Recently I posted an article on ISAserver.org on using Forefront Threat Management Gateway (TMG) 2010 to monitor and optionally block network access based on the country/geography of the source or destination IP address. There are certainly some compelling reasons to consider blocking countries, as bad actors are often associated with specific regions of the world. Depending on your organization’s business and appetite for risk, monitoring and blocking traffic from certain countries may be interesting, or it might just be essential to protecting your intellectual property.
In the original article I demonstrated how to create firewall policy to identify traffic based on geography. In addition I showed how to view this activity using the native Forefront TMG 2010 monitoring tools. The challenge to using this method, however, is that it requires the administrator to be watching the logs in real time using TMG’s live logging feature. It also suffers from the flaw that you can’t create alerts when network traffic matches a specific access rule, nor can you generate a report for this access either. Thankfully we can address these shortcomings using TMG Reporter from Fastvue.
Reporting on Country Access
Generating a report to identify traffic processed by a specific access rule is quite simple. In the TMG Reporter management console click Reports and choose Activity Report. For the Field select Rule and for the Operator choose Contains and enter any unique text that will identify your access rule for this traffic. On my TMG firewall the rule is called China [MONITOR].
Enter the appropriate date range for your needs and click Run Report to view any traffic that was handled by this access rule. If you’ve identified workstations that have accessed resources using this rule, it might be a good idea to inspect those systems closely for viruses or malicious software. : )
Alerting on Country Access
And so you don’t have to spend all day staring at the Forefront TMG live log like Cypher looking at the Matrix, you can configure TMG Reporter to proactively alert you when network traffic is processed by a geography-based access rule. To do this, click Alerts and then Configure Alerts. Choose Add Alert, enter a descriptive name, and then click Add and Configure Alert.
Once again specify Rule for the Field and Contains for the Operator and enter any unique text that will identify your access rule for this traffic.
From here you have a high degree of granularity in defining this alert. For example, you can configure the alert to trigger based upon time delta or frequency of occurrence. You can define what information you want to see in the alert, and you can configure the alert notification to be sent via e-mail as well.
As you can see, Fastvue TMG Reporter is a much more elegant reporting and alerting tool, offering additional features and much more granular activity monitoring than the native TMG tools provide. If you want the ultimate visibility into your Forefront TMG firewall’s activity, download Fastvue TMG Reporter today!