
DOCUMENT INFORMATION

Basic information

Title: Monitoring and Reporting
Authors and contributors: Victoria Fodale (Azwrite LLC), Joern Wettern (Independent Contractor), Robert Deupree Jr., Greg Bulette, Paul Howard, Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner, Andrea Heuston (Artitudes Layout & Design), Lynette Skinner, Stephanie Edmundson, Kristin Elko (S&T Consulting), Miracle Davis, Jenny Boe, Julie Challenger, Lori Walker (S&T Consulting), Peter Hendry, Greg Stemp (S&T OnSite), David Mahlmann, Julie Challenger, Laura King, Kathy Hershey, John Williams, Bo Galford, David Bramble, Teresa Canady, Dean Murray, Robert Stewart
Institution: Microsoft Corporation
Field: Information Technology
Type: Module
Year of publication: 2001
City: Redmond
Format: pdf
Pages: 50
Size: 1.02 MB


Module 8: Monitoring and Reporting

Contents

Overview 1
Planning a Monitoring and Reporting Strategy
Monitoring Intrusion Detection 3
Monitoring ISA Server Activity 14
Analyzing ISA Server Activity by Using Reports
Monitoring Real-Time Activity 27
Testing the ISA Server Configuration 32
Lab A: Monitoring and Reporting 34
Review 41

…to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructional Designer: Victoria Fodale (Azwrite LLC)
Technical Lead: Joern Wettern (Independent Contractor)
Program Manager: Robert Deupree Jr.
Product Manager: Greg Bulette
Lead Product Manager, Web Infrastructure Training Team: Paul Howard
Technical Contributors: Ronald Beekelaar, Adina Hagege, Eran Harel, John Lamb, Lucian Lui, Ron Mondri, Thomas W. Shinder, Bill Stiles (Applied Technology Services), Kent Tegels, Oren Trutner
Graphic Artist: Andrea Heuston (Artitudes Layout & Design)
Editing Manager: Lynette Skinner
Editor: Stephanie Edmundson
Copy Editor: Kristin Elko (S&T Consulting)
Production Manager: Miracle Davis
Production Coordinator: Jenny Boe
Production Tools Specialist: Julie Challenger
Production Support: Lori Walker (S&T Consulting)
Test Manager: Peter Hendry
Courseware Testing: Greg Stemp (S&T OnSite)
Creative Director, Media/Sim Services: David Mahlmann
CD Build Specialist: Julie Challenger
Manufacturing Support: Laura King; Kathy Hershey
Operations Coordinator: John Williams
Lead Product Manager, Release Management: Bo Galford
Group Manager, Business Operations: David Bramble
Group Manager, Technical Services: Teresa Canady
Group Product Manager, Content Development: Dean Murray
General Manager: Robert Stewart

Instructor Notes

This module provides students with the knowledge and skills to monitor Microsoft® Internet Security and Acceleration (ISA) Server 2000 activities by using alerts, logging, reporting, and real-time monitoring.

After completing this module, students will be able to:

• Plan a strategy for monitoring and reporting ISA Server activities.
• Configure alerts to monitor intrusion detection.
• Configure logging to monitor ISA Server activity.
• Use reports to analyze ISA Server activity.
• Monitor ISA Server computer activity.
• Test the ISA Server configuration.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the following materials:

• Microsoft PowerPoint® file 2159A_08.ppt
• The file C:\MOC\2159a\Labfiles\Lab09\portscan.cmd

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.
• Complete the lab.
• Study the review questions and prepare alternative answers to discuss.
• Anticipate questions that students may ask. Write out the questions and provide the answers.
• Read “Configure Monitoring and Reporting,” “Monitoring and Reporting,” “Event Messages,” and “Performance Counters” in ISA Server Help.
• Read Module 8, “Monitoring and Optimizing Performance in Windows 2000,” in Course 2152B, Implementing Microsoft Windows® 2000 Professional and Server.
• Review the \sdk\bin\isasdk.chm file on the ISA Server compact disc.

Presentation: 45 Minutes
Lab: 30 Minutes

Instructor Setup for Lab

Lab A: Monitoring and Reporting

1. Open a command prompt window.
2. At the command prompt, type cd C:\MOC\2159a\Labfiles\Lab8
3. When a student asks you during the lab to perform a simulated port scan attack, type portscan ip_address (where ip_address is the IP address of the student’s ISA Server computer on the classroom network), and then press ENTER.

Module Strategy

Use the following strategy to present this module:

• Planning a Monitoring and Reporting Strategy. Begin the module by describing the guidelines to consider when planning a monitoring and reporting strategy.
• Monitoring Intrusion Detection. When describing the different types of network intrusion, do not explain each attack in detail, but use one or two of them as examples. Emphasize that although ISA Server generates events when an intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so. Do not cover all of the ISA Server events in detail. Instead, refer students to ISA Server Help for more information about specific events.
• Monitoring ISA Server Activity. Explain that logging to a database can centralize ISA Server logs and secure the log data. Emphasize that logging both allowed packets and blocked packets can cause a considerable load on the server and that you should enable logging for allowed packets for diagnostic purposes only.
• Analyzing ISA Server Activity by Using Reports. Explain that ISA Server reports require summaries of saved logs and that you can create an ISA Server report only after ISA Server has created at least one daily summary. Emphasize that if a server belongs to a multi-server array, the administrator generating the reports must have the appropriate permissions on each ISA Server computer in the array. Briefly display an example of each report format to illustrate the contents of the reports.
• Monitoring Real-Time Activity. Explain that the ISA Server real-time monitoring feature enables you to centrally monitor ISA Server computer activity, including the current sessions. Point out the ISA Server Performance Monitor on the Microsoft ISA Server menu.
• Testing the ISA Server Configuration. Explain that after configuring ISA Server, it is recommended that you test your configuration to ensure that ISA Server correctly enforces the security settings. Explain that you can use a third-party intrusion detection system or the applications that are included with Windows 2000 to test the ISA Server configuration.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.

…of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Install the Firewall Client manually.

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Configure the default gateway manually.

Setup Requirement 5

The lab in this module requires that Microsoft Internet Explorer be configured on all student computers to use the ISA Server computer as a Web Proxy server. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 2, “Installing and Maintaining ISA Server,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Create the rule manually.

Setup Requirement 8

The lab in this module requires that packet filtering be enabled on the ISA Server computer. To prepare student computers to meet this requirement, perform one of the following actions:

• Complete Module 6, “Configuring the Firewall,” in Course 2159A, Deploying and Managing Microsoft Internet Security and Acceleration Server 2000.
• Enable packet filtering manually.

Lab Results

Performing the lab in this module introduces the following configuration changes:

• Intrusion detection is enabled.
• Alerts are configured for port scanning.
• Reports are created.
• The ISA Server computer is published as a Network News Transfer Protocol (NNTP) server.
• The ISA Server client computer is published as a Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) server.

Overview

• Planning a Monitoring and Reporting Strategy
• Monitoring Intrusion Detection
• Monitoring ISA Server Activity
• Analyzing ISA Server Activity by Using Reports
• Monitoring Real-Time Activity
• Testing the ISA Server Configuration

Without a monitoring and reporting strategy in place for a Microsoft® Internet Security and Acceleration (ISA) Server 2000 computer, network administrators may be unaware of important events or trends, be confronted with a profusion of false alerts, or configure logs and reports that do not monitor the appropriate activities. By using alerts, logs, reports, and real-time monitoring effectively, network administrators can better manage the activities that can compromise the security or the performance of an ISA Server computer. In addition, network administrators can use specialized assessment tools to monitor network security.

After completing this module, you will be able to:

• Plan a strategy for monitoring and reporting ISA Server activities.
• Configure alerts to monitor intrusion detection.
• Configure logging to monitor ISA Server activity.
• Use reports to analyze ISA Server activity.
• Monitor ISA Server computer activity.
• Test the ISA Server configuration.

Lead-in: In this module, you will learn about monitoring ISA Server activities by using alerts, logging, reporting, and real-time monitoring.

Planning a Monitoring and Reporting Strategy

Consider the following guidelines when you plan a monitoring and reporting strategy:

• Categorize the information that you need to collect, including the following items:
  • Real-time alerts
  • Trends of performance
  • Trends of security-related events
• Determine the information that is the most critical, and then:
  • Configure real-time alerting for only the most critical issues.
  • Review the logs frequently for events that may signal serious issues and that may require prompt, but not immediate, attention.
  • Review all of the logs for important trends. Ensure that your summary reports capture the information that is the most important to you.
• Document your strategy.
• Create a strategy for how to respond to critical events, such as:
  • Network security breaches
  • Denial-of-service attacks
  • Unusual usage patterns
• Create a schedule for regular review of the logs.
• Design a plan for archiving the logs.
  • You can use archived logs to discover trends, to investigate the source of future alerts, or for legal purposes.

Topic Objective: To describe guidelines to consider when planning a monitoring and reporting strategy.
Lead-in: Consider the following guidelines when you plan a monitoring and reporting strategy.

Monitoring Intrusion Detection

• IP Packet–Level Attacks
• Application–Level Attacks
• Configuring Intrusion Detection
• ISA Server Events
• Configuring Alerts
• Configuring Advanced Alert Properties

ISA Server includes an integrated intrusion detection system. You can set an alert to trigger when the intrusion detection system detects an attack or a specific system event. ISA Server can implement intrusion detection at both the Internet Protocol (IP) packet level and the application level.

You can also configure actions for the system to perform when the intrusion detection system detects an attack on a computer in your network. These actions can include sending an e-mail message or a page to the administrator, stopping the Microsoft Firewall service, writing to the system event log, or running a program or script.

Although alerts are an important tool for monitoring intrusion attempts, you can also use the alerting capabilities of ISA Server as part of a more comprehensive monitoring strategy. For example, you can configure alerts so that ISA Server notifies you when an ISA Server service shuts down unexpectedly.

Important: Remind students that although this course presents alerting in the context of intrusion detection, students can also use alerting for other purposes.

IP Packet–Level Attacks

• All Ports Scan Attack
• IP Half Scan Attack
• Land Attack
• Ping of Death Attack
• UDP Bomb Attack
• Windows Out-of-Band Attack

At the IP packet level, ISA Server can detect the following attacks:

• All ports scan attack. Occurs when an intruder attempts to gain access to more than the preconfigured number of ports. The administrator specifies a threshold for ports, which then determines the number of ports that are available for access. Intruders use port scanning to find open ports on a computer. Open ports represent entry points into a computer, and an attacker may subsequently attempt attacks through one or more of these ports.
• IP half scan attack. Occurs when an intruder makes repeated attempts to connect to a destination computer and the TCP packets contain certain flags. This action can indicate that an attacker is probing for open ports while evading logging by the system.
• Land attack. Occurs when an intruder establishes a Transmission Control Protocol (TCP) connection with a spoofed source IP address and port number that matches a destination IP address and port number. Spoofing refers to tricking a computer into providing information that allows unauthorized access, by using a false IP address. A land attack can cause computers that are running certain TCP implementations to stop responding, which denies service to legitimate users.
• Ping of death attack. Occurs when an intruder adds a large amount of data to an Internet Control Message Protocol (ICMP) echo request packet. This attack can cause computers that are running certain TCP implementations to stop responding, which denies service to legitimate users.

Topic Objective: To describe the types of attacks that ISA Server can detect at the IP packet level.
Lead-in: At the IP packet level, ISA Server can detect the following attacks.
Delivery Tip: Point out that all attacks at the IP packet level attempt intrusion by using a single IP packet or a connection sequence. Do not explain each attack in detail, but use one or two of them as examples.

• UDP bomb attack. Occurs when an intruder attempts to send an illegal User Datagram Protocol (UDP) packet. A UDP packet that is constructed with illegal values in certain fields will cause computers that are running some older operating systems to crash when the packet is received.
• Windows out-of-band attack. Occurs when an intruder attempts an out-of-band, denial-of-service attack against a computer that is protected by ISA Server. A denial-of-service attack is an attempt to disable a computer or network. This attack can cause the computer to stop responding or to lose network connectivity.

Application–Level Attacks

• DNS Hostname Overflow
• DNS Length Overflow
• DNS Zone Transfer from Privileged Ports (1–1024)
• DNS Zone Transfer from High Ports (Above 1024)
• POP Buffer Overflow

At the application level, ISA Server can detect the following attacks:

• DNS hostname overflow. Occurs when a Domain Name System (DNS) response for a host name exceeds a certain fixed length. This attack can cause improperly written applications that do not check the length of the host name to overflow their internal buffers when copying the host name. This attack can allow a remote attacker to execute arbitrary commands on a targeted computer.
• DNS length overflow. Occurs when an IP address contains a length field with a value larger than 4 bytes. This attack can cause improperly written applications that perform DNS lookups to overflow their internal buffers. This attack can allow a remote attacker to execute arbitrary commands on a targeted computer.
• DNS zone transfer from privileged ports (1–1024). Occurs when a computer uses a DNS client application to transfer zones from an internal DNS server. DNS zone information should not usually be transferred to external computers, because it may contain sensitive information about your network. The ports between 1 and 1024 are privileged ports, which are reserved for server applications. Typically, a zone transfer request from a port number between 1 and 1024 indicates that the request originates from a server application, although there is no guarantee that it does.
• DNS zone transfer from high ports (above 1024). Is similar to a DNS zone transfer from a privileged port. Typically, a zone transfer request from a port number over 1024 indicates that the request originates from a client application, although there is no guarantee that it does.
• POP buffer overflow. Occurs when an intruder attempts to gain privileged access to computers that are running certain versions of a Post Office Protocol (POP) server by overflowing an internal buffer on the server.

Topic Objective: To describe the types of attacks that ISA Server can detect at the application level.
Lead-in: At the application level, ISA Server can detect the following attacks.
Delivery Tip: Point out that all attacks at the application level attempt intrusion by using a vulnerability of a specific application, such as a DNS service or a POP server service. Do not explain each attack in detail, but use one or two of them as examples.

Configuring Intrusion Detection

[Slide: IP Packet Filters Properties dialog, Intrusion Detection tab. Options shown: Detect after attacks on 10 well-known ports; Detect after attacks on 20 ports; Select Attacks: "Select the options that are required to implement your monitoring strategy." Dialog notes: "To receive alerts about intrusion attacks, see the properties for specific alerts in the Alerts folder." and "Intrusion detection functionality based on technology from Internet Security Systems, Inc., Atlanta, GA, USA, www.iss.net".]

When you configure intrusion detection, ISA Server identifies when an attack is attempted against your network and then performs a set of preconfigured actions. To detect unwanted intruders, ISA Server compares network traffic and log entries to well-known attack methods. Possible actions that you can configure include connection termination, service termination, e-mail alerts, and logging.

Although ISA Server generates events whenever a selected intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so.

Configuring IP Intrusion Detection

To configure IP intrusion detection:

1. In ISA Management, in the console tree, expand your server or array, expand Access Policy, right-click IP Packet Filters, and then click …

Topic Objective: To describe the procedures that you use to configure …
Lead-in: …against your network and then performs a set of preconfigured actions.
Key Point: Although ISA Server generates events whenever a selected intrusion attack occurs, ISA Server generates alerts only if you specifically configure ISA Server to do so.

4. If you select the Port scan check box, perform the following actions, and then click OK:
   • In the Detect after attacks on … well-known ports box, type the maximum number of well-known ports that can be scanned before generating an event. Well-known ports are UDP and TCP ports in the range 0–2048. Intruders frequently scan well-known ports because most services listen for connections on these ports. An intruder is most likely to find vulnerable ports by scanning well-known ports.
   • In the Detect after attacks on … ports box, type the total number of ports that can be scanned before generating an alert.
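The two thresholds in step 4, and the all ports scan attack they detect, reduce to counting distinct destination ports per source address. The Python below is an added example, not ISA Server code: it replays a constructed list of dropped-packet records (source, protocol, destination port) and raises an event once a source has touched more distinct well-known ports (0–2048, as this module defines them) than the first threshold, or more distinct ports of any number than the second.

```python
"""Port-scan thresholding modelled on the two "Detect after attacks on ..."
settings.  Added example, not ISA Server code; the record format is
constructed for illustration."""
from collections import defaultdict

# Defaults as shown in the module's IP Packet Filters Properties dialog.
WELL_KNOWN_THRESHOLD = 10   # "Detect after attacks on 10 well-known ports"
TOTAL_THRESHOLD = 20        # "Detect after attacks on 20 ports"
WELL_KNOWN_MAX = 2048       # the module defines well-known ports as 0-2048

WELL_KNOWN_EVENT = "Intrusion detected: all ports scan (well-known ports)"
TOTAL_EVENT = "Intrusion detected: all ports scan (total ports)"


def parse_record(line):
    """Parse one constructed record: '<source ip> <tcp|udp> <destination port>'."""
    src, proto, port = line.split()
    return src, proto.lower(), int(port)


def detect_port_scans(records, well_known_threshold=WELL_KNOWN_THRESHOLD,
                      total_threshold=TOTAL_THRESHOLD):
    """Return {source_ip: event} for every source that crosses a threshold.

    Distinct destination ports are counted per source, so twenty retries
    against one port are not a scan, while twenty-one different ports are.
    Only the first event per source is recorded, mirroring the single event
    ISA Server raises once the configured limit is exceeded.
    """
    ports_by_src = defaultdict(set)
    events = {}
    for line in records:
        if not line.strip():
            continue
        src, proto, port = parse_record(line)
        if proto not in ("tcp", "udp"):     # the settings cover UDP and TCP ports
            continue
        ports_by_src[src].add(port)
        if src in events:
            continue
        seen = ports_by_src[src]
        well_known = sum(1 for p in seen if p <= WELL_KNOWN_MAX)
        if well_known > well_known_threshold:
            events[src] = WELL_KNOWN_EVENT
        elif len(seen) > total_threshold:
            events[src] = TOTAL_EVENT
    return events


def build_sample_records():
    """Constructed sample traffic; not captured from a real network."""
    lines = [f"10.0.0.5 tcp {p}" for p in range(21, 32)]       # 11 distinct well-known ports
    lines += [f"10.0.0.9 udp {p}" for p in range(3000, 3021)]  # 21 distinct high ports
    lines += ["10.0.0.7 tcp 80"] * 20                          # one port, many retries
    lines += [f"10.0.0.11 tcp {p}" for p in (22, 25, 53)]     # a handful of ports
    return lines


if __name__ == "__main__":
    for src, event in detect_port_scans(build_sample_records()).items():
        print(f"{src}: {event}")
```

Lowering either threshold makes the detector fire earlier at the cost of more events from legitimate multi-port clients, which is the trade-off the "Detect after attacks on" boxes let you tune.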

Configuring the DNS Intrusion Detection Filter

The DNS intrusion detection filter intercepts and analyzes DNS traffic destined for the internal network.

To configure the DNS intrusion detection filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.
2. In the details pane, right-click DNS intrusion detection filter, and then click Properties.
3. On the Attacks tab, select the options that are required to implement your monitoring strategy, and then click OK.

Configuring the POP Intrusion Detection Filter

The POP intrusion detection filter detects attempts to perform POP buffer overflow attacks.

To configure the POP intrusion detection filter:

1. In ISA Management, in the console tree, expand your server or array, expand Extensions, and then click Application Filters.
2. In the details pane, right-click POP intrusion detection filter, and then click Properties.
3. On the General tab, select the Enable this filter check box, and then click OK.

ISA Server Events

[Screenshot: ISA Management console, Servers and Arrays > LONDON > Monitoring Configuration > Alerts, listing the predefined alerts for server PHOENIX (Alert action failure, Cache container initialization error, Cache container recovery complete, Cache file resize failure, Cache initialization failure, Cache restoration completed, Cached object discarded, Component load failure, Dial-on-demand failure, Firewall communication failure, Intrusion detected, Invalid dial-on-demand credentials, Invalid ODBC log credentials, IP Protocol violation, Missing installation component, Network configuration changed, OS component conflict, Report Summary Generation Failure) with the Intrusion detected Properties dialog open.]

Events are conditions that ISA Server can detect during its operation, such as an intrusion attempt, a problem with a service running on an ISA Server computer, or a communication failure. You use events when you configure an alert. An alert defines the actions that ISA Server performs when it detects an event.

When you create an alert, you must specify an event that triggers the alert. The following table lists some of the events that ISA Server can detect.

Event                                  Description
…                                      …overflow, zone high port, or zone transfer attack has occurred
Intrusion detected                     Indicates that an external user attempted an intrusion attack
IP packet dropped                      Indicates that an IP packet that is not allowed by an access policy was dropped
IP protocol violation                  Indicates that ISA Server detected and dropped a packet with invalid IP options
…                                      …valid
SOCKS request was refused              Indicates that ISA Server refused a SOCKS request due to a policy violation
Windows Media Technology (WMT) live stream splitting failure
                                       Indicates that the streaming application filter encountered an error during the WMT live stream splitting

Note: For a full list of the events that are recognized by ISA Server, see “ISA Server events” in ISA Server Help.

Topic Objective: To describe some of the events that you use to configure alerts.
Lead-in: When you create an alert, you must specify the event that triggers the alert.
Delivery Tip: Do not cover all of the ISA Server events in detail. Instead, point students to the reference in the Note at the bottom of the page.

Configuring Alerts

[Slide: Intrusion detected Properties dialog (ISA Administrator). Actions tab: Send e-mail (SMTP server: europe.london.msft; To: administrator@nwtraders.msft; Cc:), Program (Run this program; Use this account), Report to Windows 2000 event log, Stop selected services, Start selected services. Events tab: Description "An intrusion was attempted by an external…"; Additional condition: Any intrusion; Number of occurrences before the alert is issued: 1; Number of events per second before the alert is issued: 0; Recurring actions are performed: Immediately / After manual reset of alert / If time since last execution is more than … minutes.]

The alert service of ISA Server monitors events and then performs an action if a specific event occurs. You can configure an alert to send an e-mail notification, run a program, or start and stop a service. For example, you can configure ISA Server to send you an e-mail message when a specified number of intrusion attempts have occurred.

Note: In addition, you can use scripts to configure advanced actions for ISA Server. For example, you can create a program that scans the logs for the IP address of an intruder and then creates a protocol filter that blocks connections from the intruder’s IP address. You can then run the program whenever ISA Server generates an alert that is based on an intrusion attempt.

Creating Alerts

To create an alert:

1. In ISA Management, in the console tree, expand your server or array, expand Monitoring Configuration, right-click Alerts, point to New, and then click Alert.
2. In the New Alert Wizard, type the name of the alert, and then click Next.
3. On the Events and Conditions page, select the event that will trigger the alert. If the event allows you to specify additional conditions, select those conditions, and then click Next.

Topic Objective: To describe the procedure that you use to configure alerts.
Lead-in: The alert service of ISA Server monitors events and then performs an action if a specific event occurs.

4. On the Actions page, select from the following actions, click Next, and then click Finish:

Action                                 Description
Send an e-mail message                 Provide the name or the IP address of the Simple Mail Transfer Protocol (SMTP) server, a recipient, a return address, and any recipients to include on the Cc: list. Ensure that no packet filters prevent the ISA Server computer from communicating with the SMTP server by using TCP port 25.
…                                      …ISA Server will run. If you run the program in the security context of a user account other than the local system account, provide the user name and password for that account.
Report the event to a Microsoft Windows® 2000 event log
                                       No further action is required.
Stop selected ISA Server services      Select the service or services to stop. Valid choices are the Firewall service, the Microsoft Web Proxy service, and the Microsoft Scheduled Cache Content Download service.
Start selected ISA Server services     Select the service or services to start.

Viewing and Resetting Alerts

When an alert occurs, ISA Server performs the alert action and then records the alert in the Event log. You can view all of the alerts that ISA Server issued and the time that ISA Server issued each alert. After you view the alert, you can reset it. Resetting an alert removes it from the list of recent events. If you configured the alert to perform an action only after a manual reset of the alert, you must reset the alert before ISA Server will issue the same alert again.

To view and reset an alert:

1. In ISA Management, in the console tree, under Monitoring, click Alerts.
2. In the details pane, view the alerts that have occurred.
3. To reset an alert, right-click the alert, and then click Reset.

Trang 20

Configuring Advanced Alert Properties

Intrusion detected Properties

General

Cancel

Events Actions

Actions will be executed when the selected conditions occur:

Description An intrusion was attempted by an external

Additional condition: Any intrusion

Number of occurrences before the alert is issued: 1 Number of events per second before the alert is issued: 0 Recurring actions are performed:

Immediately After manual reset of alert

If time since last execution is more than minutes

Choose options to customize alert action for the event

Apply OK

After you create an alert, you can configure the alert properties. For example, you can configure ISA Server to alert you by using e-mail messages only when there are a specified number of intrusion attempts.

Important: A large number of alert actions may cause you to overlook important events, such as an important event log entry that appears among many duplicate entries that are less important.

To configure advanced alert properties:

1. In ISA Management, in the console tree, expand Monitoring Configuration, and then click Alerts.

2. In the details pane, right-click the alert, and then click Properties.

3. On the Events tab, choose one or more of the following options to customize the alert action for an event, and then click OK:

Specify the number of occurrences before an alert is issued: Select the Number of occurrences before the alert is issued check box, and then type the number of occurrences.

Specify the number of events per second to occur before an alert is issued: Select the Number of events per second before the alert is issued check box, and type the number of events per second.

Reissue an alert immediately if an event recurs: Click Immediately. Selecting this option can result in a large number of alert actions because ISA Server performs the alert action each time that it detects a specific event.

Topic Objective: To describe the procedure that you use to configure advanced alert properties.

Lead-in: After you create an alert, you can configure the alert properties.


Reissue an alert only after the alert is reset: Click After manual reset of alert. Selecting this option results in a single alert action even when there are multiple events.

Reissue an alert after a specified amount of time: Click If time since last execution is more than number minutes, and then type the number of minutes. Selecting this option results in multiple event actions only when the events occur a specified number of minutes apart.
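The following is an added model (not code from the module or from ISA Server) of how the three Events-tab settings above interact: the occurrence and events-per-second thresholds gate the first action, and the Immediately, After manual reset, and time-since-last-execution choices decide whether it repeats. Event times, the one-second rate window and the occurrence count restarting on reset are assumptions of the example.

```python
"""Model of the alert-issuance options on the Events tab described above
(constructed example, not ISA Server code). The action runs once `occurrences`
events were seen since the last reset and, if `events_per_second` is set, only
when that many fall within one second; repeats follow IMMEDIATELY (every further
event), AFTER_RESET (once, until reset()) or TIMED (`min_interval_minutes` apart)."""
from collections import deque
from enum import Enum

class Recur(Enum):
    IMMEDIATELY = "Immediately"
    AFTER_RESET = "After manual reset of alert"
    TIMED = "If time since last execution is more than N minutes"

class Alert:
    def __init__(self, occurrences=1, events_per_second=0,
                 recur=Recur.IMMEDIATELY, min_interval_minutes=0):
        self.occurrences, self.events_per_second = occurrences, events_per_second
        self.recur, self.min_interval = recur, min_interval_minutes * 60
        self.last_executed = None  # time of the last action; survives reset()
        self.actions = []          # event times (seconds) at which the action ran
        self.reset()

    def reset(self):
        """Manual reset: re-arm the alert and restart the occurrence count."""
        self.count, self.recent, self.armed = 0, deque(), True

    def event(self, t):
        """Feed one matching event at time t (seconds); True if the action ran."""
        self.count += 1
        self.recent.append(t)
        while t - self.recent[0] >= 1.0:   # one-second sliding window for the rate
            self.recent.popleft()
        if self.count < self.occurrences or (
                self.events_per_second and len(self.recent) < self.events_per_second):
            return False
        if self.recur is Recur.AFTER_RESET and not self.armed:
            return False                    # one action until someone resets it
        if (self.recur is Recur.TIMED and self.last_executed is not None
                and t - self.last_executed < self.min_interval):
            return False                    # too soon since the last execution
        self.armed, self.last_executed = False, t
        self.actions.append(t)
        return True

def simulate(alert, times, reset_at=()):
    for t in times:
        if t in reset_at:  # an operator resets the alert before this event
            alert.reset()
        alert.event(t)
    return alert.actions
```

Replaying the same burst of events against Alert objects with different settings shows why Immediately produces one action per event while After manual reset of alert produces one action until the alert is reset.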


Monitoring ISA Server Activity

• Configuring Logging

• Logging Packet Filter Activity

You can monitor ISA Server activity by configuring logging. ISA Server logs incoming and outgoing requests and how ISA Server responded to these requests. When you configure logging, ISA Server generates logs for each server in the array. ISA Server includes logs for access and for security activity. You can configure ISA Server to generate logs in several data formats and then analyze the logs for usage, performance, and security monitoring.

Topic Objective: To identify the topics related to monitoring ISA Server.

Configuring Logging

[Slide: the Firewall service Properties dialog, Log tab. Enable logging for this service. Log storage format: File (Format: W3C extended log file format; Create a new file: Daily; Name: FWSEXTDyyyymmdd.log; Options…) or Database (ODBC data source (DSN): db1; Table name: Table1; Use this account: Set Account…). Callouts: Click File to save logs to a file by using the W3C format or ISA format. Click Database to save logs to an ODBC database.]

When you configure logging, ISA Server creates log files on every ISA Server computer in the array. ISA Server can produce the following log files:

• Packet filter logs. Record attempts to pass packets through the ISA Server.

• W3C format. Use this format for compatibility with the reporting applications that recognize the World Wide Web Consortium (W3C) format. The W3C format contains data and information that describes the version, date, and logged fields. ISA Server does not log the unselected fields. This format uses the tab character as a delimiter, and the date and time fields are in Greenwich Mean Time.

• ISA format. Use this format when you use a reporting application that can interpret ISA Server logs. The ISA format contains only data with no information about the data format. ISA Server always logs all of the fields. ISA Server logs the unselected fields as dashes to indicate that they are empty. This format uses the comma character as a delimiter, and the date and time fields are in local time.

• ODBC database. Use this format to save the logs to an Open Database Connectivity (ODBC) database.
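The two file formats above differ in exactly the ways that trip up log analysis: W3C names its columns in a #Fields directive and omits unselected fields, while ISA format has a fixed column order, writes a dash for unselected fields, and stamps local time instead of GMT. The reader below is an added example, not the module's or ISA Server's code; its field names, ISA-format column order, timestamp layout and sample lines are constructed for illustration (the real field list is in ISA Server Help).

```python
"""Parse the two file log formats described above: W3C (tab-delimited, a
'#Fields:' directive names the selected columns, unselected fields are
absent, GMT) and ISA format (comma-delimited, all fields always present in a
fixed order, unselected fields written as '-', local time). Field names,
column order and log lines here are constructed for this example."""
from datetime import datetime, timezone

# Assumed fixed ISA-format column order (constructed, not ISA's real list).
ISA_FIELDS = ["c-ip", "cs-username", "date", "time", "s-svcname", "r-host", "r-port", "sc-status"]

def _stamp(date, time, tz=None):  # date/time assumed as yyyy-mm-dd hh:mm:ss
    if date is None or time is None:
        return None
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)

def parse_w3c(text):
    """One dict per data line; the column names come from the #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # #Software, #Version, #Date directives and blank lines
        elif fields is None:
            raise ValueError("data line before any #Fields directive")
        else:
            rec = dict(zip(fields, line.split("\t")))
            rec["timestamp"] = _stamp(rec.get("date"), rec.get("time"), timezone.utc)
            records.append(rec)
    return records

def parse_isa(text):
    """One dict per line; '-' (an unselected field) becomes None."""
    records = []
    for line in filter(str.strip, text.splitlines()):
        values = line.split(",")
        if len(values) != len(ISA_FIELDS):
            raise ValueError(f"expected {len(ISA_FIELDS)} fields, got {len(values)}")
        rec = {k: (None if v == "-" else v) for k, v in zip(ISA_FIELDS, values)}
        rec["timestamp"] = _stamp(rec["date"], rec["time"])  # naive: local time
        records.append(rec)
    return records

# Constructed samples: the W3C log was written with cs-username unselected.
SAMPLE_W3C = ("#Software: constructed sample\n#Version: 1.0\n"
              "#Fields: c-ip date time s-svcname r-host r-port sc-status\n"
              "10.0.0.5\t2001-04-27\t16:05:43\tfwsrv\t192.0.2.10\t80\t0\n"
              "10.0.0.7\t2001-04-27\t16:05:44\tfwsrv\t192.0.2.11\t443\t5\n")
SAMPLE_ISA = ("10.0.0.5,-,2001-04-27,09:05:43,fwsrv,192.0.2.10,80,0\n"
              "10.0.0.7,alice,2001-04-27,09:05:44,fwsrv,192.0.2.11,443,5\n")
```

A reporting tool that merges both kinds of file must normalize the naive ISA-format timestamps to the same zone before correlating them with the GMT W3C records.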

Topic Objective: To describe the procedure that you use to configure logging.

Lead-in: When you configure logging, ISA Server creates log files on every ISA Server computer in the array.

Delivery Tip: Explain that logging to a database can centralize ISA Server logs and secure the data in the logs by moving the data from the ISA Server computer to a database on a different computer.

Note: The ISA Server compact disc includes sample scripts that you can use to create your own log database. These scripts are located in the \ISA folder. For more information about logging to a database, see “Logging to a database” in ISA Server Help.

Configuring Logs

To configure log settings:

1. In ISA Management, in the console tree, click Logs.

2. In the details pane, right-click Packet filters, Firewall service, or Web Proxy Service, and then click Properties.

3. On the Log tab, specify how to save the logs, and then ensure that the Enable logging for this service check box is selected:

Save to a file: Click File, and then select a log format. In the Create new file list, select a time period that specifies how often to create a new log file, and then click Options to specify where to store the logs and to limit the number of log files that you save.

Save to a database: Click Database, and then confirm or modify the following parameters:

4. On the Fields tab, select the fields that you want ISA Server to include in the logs, and then click OK.

Note: For more information about the fields, see “Firewall and Web Proxy log fields” and “Packet Filter log fields” in ISA Server Help.


Logging Packet Filter Activity

[Slide: the IP Packet Filters Properties dialog (PPTP and other options: Enable filtering of IP fragments; Enable filtering IP options; Log packets from ‘Allow’ filters) next to a packet filter's General tab (Mode: Block packet transmission between specified IP addresses, ports, and protocols; Remote Computer; Description (optional); Log any packets matching this filter; Enable this filter). Callout: Clear to prevent logging blocked packets.]

You can log all of the packets that pass through ISA Server to the packet filter log. By default, ISA Server logs only dropped packets. To reduce server load, you can configure ISA Server to disable logging for packets that are dropped because they are blocked by an IP packet filter. Disable logging for dropped packets only if your security policy does not require this information. You can also configure ISA Server to log the allowed packets. ISA Server can only log the blocked or allowed packets if packet filtering is enabled.

Important: Logging both allowed packets and blocked packets can cause a considerable load on the server. Enable logging for allowed packets for diagnostic purposes only.

Preventing Logging of Blocked Packets

To prevent logging of packets that are blocked by a specific filter:

1. In ISA Management, in the console tree, expand Access Policy, and then click IP Packet Filters.

2. In the details pane, click a packet filter that blocks access, and then click Configure a Packet Filter.

3. On the General tab, click to clear the Log any packets matching this filter check box, and then click OK.

Topic Objective: To describe the procedures related to logging packet filter activity.

Lead-in: You can log all of the packets that pass through ISA Server to the packet filter log.

Posted: 10/12/2013, 16:16
