28 March 2011

TMG logs and reports view of system and enterprise rule usage

If you want to see whether a specific rule is being hit by a request, you simply select the rule from the Logs and Reports edit filter screen and you will see only the traffic hitting that rule. This is very handy for troubleshooting, and also for rule maintenance as described in http://fixmyitsystem.com/2011/03/tmg-rule-maintenance-optimisastion-and.html

The problem is that in the Logs and Reports view the list of rules is filtered. So you cannot select rules that belong to the following policies:

  • System
  • Enterprise

You can, however, still specify these rules manually and see the results for them.

When you add a "Rule equals" condition to the filter, you can type in the name of the rule by hand instead of picking it from the list.

To get the exact name of the rule you will have to show them in the Firewall Policy screen. From the Task pane click on Show System Policy Rules, and if your array is part of an enterprise you can also click on Show Enterprise Policy Rules.

This will now show all the rules. Double-click the rule and copy the rule name (some are long, really long). When typing it into the filter, remember to prefix it with [System] or [Enterprise], since that is how the log records these rules.

It would have been nice if the log filter could detect if you were showing the additional rules and list them for selection too.  But alas it does not.

There is another way of analysing the usage of these rules, which is more suited to reporting purposes: use WebSpy to analyse your logs. You will need to import the Firewall logs and not just the Web Proxy logs. Some of these rules will show up in the proxy logs, but not all of them, since they are used by the firewall component. When you then run an analysis you can list and filter on the rule names, and this list includes the System and Enterprise rules by default.

Either way, you can finally track where the traffic is going when it is affected or picked up by an Enterprise or System rule that you might not have expected.
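If you would rather not wait for a reporting tool, the same tally can be pulled from the firewall log files themselves. The script below is an added example written for this post; it is not code from the original article or from Microsoft. It assumes the firewall log has been exported as a tab-delimited W3C text log whose "#Fields:" header names a "rule" column (the other column names in the constructed sample are assumptions and only need to match the header of your own export). Because the rule field contains spaces, the parser splits data lines on tabs, not on whitespace, and it keeps the [System] and [Enterprise] prefixes, which is exactly why a "Rule equals" filter without the prefix matches nothing.

```python
"""Tally firewall-log hits per TMG rule, including [System] and [Enterprise] rules."""
from collections import Counter

# Constructed sample log (not a real TMG export). W3C extended log format, with
# tab-delimited data lines and a "#Fields:" directive naming the columns.
# The field names are assumptions; only the "rule" column is used below.
_FIELDS = ["date", "time", "client-ip", "destination-ip", "protocol", "action", "rule"]
_ROWS = [
    ["2011-03-28", "09:00:01", "10.0.0.5", "10.0.0.1", "DNS", "Allowed",
     "[System] Allow DNS from the firewall to selected servers"],
    ["2011-03-28", "09:00:02", "10.0.0.7", "203.0.113.10", "HTTP", "Allowed",
     "Allow Web Access"],
    ["2011-03-28", "09:00:03", "10.0.0.9", "10.0.0.2", "LDAP", "Allowed",
     "[Enterprise] Allow LDAP to domain controllers"],
    ["2011-03-28", "09:00:04", "10.0.0.7", "203.0.113.10", "HTTP", "Allowed",
     "Allow Web Access"],
    ["2011-03-28", "09:00:05", "10.0.0.11", "10.0.0.1", "DNS", "Allowed",
     "[System] Allow DNS from the firewall to selected servers"],
]
SAMPLE_LOG = "\n".join(
    ["#Software: Microsoft Forefront TMG (constructed sample)",
     "#Fields: " + "\t".join(_FIELDS)]
    + ["\t".join(row) for row in _ROWS]
) + "\n"


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            # Header names may be tab- or space-separated; either way they hold no spaces.
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software or #Date
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split("\t")  # rule names contain spaces, so never split on whitespace
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def policy_of(rule_name):
    """Classify a rule by the prefix the log uses for non-array policies."""
    if rule_name.startswith("[System] "):
        return "System"
    if rule_name.startswith("[Enterprise] "):
        return "Enterprise"
    return "Array"


def filter_by_rule(records, rule_name):
    """Same semantics as the 'Rule equals' log filter: exact match, prefix included."""
    return [r for r in records if r["rule"] == rule_name]


def rule_hits(records):
    """Hit count per rule name, prefixes kept so System/Enterprise rules stay distinct."""
    return Counter(r["rule"] for r in records)


def hits_by_policy(records):
    """Hit count per policy tier (System, Enterprise, Array)."""
    return Counter(policy_of(r["rule"]) for r in records)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for rule, n in rule_hits(recs).most_common():
        print(f"{n:4d}  {policy_of(rule):10s} {rule}")
    print(dict(hits_by_policy(recs)))
```

Point the script at a real export by replacing SAMPLE_LOG with the file contents; the only requirement is that the header actually declares a "rule" column, so check the "#Fields:" line of your export first.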
