• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 132
  • Last Modified:

clean-up rule netscreen firewall

Hello everyone.
I'm still looking for your precious help on writing a best practice on "hardening netscreen firewalls".
My supervisor is asking to write down about cleanup rules so could you please tell me if the following is correct or how I can Improve it .
Thank you

Firewall administrators implements the cleanup rule in order to log the traffic which is being dropped.
The logs produced by the cleanup rule are normally used to perform troubleshooting activities or can then be fed into event analysis systems like a SIEM to improve visibility into network activity.

A cleanup rule should  be placed at the end of a policy zone to zone
ns-> set policy id 100 name "Clean-up Rule" from "ZONE-A" to "ZONE-B"  "Any" "Any" "ANY" deny log 
ns-> set policy id 100

Open in new window

2 Solutions
Sanga CollinsSystems AdminCommented:
This is the correct rule

ns-> set policy id 100 name "Clean-up Rule" from "GLOBAL" to "GLOBAL"  "Any" "Any" "ANY" deny log
ns-> set policy id 100

Global - global allows you to log all traffic that does not match and existing security policy. It is the first policy I add after trust to untrust
so called "cleanup rules" are rather useless unless
- a huge deal of traffic is NOT logged because nobody cares about robots checking for open smtp, ftp, ssh, or whatever since you basically cannot do anything to prevent random scans and they will produce so much output they will hide useful stuff
- someone actually analyses the logs ( and the previous is mandatory in order to achieve that goal )

most of what is interesting to monitor will be internal traffic because you know precisely what to expect and anything that is not expected need to be dealt with.

this is not specific to netscreen.
CarloAuthor Commented:
Thank you
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now