If an attack occurs on the firewall, log entries may increase drastically. If logging fails, the log failure alert is issued, and this alert stops the Microsoft Firewall service. When this occurs Forefront TMG enters lockdown mode. Similarly, if writing to the log takes more than thirty seconds, logging may fail and cause lockdown mode. In lockdown mode the following occurs:
- Firewall policy is applied by the Firewall
Packet Filter Engine (fweng).
- Outgoing traffic from the Local Host network
to all networks is allowed.
- No incoming traffic is allowed, unless
allowed specifically by an enabled system policy rule. The only
exception is DHCP traffic which is always allowed from the Local
Host network to all networks (DHCP requests are allowed on UDP port
47 and DHCP relies on UDP port 68).
- VPN remote access clients cannot access
- Configuration changes made in lockdown mode
are only applied after the Firewall service restarts and Forefront
TMG exits lockdown mode.
To configure logging to avoid lockdown
To configure Forefront TMG to continue logging in these circumstances, despite a large number of events that may be logged, follow these guidelines:
- Use Disk Defragmenter to consolidate
fragmented files and folders. To avoid long commits, you should
frequently defragment the disks on which log files are stored. To
do this, click Start, point to All Programs, point to
Accessories, point to System Tools, and then click
- Review how you have configured logging for
each policy rule, to create sufficient yet precise log data.
Specifically, you might want to disable logging for the Default
Rule. Then create another deny rule with logging enabled to track
unwanted traffic. Similarly, you may want to disable logging for
rules that apply to NetBIOS and DHCP, depending on your
- Configure the Firewall log and the Web proxy
log folders on different disks.
- Restrict the number of fields included in the
- If you are using SQL logging, modify the file
growth size or file growth percentage for the logs database. For
more information, see ALTER DATABASE at the SQL Server Developer Center.
- If Forefront TMG cannot log activity, the log
failure alert is issued, and by default the Microsoft Firewall
service is stopped. Consider reconfiguring this alert to send an
e-mail message to an administrator's e-mail address, especially
when you want to provide maximum serviceability.
- Logging may attract attacks because it uses a
large amount of I/O and CPU resources. Use the network protection
flood mitigation feature to specify that denied traffic will not be
logged if a "denied requests per second" limit is reached. For more
information, see Setting flood mitigation
- Forefront TMG introduces the log queue
feature, which helps avoid logging failures when logs records are
generated faster than they can be processed. For more information,
the log queue.
- When logging to a text file, a log record is
limited to 1600 characters. This limit cannot be modified, and
includes data and other information such as a time stamp. This may
be an issue when the referring server information in an HTTP
request is long. To avoid this issue, configure the logs not to log
the Referring Server field. For instructions, see Selecting log
ConceptsConfiguring Forefront TMG logs
Copyright © 2009 by Microsoft Corporation. All rights reserved.