Thursday, May 7, 2020

Reviewing logs of perimeter firewalls

When designing perimeter firewall policies, it matters how we collect logs of the traffic that matches each rule. A good practice is to log all outbound traffic matched by the final "Deny All" policy, while every other rule accepts only strictly legitimate traffic. If the "Accept" policies are configured precisely, reviewing the logs of dropped outbound traffic lets us detect deviations from normal or expected behavior. Specifically, one may find internal IP addresses and ports whose traffic has been dropped, which means that the user was trying to bypass the perimeter firewall's restrictions and connect to an external IP/service.
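To make that review concrete, here is an added example (not code from the original post) that runs the check over a few constructed log lines: it keeps only denied flows from internal (RFC 1918) sources to external destinations and ranks them by how often they recur, so the most persistent egress attempts surface first. The key=value log format, rule names and addresses are assumptions for the sake of the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic key=value format (not any vendor's real format).
SAMPLE_LOGS = """\
2020-05-07T10:01:02Z action=accept rule=web-out src=10.1.2.30 dst=93.184.216.34 dport=443 proto=tcp
2020-05-07T10:01:05Z action=deny rule=deny-all-out src=10.1.2.30 dst=198.51.100.7 dport=22 proto=tcp
2020-05-07T10:01:06Z action=deny rule=deny-all-out src=10.1.2.30 dst=198.51.100.7 dport=22 proto=tcp
2020-05-07T10:01:09Z action=deny rule=deny-all-out src=10.1.2.30 dst=198.51.100.9 dport=25 proto=tcp
2020-05-07T10:02:11Z action=deny rule=deny-all-in src=203.0.113.5 dst=10.1.2.30 dport=3389 proto=tcp
2020-05-07T10:02:20Z action=deny rule=deny-all-out src=10.1.5.8 dst=192.168.9.9 dport=445 proto=tcp
malformed line with no fields
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KV_RE = re.compile(r"(\w+)=(\S+)")

def is_internal(addr: str) -> bool:
    # "Internal" here means RFC 1918; adjust to the site's own address plan.
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line: str):
    # Return the key=value fields of one line, or None when the essentials are missing.
    fields = dict(KV_RE.findall(line))
    return fields if all(k in fields for k in ("action", "src", "dst", "dport")) else None

def dropped_outbound(log_text: str) -> Counter:
    # Count denied internal->external flows keyed by (src, dst, dport, proto); inbound
    # and internal->internal denies are skipped: only uncovered egress attempts matter here.
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f["action"] != "deny":
            continue
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            hits[(f["src"], f["dst"], f["dport"], f.get("proto", "?"))] += 1
    return hits

def report(log_text: str):
    # Most-repeated denied egress flows first; each entry is a review candidate.
    return sorted(dropped_outbound(log_text).items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for (src, dst, dport, proto), n in report(SAMPLE_LOGS):
        print(f"{n:3d}x  {src} -> {dst}:{dport}/{proto}")
```

Feeding the same function the real firewall's deny logs (after adapting the parser to its format) gives the per-host list of dropped outbound connections the post suggests reviewing.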
