RE: [fw-wiz] Netscreen email logging

From: Philip J. Koenig (pjklist@ekahuna.com)
Date: 09/27/02


From: "Philip J. Koenig" <pjklist@ekahuna.com>
To: Eddy Kalem <ekalem@testmart.com>
Date: Fri Sep 27 20:18:16 2002

On 27 Sep 2002 at 11:03, Eddy Kalem boldly uttered:

> Where's the mail host located? Trusted or Untrusted interfaces?

On the 5XP - trusted, on the 25 - untrusted. Right now I'm in
testing mode with the 25, I have it in a test network prior to
installation in the live network.

The only idiosyncrasy in the test network is that since I'm using the
same routable IPs as the box will use "in real life", they are not
routable to the internet (my ISP isn't routing someone else's IPs to
me) so I can't send traffic to the "world at large". However I have
this running through a Cisco which is connected directly to and has a
static route to the subnet which holds the SMTP server. Connectivity
to that subnet is fine, I can send traffic both ways normally. (for
the moment the SMTP server's subnet thinks the route to the
Netscreen's subnet is through my internal Cisco, instead of my
external gateway)

> Have you checked your logs as to a possible reason why it's not working?

If you're referring to "get log event" or "get log self" or "get
alarm event" etc, then yes I've checked those. No indication it
either tried or failed to send email logs. (I have no idea if it logs
this anyway)

I've also looked at the SMTP server logs and there's no indication
the Netscreen attempted to open an SMTP handshake with it.

 
> I compared your entries to mine and seems you have the appropriate entries.
> My mail server is on my Trusted interface.
>
> Eddy Kalem

Thanks for your suggestions.. I'm still stumped on this.

> -----Original Message-----
> From: Philip J. Koenig [mailto:pjklist@ekahuna.com]
> Sent: Thursday, September 26, 2002 8:07 PM
> To: firewall-wizards@nfr.com
> Subject: [fw-wiz] Netscreen email logging
>
>
> I have tried to get email alerts and logs working with 2 different
> Netscreen boxes (5XP Elite and 25) with no success. Everything else
> pretty much works as expected except this. I have asked Netscreen
> support about it more than once and get the equivalent of a shrug
> from them.
>
> Is there some secret to this I'm missing? Here are the relevant
> entries from the configuration file:
>
> set admin mail alert
> set admin mail traffic-log
> set admin mail server-name <hostname or IP>
> set admin mail mail-addr1 <email address>
>
>
> I've finally gotten used to their idiosyncrasy of needing a manual
> route entry for any network that receives or sends to the firewall
> itself, so this isn't the problem.

--
Philip J. Koenig                                       pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millenium

