Configuring logging to avoid lockdown
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
If the firewall is attacked, the volume of log entries can increase drastically. If logging then fails, the log failure alert is issued, and by default this alert stops the Microsoft Firewall service, which puts Forefront TMG into lockdown mode. Similarly, if a write to the log takes more than thirty seconds, logging may fail and trigger lockdown mode. In lockdown mode the following occurs:
Firewall policy is applied by the Firewall Packet Filter Engine (fweng).
Outgoing traffic from the Local Host network to all networks is allowed.
No incoming traffic is allowed, unless a system policy rule that specifically allows it is enabled. The only exception is DHCP traffic, which is always allowed: DHCP requests on UDP port 67 are allowed from the Local Host network to all networks, and DHCP replies on UDP port 68 are allowed back.
VPN remote access clients cannot access Forefront TMG.
Configuration changes made in lockdown mode are only applied after the Firewall service restarts and Forefront TMG exits lockdown mode.
To configure logging to avoid lockdown
To configure Forefront TMG to continue logging in these circumstances, despite a large number of events that may be logged, follow these guidelines:
Use Disk Defragmenter to consolidate fragmented files and folders. To avoid long commits, you should frequently defragment the disks on which log files are stored. To do this, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.
Review how you have configured logging for each policy rule, to create sufficient yet precise log data. Specifically, you might want to disable logging for the Default Rule. Then create another deny rule with logging enabled to track unwanted traffic. Similarly, you may want to disable logging for rules that apply to NetBIOS and DHCP, depending on your organizational needs.
Configure the Firewall log and the Web proxy log folders on different disks.
Restrict the number of fields included in the log.
If you are using SQL logging, modify the file growth size or file growth percentage for the logs database. For more information, see ALTER DATABASE at the SQL Server Developer Center.
If Forefront TMG cannot log activity, the log failure alert is issued, and by default the Microsoft Firewall service is stopped. Consider reconfiguring this alert to send an e-mail message to an administrator's e-mail address instead, especially when you want to provide maximum serviceability. Be aware that a firewall that keeps running after logging has failed has no audit trail for that period, so the alert e-mail must actually be monitored and acted on.
Logging may attract attacks because it uses a large amount of I/O and CPU resources. Use the network protection flood mitigation feature to specify that denied traffic will not be logged if a "denied requests per second" limit is reached. For more information, see Setting flood mitigation connection limits. https://technet.microsoft.com/en-us/library/cc441677(v=technet.10)
Forefront TMG introduces the log queue feature, which helps avoid logging failures when log records are generated faster than they can be processed. For more information, see Configuring the log queue.
When logging to a text file, a log record is limited to 1600 characters. This limit cannot be modified, and includes data and other information such as a time stamp. This may be an issue when the referring server information in an HTTP request is long. To avoid this issue, configure the logs not to log the Referring Server field. For instructions, see Selecting log fields.
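The two guidelines above (sizing the flood mitigation "denied requests per second" limit, and watching for records that hit the 1600-character text-log cap) both depend on looking at what the logs actually contain. The following script is an added example, not part of this article or of Forefront TMG: it parses W3C-format text log lines offline, reports the busiest second of denied traffic and which rules produce the denied volume (which also shows how much the Default Rule contributes, per the guideline on rule logging), and lists records that exceed the 1600-character limit together with the length of their referrer field. The header and records are constructed for the example; the column names only approximate TMG's, the referrer column name is an assumption passed as a parameter, and tab separation between values is assumed. Because the parser reads the column list from the `#Fields:` directive, it works unchanged against a real log header.

```python
from collections import Counter

TEXT_LOG_RECORD_LIMIT = 1600  # fixed cap on a TMG text-log record, per the article


def parse_w3c(lines):
    """Parse W3C-format text log lines into (raw_line, field_dict) pairs.

    Column names come from the #Fields: directive, so TMG's column names are
    not hard-coded. Assumption: values are tab separated, as in TMG/ISA W3C
    text logs; adjust the separator if your logs differ.
    """
    fields = None
    rows = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no records
        if fields is None:
            raise ValueError("log record appears before the #Fields: directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch in record: %r" % line[:60])
        rows.append((line, dict(zip(fields, values))))
    return rows


def denied_per_second(rows):
    """Denied records per second (date + time); the basis for choosing the
    flood mitigation 'denied requests per second' threshold."""
    counts = Counter()
    for _, rec in rows:
        if rec["action"] == "Denied":
            counts[rec["date"] + " " + rec["time"]] += 1
    return counts


def peak_denied_rate(rows):
    """(second, count) for the busiest second of denied traffic, or (None, 0)."""
    counts = denied_per_second(rows)
    if not counts:
        return None, 0
    return counts.most_common(1)[0]


def denied_by_rule(rows):
    """Denied volume per rule. A Default Rule that dominates is the candidate
    for disabling logging, replaced by a dedicated deny rule that is logged."""
    return Counter(rec["rule"] for _, rec in rows if rec["action"] == "Denied")


def oversized_records(rows, referer_field="referring-server",
                      limit=TEXT_LOG_RECORD_LIMIT):
    """Records longer than the text-log cap, as (time, record length,
    referrer length). Assumption: the referrer column is called
    'referring-server' here; pass whatever name your #Fields: line uses."""
    hits = []
    for line, rec in rows:
        if len(line) > limit:
            hits.append((rec["time"], len(line), len(rec.get(referer_field, ""))))
    return hits


# Constructed sample: a Web proxy log excerpt with TMG-like (not exact) columns.
_HEADER = ["date", "time", "client-ip", "destination-ip", "destination-port",
           "protocol", "action", "rule", "referring-server"]
_LONG_REFERER = "http://example.test/?q=" + "A" * 1700  # pushes a record past 1600


def _rec(time, client_ip, action, rule, referer="-"):
    return "\t".join(["2011-02-01", time, client_ip, "192.0.2.10", "80",
                      "http", action, rule, referer])


SAMPLE_LOG = [
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway",
    "#Version: 2.0",
    "#Fields: " + " ".join(_HEADER),
    _rec("10:00:01", "198.51.100.7", "Denied", "Default rule"),
    _rec("10:00:01", "198.51.100.8", "Denied", "Default rule"),
    _rec("10:00:01", "198.51.100.9", "Denied", "Default rule"),
    _rec("10:00:01", "198.51.100.10", "Denied", "Block unwanted traffic"),
    _rec("10:00:02", "198.51.100.7", "Denied", "Default rule"),
    _rec("10:00:02", "10.0.0.5", "Allowed", "Web access", "http://intranet.example.test/"),
    _rec("10:00:03", "10.0.0.6", "Allowed", "Web access", _LONG_REFERER),
]

if __name__ == "__main__":
    rows = parse_w3c(SAMPLE_LOG)
    print("peak denied/sec:", peak_denied_rate(rows))
    print("denied by rule:", dict(denied_by_rule(rows)))
    for t, length, ref_len in oversized_records(rows):
        print("record at %s is %d chars (referrer %d chars), over the %d limit"
              % (t, length, ref_len, TEXT_LOG_RECORD_LIMIT))
```

Run against a real log, the peak denied-per-second figure tells you where a flood mitigation limit would start suppressing log writes, the per-rule counts show whether the Default Rule is the main source of denied-traffic volume, and any oversized records confirm that the Referring Server field is what pushes lines past the cap.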