SunScreen 3.1 Reference Manual

Packet Logging

SunScreen provides flexible logging of packets: each primary and secondary Screen keeps a log of its own traffic. The log entry for a packet is kept on the Screen that passed or rejected that packet.

You can configure a Screen to log a packet when it matches a rule or when it does not. Most often, packets that match DENY rules, and packets that are dropped because they match no rule at all, are logged. The action defined in a rule controls whether a matching packet is logged and what information about the packet is recorded.

Examining logged packets is useful when you are trying to identify the causes of problems during configuration or administration. You should also examine logs periodically for evidence of attempts to break into your network.

Each machine in a high availability (HA) cluster logs what that system passed or rejected, as well as any locally processed nonpacket events.

The active Screen in an HA cluster logs packets. The logs of the passive Screens contain only nonpacket and nonsession entries, which accumulate over time.

Logging Limitations

The following limitations apply to logging:

  1. During periods of excessive traffic through the Screen, not all packets are logged.

     This limitation occurs only in isolated instances and depends on how fast your system runs.

  2. Decrypted packets are logged, but SKIP certificate IDs are not logged.

  3. Only the active system logs packets.

     When the active HA cluster Screen fails, its logs become inaccessible, and the Screen that becomes active begins logging the packets.

Save Is Not Required With Certain Common Objects

It is not necessary to type save before quit if only authuser, adminuser, proxyuser, logmacro, or vars entities have been altered. The following is an example of the nonfatal message you see if you attempt to save when only entities of these types have changed. You can simply quit the configuration editor:

edit> save
lock not held failed (status 244)

These items are available for immediate use on the Screen where they have been defined. It is not necessary to activate the configuration after each change to a log macro in order to use it. However, to propagate log macro definitions from a primary Screen to its secondaries, you must activate the configuration.