Journaling and auditing packet rule actions

Your packet rules include a journaling feature. Journaling enables you to troubleshoot NAT and filtering problems.

You can use the journal to create a log of rule actions that occurred for each packet rule. This enables you to debug and spot check your rules. You can also audit the traffic that flows in and out of your system by reviewing these system logs or journals.

The journaling feature is set on a per-rule basis. When you create a NAT or filter rule, you have two journaling options: FULL or OFF. See the following table for more detail.

  Option   Definition
  ------   --------------------------------------------------
  FULL     Every packet that is translated or filtered by the rule is logged.
  OFF      No journaling occurs for the rule.

If journaling is turned on, a journal entry is generated for each rule applied to a datagram (NAT or filter). The only rules for which a journal entry is not created are the default deny rules. They are never journaled because they are created by the system.

By using these journals, you create a general file on the system. You can then use the information recorded in your system's journals to determine how your system is being used. This can help you decide to change various aspects of your security plan.

If you set the journaling feature to OFF, your system does not create a journal entry for that rule. Although you can choose to do this, it might not be your best option. If you are not experienced in creating filter and NAT rules, you might want to use FULL (logging) where needed, and then use the journal entries as a troubleshooting tool. However, be selective in what you choose to journal: journaling is a heavy burden on your system's resources. Focus on the rules that control the heavy traffic.

To view these journals, do the following step:

  1. From a command line, enter DSPJRN JRN(QIPNAT) for NAT journals or DSPJRN JRN(QIPFILTER) for IP filter journals.
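The following CL sequence is an added example, not part of the original IBM text; it shows how an auditor would pull one day of IP filter journal entries into a database file instead of paging through DSPJRN output. It assumes the QIPFILTER journal is in QUSRSYS, that filter entries carry journal code M and entry type TF, and that IBM ships a model outfile QSYS/QATOFIPF that splits the entry data into named fields (for NAT the assumed equivalents are QSYS/QATOFNAT with entry types TS and TM). The library AUDITLIB, the file names and the date are placeholders; confirm the model file and entry types on your own release before relying on them.

```cl
/* Added example (not IBM's own procedure): extract one day of      */
/* QIPFILTER entries for audit. ASSUMPTIONS to verify on your       */
/* release: journal library QUSRSYS, journal code M / entry type TF, */
/* and model outfile QSYS/QATOFIPF. AUDITLIB, FILTERLOG, FILTERTMP   */
/* and the dates are placeholders.                                   */

/* 1. Create an empty audit file from the model file so the entry   */
/*    data lands in named fields rather than one raw text column.   */
CRTDUPOBJ  OBJ(QATOFIPF) FROMLIB(QSYS) OBJTYPE(*FILE) +
           TOLIB(AUDITLIB) NEWOBJ(FILTERLOG)

/* 2. Dump only filter entries for the time window of interest into */
/*    a temporary *TYPE4 outfile. Bounding the window keeps the     */
/*    extract small even when busy rules are journaled FULL.        */
DSPJRN     JRN(QUSRSYS/QIPFILTER) JRNCDE((M)) ENTTYP((TF)) +
           FROMTIME('03/01/2024' '000000') +
           TOTIME('03/01/2024' '235959') +
           OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
           OUTFILE(QTEMP/FILTERTMP) ENTDTALEN(*CALC)

/* 3. Map the temporary records onto the model layout; *ADD lets    */
/*    the same audit file accumulate several days of extracts.      */
CPYF       FROMFILE(QTEMP/FILTERTMP) TOFILE(AUDITLIB/FILTERLOG) +
           MBROPT(*ADD) FMTOPT(*MAP *DROP)

/* 4. Review the result (or query it with SQL from the field names). */
RUNQRY     QRYFILE((AUDITLIB/FILTERLOG))
```

Because journaling costs system resources, a practical pattern is to set JRN = FULL on only the few rules you want to audit, run this extract on a schedule, and then clear the temporary file; the same sequence works for QIPNAT once the model file and entry types are swapped for the NAT equivalents.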