Best practices for Firewall Logging

Hello,

We’re splitting things up into very granular zones and only allowing specific traffic per service; there are no allow-all rules, traffic is only allowed by granular rules. This creates rather large firewall configurations, so I wrote a Python script to create the rules from some shorthand I use when designing firewalls. It turns about 200 lines of shorthand into about 4600 lines of firewall commands (with a bunch of error checking), but more about that in another post…

Logging defaults to on, and when I do simple speed tests on the firewall, systemd-journald takes up most of the CPU time. Disabling firewall logging frees up about 70% of the otherwise consumed CPU time.

To conserve resources (CPU, syslog server and all downstream analysis) I was thinking about disabling logging for the established/related and invalid packets. I already disable logging of packets from the LOCAL zone to the syslog server (log the logger, it’s just not practical!).

Is this an acceptable standard for logging almost everything relevant or would missing the established/related and invalid data cause problems if analysis for something like a breach occurred?

Thank you,

Jacob

Logging on estab/related is bulky, as you already discovered.
Not logging estab/related will still log all sessions started.
Is there a way to do conntrack logging, so you have end-time for sessions?
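Following up on the conntrack question in this reply, an added Python example (not code from the thread or from conntrack-tools): it pairs NEW and DESTROY events from `conntrack -E -o timestamp` output into sessions with start time, end time, duration and byte counts, which is exactly the session end-time data that rule logging without established/related does not give you. The event line layout is assumed from conntrack-tools and the sample events are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `conntrack -E -o timestamp` output. The line layout is
# assumed from conntrack-tools (per-direction counters on DESTROY lines need
# conntrack accounting enabled); addresses, ports and counters are made up.
SAMPLE_EVENTS = """\
[1700000000.100000]     [NEW] tcp      6 120 SYN_SENT src=192.168.10.5 dst=10.0.0.20 sport=51234 dport=443 [UNREPLIED] src=10.0.0.20 dst=192.168.10.5 sport=443 dport=51234
[1700000002.900000]     [NEW] udp      17 30 src=192.168.10.5 dst=10.0.0.53 sport=40000 dport=53 [UNREPLIED] src=10.0.0.53 dst=192.168.10.5 sport=53 dport=40000
[1700000003.000000] [DESTROY] udp      17 src=192.168.10.5 dst=10.0.0.53 sport=40000 dport=53 packets=1 bytes=70 src=10.0.0.53 dst=192.168.10.5 sport=53 dport=40000 packets=1 bytes=120
[1700000005.000000]     [NEW] tcp      6 120 SYN_SENT src=192.168.10.7 dst=10.0.0.20 sport=50001 dport=22 [UNREPLIED] src=10.0.0.20 dst=192.168.10.7 sport=22 dport=50001
[1700000012.600000] [DESTROY] tcp      6 src=192.168.10.5 dst=10.0.0.20 sport=51234 dport=443 packets=14 bytes=2100 src=10.0.0.20 dst=192.168.10.5 sport=443 dport=51234 packets=11 bytes=8800 [ASSURED]
"""

EVENT_RE = re.compile(r"^\[(\d+)\.(\d{1,6})\]\s+\[(NEW|UPDATE|DESTROY)\]\s+(\w+)\s+\d+")
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")
COUNTER_RE = re.compile(r"packets=(\d+) bytes=(\d+)")

def parse_line(line: str):
    """Return (ts_us, event, flow_key, packets, bytes) or None for non-event lines."""
    m, t = EVENT_RE.match(line), TUPLE_RE.search(line)  # first tuple = original direction
    if not m or not t:
        return None
    sec, frac, event, proto = m.groups()
    ts_us = int(sec) * 1_000_000 + int(frac.ljust(6, "0"))  # integer microseconds, no float drift
    key = (proto, t.group(1), t.group(2), int(t.group(3)), int(t.group(4)))
    counters = COUNTER_RE.findall(line)  # both directions appear on DESTROY lines
    return ts_us, event, key, sum(int(p) for p, _ in counters), sum(int(b) for _, b in counters)

def reconstruct(text: str) -> Tuple[List[dict], List[dict]]:
    """Pair NEW and DESTROY events by flow 5-tuple; return (closed, still open)."""
    open_flows: Dict[tuple, dict] = {}
    closed: List[dict] = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts_us, event, key, packets, nbytes = parsed
        proto, src, dst, sport, dport = key
        if event == "NEW":
            open_flows[key] = dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, start_us=ts_us)
        elif event == "DESTROY" and key in open_flows:  # flows that began before the capture are skipped
            s = open_flows.pop(key)
            s.update(end_us=ts_us, duration_s=(ts_us - s["start_us"]) / 1e6, packets=packets, bytes=nbytes)
            closed.append(s)
    return closed, list(open_flows.values())
```

Flows whose DESTROY never arrives (the constructed ssh flow here) stay in the open list, so a periodic run can report long-lived sessions as well as closed ones.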

Are you suggesting that I use conntrack logs instead of firewall logs altogether? I haven’t thought of that, or maybe I misunderstand.

I did end up disabling logging on established/related/invalid firewall rules; when running iperf3 tests at gigabit speeds, it changed the CPU id from the 20s to the 80s, and disabling the firewall logging completely still kept me in the 80s. Hopefully not logging the estab/rel/inv packets in the firewall is okay security practice.

Logging the established/related is indeed not best practice.
The Configuration Blueprint in the Docs says:

It is important to note that you do not want to add logging to the established state rule, as you will be logging both the inbound and outbound packets for each session instead of just the initiation of the session. Your logs will be massive in a very short period of time.

I don’t have any experience with zone-based firewalls in complex environments (at most WAN, LOCAL, LAN, GUEST, LAB or something like that), but I would still want to log accepted and denied traffic, at least for troubleshooting purposes and to have insight into what passes your firewall.