Configuring D-Link NetDefend UTM Firewalls for ProxyInspector operation and reporting


To get log files from a D-Link NetDefend UTM Firewall (DFL-260E, DFL-860E, DFL-870, DFL-1660, DFL-2560 or other NetDefend models), you have to use an external SysLog server. This can be a SysLog server for Windows (Kiwi, SysLog Watcher, etc.) or the standard syslogd or rsyslogd for Linux. The general requirements for the SysLog server are uninterrupted 24/7 operation and log files that are accessible from the ProxyInspector end.

Enabling logging for all D-Link NetDefend rules

You need to enable logging for all Firewall rules. To do so, open Policies | Firewalling | Rules | Main IP Rules.

Turn on the Logging switch for each rule that allows external traffic.

HTTP protocol

You will need to create a separate rule for the HTTP protocol with http-outbound specified as the service. This will enable full URLs with parameters for HTTP requests in log messages. Unfortunately, there is no HTTPS inspection in D-Link NetDefend devices, and therefore reporting on HTTPS requests will be limited.

Enabling the D-Link NetDefend UTM Firewall to send messages to the SysLog server

D-Link NetDefend UTM Firewalls can send data to multiple SysLog servers. To use this feature, open System | Device | Device | Log and Event Receivers, click the Add button, select Syslog Receiver, specify your SysLog server’s IP address, name, and port, and save it. Currently, D-Link NetDefend UTM Firewalls support SysLog over UDP only. It is recommended that you remove the default Memory Log Receiver to minimize the usage of the built-in CompactFlash memory card, which will reduce the probability of its failure.

Configuring ProxyInspector for D-Link NetDefend reporting

You need to specify the log files’ path and mask for ProxyInspector, so that it can access them. Typically, it is a network path to a folder on the SysLog server.
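For the Linux rsyslogd option mentioned above, the following receiver configuration is an added example, not part of the original article or of the ProxyInspector or D-Link documentation. The firewall address 192.0.2.1, the folder /var/log/netdefend, the file name pattern and the file name /etc/rsyslog.d/30-netdefend.conf are assumptions to be replaced with your own values.

```conf
# /etc/rsyslog.d/30-netdefend.conf  (hypothetical file name)

# NetDefend sends SysLog over UDP only, so the UDP input module is required.
# If imudp is already loaded in the main rsyslog.conf, remove this line.
module(load="imudp")

# Listen on the port entered in the firewall's Syslog Receiver settings
# and hand everything received here to a dedicated ruleset.
input(type="imudp" port="514" ruleset="netdefend")

# One file per day; the matching ProxyInspector mask is netdefend-*.log
template(name="NetDefendDaily" type="string"
         string="/var/log/netdefend/netdefend-%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="netdefend") {
    # UDP syslog is unauthenticated: keep only messages whose source
    # address is the firewall (192.0.2.1 is a placeholder address).
    if $fromhost-ip == "192.0.2.1" then {
        action(type="omfile" dynaFile="NetDefendDaily" createDirs="on")
    }
    # Anything from other senders is discarded and never reaches the
    # general system logs.
    stop
}
```

With this layout, the path given to ProxyInspector is the folder /var/log/netdefend as exposed over the network, and the mask is netdefend-*.log. Because the source-address check is the only filter on an unauthenticated UDP port, also restrict port 514 to the firewall's address in the host firewall of the SysLog server.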

Tags: D-Link, NetDefend, SysLog, ProxyInspector, log file