Logging enabled on deny + critical allow rules
Demonstrate that network security devices log all deny events and log traffic permitted by designated critical allow rules, enabling visibility into blocked threats and high-risk authorized connections.
Description
What this control does
This control ensures that firewall and network security device rules are configured to generate log entries whenever traffic is denied, and for designated critical allow rules (e.g., administrative access, privileged service ports, external database connections). Logging on deny rules captures unauthorized or anomalous connection attempts, while logging on critical allow rules tracks legitimate but high-risk activity. Without this logging, security teams cannot investigate incidents, detect policy violations, or reconstruct attack sequences during forensic analysis.
Control objective
What auditing this proves
Demonstrate that network security devices log all deny events and log traffic permitted by designated critical allow rules, enabling visibility into blocked threats and high-risk authorized connections.
Associated risks
Risks this control addresses
- Attackers conduct reconnaissance or exploit attempts against protected resources without detection due to missing deny logs
- Compromised accounts or insider threats abuse critical allow rules (e.g., SSH to production, database queries) without generating audit trails
- Incident responders cannot reconstruct attack paths or lateral movement due to gaps in network flow logging
- Compliance violations occur when auditors cannot verify enforcement of network segmentation or access controls
- Misconfigurations or overly permissive rules remain undetected because no logs exist to reveal unexpected traffic patterns
- Forensic investigations fail due to insufficient log retention or missing evidence of connection attempts during breach windows
- Security monitoring systems cannot alert on anomalous denied connection spikes or unusual use of privileged pathways
Testing procedure
How an auditor verifies this control
- Obtain current firewall and network security device rulebase exports from all in-scope perimeter, internal segmentation, and cloud security group devices
- Review organizational policy or standard to identify which allow rules are classified as critical (e.g., rules permitting SSH, RDP, database ports, admin console access, inter-VLAN privileged traffic)
- Examine each deny rule in the rulebase to confirm that logging is enabled at the rule level or globally for all deny actions, including the implicit default deny at the end of the rulebase, which many platforms do not log unless an explicit logged cleanup rule is added
- Identify all critical allow rules per the organizational definition and verify each has logging enabled in the rule configuration
- Select a representative sample of deny rules spanning different device types and zones, then query log aggregation systems or device logs to confirm deny events are actually being generated and collected
- Select a sample of critical allow rules, trigger test traffic matching those rules (e.g., SSH session to a protected host), and verify corresponding allow log entries appear in the logging infrastructure
- Review log retention settings to confirm deny and critical allow logs are retained for the period required by policy and regulatory obligations
- Validate that logged events include sufficient detail (source IP, destination IP, port, protocol, timestamp, rule ID, action) to support incident investigation
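The rulebase review and the log-evidence checks above can be scripted once the rulebase export is loaded into a common shape. The following is an added example for this page, not vendor code: the rulebase export format, the key=value log line format, the rule IDs, addresses and the set of ports treated as "critical" are all constructed assumptions, and a real audit would replace them with the organization's critical-rule definition and a loader for the actual device export.

```python
"""Audit helper for the control: flag deny rules and critical allow rules that do not
log, check that collected events carry the fields needed for investigation, and
confirm that sampled rules have at least one event in the collected logs.

Added example for this control page; not vendor code. The rulebase dict shape, the
log line format, rule IDs, addresses and CRITICAL_PORTS are constructed assumptions.
"""

import re

# Assumed local policy: an allow rule is "critical" when it permits a privileged
# service port (SSH, RDP, WinRM, common database ports) or is tagged critical.
CRITICAL_PORTS = {22, 3389, 5985, 5986, 1433, 1521, 3306, 5432}

# Fields an event must carry to support investigation, per the testing procedure.
REQUIRED_FIELDS = ("ts", "src", "dst", "dport", "proto", "rule", "action")

# Constructed rulebase export in a vendor-neutral shape (assumption).
RULEBASE = [
    {"id": "fw01-r10", "action": "allow", "src": "10.0.0.0/8", "dst": "10.20.0.5",
     "dport": 443, "proto": "tcp", "log": True},
    {"id": "fw01-r20", "action": "allow", "src": "10.50.1.0/24", "dst": "10.20.0.5",
     "dport": 22, "proto": "tcp", "log": False},          # critical allow, not logged
    {"id": "fw01-r30", "action": "allow", "src": "10.50.1.0/24", "dst": "10.30.0.9",
     "dport": 5432, "proto": "tcp", "log": True},
    {"id": "fw01-r40", "action": "deny", "src": "any", "dst": "10.20.0.0/16",
     "dport": "any", "proto": "any", "log": False},        # deny, not logged
    {"id": "fw01-r99", "action": "deny", "src": "any", "dst": "any",
     "dport": "any", "proto": "any", "log": True},         # logged cleanup rule
]


def is_critical_allow(rule):
    """Allow rule hitting a privileged port or explicitly tagged critical."""
    if rule["action"] != "allow":
        return False
    return rule["dport"] in CRITICAL_PORTS or "critical" in rule.get("tags", [])


def find_logging_gaps(rulebase, global_deny_logging=False):
    """Return the rule IDs that violate the control.

    global_deny_logging=True models a device that logs every deny regardless of
    the per-rule flag; the procedure accepts rule-level or global deny logging.
    """
    deny_unlogged = [r["id"] for r in rulebase
                     if r["action"] == "deny" and not (r["log"] or global_deny_logging)]
    critical_unlogged = [r["id"] for r in rulebase
                         if is_critical_allow(r) and not r["log"]]
    return {"deny_unlogged": deny_unlogged, "critical_allow_unlogged": critical_unlogged}


# Constructed log lines in a key=value syslog style (assumed format).
LOG_LINES = [
    "2024-05-01T10:02:11Z fw01 action=deny src=203.0.113.7 dst=10.20.0.5 dport=22 proto=tcp rule=fw01-r99",
    "2024-05-01T10:02:15Z fw01 action=allow src=10.50.1.12 dst=10.30.0.9 dport=5432 proto=tcp rule=fw01-r30",
    "2024-05-01T10:02:19Z fw01 action=deny src=198.51.100.4 dst=10.20.0.5 dport=3389 proto=tcp",  # no rule ID
    "2024-05-01T10:02:22Z fw01 action=allow src=10.50.1.12 dst=10.20.0.5 dport=443 proto=tcp rule=fw01-r10",
]

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")   # timestamp, host, key=value fields
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one log line into a dict; None if the line is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, rest = m.groups()
    event = {"ts": ts, "host": host}
    event.update(KV_RE.findall(rest))
    return event


def check_event_fields(events):
    """Map event index to the required fields it lacks; only deficient events appear."""
    return {i: [f for f in REQUIRED_FIELDS if f not in ev]
            for i, ev in enumerate(events)
            if any(f not in ev for f in REQUIRED_FIELDS)}


def rules_with_log_evidence(sample_rule_ids, events):
    """For each sampled rule ID, True if at least one collected event cites it."""
    seen = {ev.get("rule") for ev in events}
    return {rid: rid in seen for rid in sample_rule_ids}


if __name__ == "__main__":
    print("rulebase gaps:", find_logging_gaps(RULEBASE))
    events = [parse_event(line) for line in LOG_LINES]
    print("events missing fields:", check_event_fields(events))
    print("sampled deny rules with evidence:",
          rules_with_log_evidence(["fw01-r99", "fw01-r40"], events))
```

Run against the constructed data, the rulebase check reports fw01-r40 (deny without logging) and fw01-r20 (SSH allow without logging), the field check reports the third event for lacking a rule ID, and the evidence check shows fw01-r40 has no events at all, which is exactly what an unlogged deny rule looks like in the aggregation tier.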
Where this control is tested