenance and fault location. For example, the DHCP server’s logging feature can track IP address leases for devices in various address pools, allowing administrators to quickly locate a problem and resolve it.
DHCP servers provide IP addresses to clients via a broadcast message, using a protocol called Dynamic Host Configuration Protocol (DHCP). DHCP servers also assign network parameters to client devices, such as subnet masks, IP addresses, and default gateways. Each client can use all the network parameters it receives from a DHCP server.