If an attack occurs on the firewall, log entries may increase drastically. If logging fails, the log failure alert is issued, and this alert stops the Microsoft Firewall service. When this occurs Forefront TMG enters lockdown mode. Similarly, if writing to the log takes more than thirty seconds, logging may fail and cause lockdown mode. In lockdown mode the following occurs:

To configure logging to avoid lockdown

To configure Forefront TMG to continue logging in these circumstances, despite a large number of events that may be logged, follow these guidelines:

  • Use Disk Defragmenter to consolidate fragmented files and folders. To avoid long commits, you should frequently defragment the disks on which log files are stored. To do this, click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Defragmenter.

  • Review how you have configured logging for each policy rule, to create sufficient yet precise log data. Specifically, you might want to disable logging for the Default Rule. Then create another deny rule with logging enabled to track unwanted traffic. Similarly, you may want to disable logging for rules that apply to NetBIOS and DHCP, depending on your organizational needs.

  • Configure the Firewall log and the Web proxy log folders on different disks.

  • Restrict the number of fields included in the log.

  • If you are using SQL logging, modify the file growth size or file growth percentage for the logs database. For more information, see ALTER DATABASE at the SQL Server Developer Center.

  • If Forefront TMG cannot log activity, the log failure alert is issued, and by default the Microsoft Firewall service is stopped. Consider reconfiguring this alert to send an e-mail message to an administrator's e-mail address, especially when you want to provide maximum serviceability.

  • Logging may attract attacks because it uses a large amount of I/O and CPU resources. Use the network protection flood mitigation feature to specify that denied traffic will not be logged if a "denied requests per second" limit is reached. For more information, see Setting flood mitigation connection limits.

  • Forefront TMG introduces the log queue feature, which helps avoid logging failures when logs records are generated faster than they can be processed. For more information, see Configuring the log queue.

  • When logging to a text file, a log record is limited to 1600 characters. This limit cannot be modified, and includes data and other information such as a time stamp. This may be an issue when the referring server information in an HTTP request is long. To avoid this issue, configure the logs not to log the Referring Server field. For instructions, see Selecting log fields.

Related Topics

Copyright © 2009 by Microsoft Corporation. All rights reserved.