I have an SSG-520M that I'm going to be using to replace a pair of OpenBSD firewalls, and I'm running into some conceptual difficulties as I try to configure it.
My first question is: How do I watch traffic to see what is being dropped? For example, I have a new application and it's not talking to a server in a different zone. I don't know what ports or traffic type it uses, so I need to see what it's trying to send. On my OpenBSD firewall I could use tcpdump on the pflog0 interface to see packets that were being blocked along with the rule that was blocking them; is there an equivalent function on the SSG firewall?
I see that I could log traffic if I used a DENY policy, but since denying traffic is the default I'm primarily setting up PERMIT policies instead, so my problem is that I need to know what type of traffic to permit.