
Useful Scripts to Disable Logging for System Policy Rules in Forefront TMG 2010

by

Etienne Liebetrau


There are a few reasons you might want to disable logging on a specific system policy rule. The main one is to reduce the volume of logged information, which speeds up not only the import of logs but also the analysis and reporting on those logs.

You might also want to eliminate all system activity and log only pure user interactions.

A single connectivity verifier running 24x7 will generate the best part of 25 000 records per day. If you have multiple sites configured, these hits are multiplied.

System Policy Rules can therefore create a large number of log records, bloat log file size and slow reporting speeds. Keep in mind that it is all relative.

It is not possible to disable logging for system rules through the Forefront TMG Management Console GUI. If you have ever tried, you will have received the following error:

The changes cannot be saved. Error: 0xc0040334 This property cannot be modified for the predefined item. The error occurred on object "the policy name" of class "Policy Rule" in the scope of array .

You can however use a script to disable logging on system policy rules.  (Thanks Richard Hicks)

Scripts

The following scripts can all be run from the Enterprise Management Server (see Richard Hicks' article for scripts you can run directly on the arrays).

Substitute the values enclosed in double asterisks (indicated in green in the original article) with your own.

List the arrays

This is a handy starter script, since you would normally want to specify an array when making changes. This script returns the names of the arrays you need to use.

Set Root = CreateObject("FPC.Root")
Dim Array
' Print the name of every array managed by this EMS
For Each Array In Root.Arrays
    WScript.Echo Array.Name
Next

List the system rules

There are many system rules (about 60), and to turn off logging individually you need to reference them by name. Some of the names are very long. To see a list of the rules, use the following script. In this case substitute the array name with one of the names enumerated earlier. Leave the quotation marks in place.

Set Root = CreateObject("FPC.Root")
Set Array = Root.Arrays.Item("**EnterYourArrayNameHere**")
Set Rules = Array.SystemPolicy.PolicyRules
' Print the exact name of every system policy rule in this array
For Each Rule In Rules
    WScript.Echo Rule.Name
Next

Selectively turn off logging

Use the above script to retrieve all the rules. Once you have the list of rule names, you can individually disable logging for a rule with the following script.

Set Root = CreateObject("FPC.Root")
Set Array = Root.Arrays.Item("**EnterYourArrayNameHere**")
RuleName = "**Really long system policy rule name**"
' Look the rule up by name, turn its logging off and persist the change
Set Rule = Array.SystemPolicy.PolicyRules.Item(RuleName)
Rule.EnableLogging = False
Rule.Save
WScript.Echo RuleName & "  Logging disabled"

Turn all system policy logging off or on

It is also possible to disable logging for all system policy rules with the following script. This script is handy to keep around to be able to turn logging back on again for all the system policy rules. To do this you would set Rule.EnableLogging = True

Set Root = CreateObject("FPC.Root")
Set Array = Root.Arrays.Item("**EnterYourArrayNameHere**")
Set Rules = Array.SystemPolicy.PolicyRules
' Set this to True instead to turn logging back on for every system policy rule
For Each Rule In Rules
    Rule.EnableLogging = **False**
Next
' Persist the changes (the per-rule script above calls Rule.Save for the same reason)
Array.Save

Once the logging has been disabled you can verify this by checking the system policy rules from the management console. Close and reopen the console to confirm this, or press F5 and check the rule again.

A point to notice is that even if logging is disabled, you might still see additional hits for that traffic appearing on the TMG Reporter dashboard. This lasts until all existing sessions have ended and the backlog of records has been processed. Existing records already imported into TMG Reporter will not be removed.

Deciding which rules to disable

Take the conservative approach for turning off logging. If traffic is not logged it does not mean it does not happen, it just means that it is not logged for analysis or reporting. Effectively you lose visibility of that associated rule’s traffic. This is also a good reason to keep the script handy for turning logging back on again for all the system rules.

I have turned off logging on the following rules:

  • Allow all HTTP traffic from Forefront TMG to all networks (for CRL downloads)
  • Allow HTTP/HTTPS requests from Forefront TMG to selected servers for connectivity verifiers
  • Allow DNS from Forefront TMG to selected servers

Managing access rules

You might also occasionally want to enable or disable logging on normal access rules. This can of course easily be done via the GUI, but it is also possible to do it via a script. This is handy if you want to update a whole bunch of rules without manually changing each one. You can even go as far as creating a scheduled task to toggle logging on or off for a rule if you really want to.

The scripts for normal access rules are essentially the same.  The difference is that instead of specifying

set Rules = Array.SystemPolicy.PolicyRules

You simply specify the following (ArrayPolicy instead of SystemPolicy):

set Rules = Array.ArrayPolicy.PolicyRules
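As an added example (not a script from the original article), the following VBScript combines the "Selectively turn off logging" and "Managing access rules" sections into one script that takes the array name, rule set (system or array policy), rule name and desired state as command-line arguments, reports the current EnableLogging value before changing anything, and fails cleanly when the array or rule name is wrong. It assumes the same FPC.Root COM object, Item(name) lookups and EnableLogging/Save members used in the scripts above; the script file name SetRuleLogging.vbs is an assumption.

```vbscript
' Usage: cscript SetRuleLogging.vbs <ArrayName> <system|array> <RuleName> <on|off>
' Assumes FPC.Root, Arrays.Item(name), PolicyRules.Item(name), EnableLogging and Save
' behave as in the scripts above (added example, not part of the original article).
Option Explicit
Dim Root, Arr, Rules, Rule, Args, Mode, Desired

Set Args = WScript.Arguments
If Args.Count <> 4 Then
    WScript.Echo "Usage: cscript SetRuleLogging.vbs <ArrayName> <system|array> <RuleName> <on|off>"
    WScript.Quit 1
End If

Set Root = CreateObject("FPC.Root")

' Look the array up by name and stop with a clear message if it does not exist
On Error Resume Next
Set Arr = Root.Arrays.Item(Args(0))
If Err.Number <> 0 Then
    WScript.Echo "Array not found: " & Args(0) & " (error 0x" & Hex(Err.Number) & ")"
    WScript.Quit 2
End If
On Error GoTo 0

' Pick the rule collection: system policy rules or normal (array policy) access rules
Mode = LCase(Args(1))
If Mode = "system" Then
    Set Rules = Arr.SystemPolicy.PolicyRules
ElseIf Mode = "array" Then
    Set Rules = Arr.ArrayPolicy.PolicyRules
Else
    WScript.Echo "Second argument must be 'system' or 'array'"
    WScript.Quit 1
End If

On Error Resume Next
Set Rule = Rules.Item(Args(2))
If Err.Number <> 0 Then
    WScript.Echo "Rule not found in " & Mode & " policy: " & Args(2)
    WScript.Quit 3
End If
On Error GoTo 0

' Show the current state first so the change (and any loss of visibility) is explicit
Desired = (LCase(Args(3)) = "on")
WScript.Echo Rule.Name & ": logging currently " & Rule.EnableLogging
If Rule.EnableLogging = Desired Then
    WScript.Echo "No change needed."
Else
    Rule.EnableLogging = Desired
    Rule.Save    ' persist the change to the configuration storage
    WScript.Echo Rule.Name & ": logging now " & Rule.EnableLogging
End If
```

Because the rule names are passed on the command line, the same file can be reused from a scheduled task for different rules without editing it, and the "currently" line gives you a record of the previous state.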

Starting off with scripts

If you are new to scripting and you are not sure how this all fits together, don't worry, it is relatively easy.

  1. Copy the relevant script segment above and paste it into a Notepad text file.
  2. Save the file as scriptname.vbs
  3. Open a command prompt window and run the script as follows:
  4. cscript scriptname.vbs

For more information about scripting TMG and some additional sample scripts see: https://msdn.microsoft.com/en-us/library/ff827426(v=vs.85)

This article by Richard Hicks also has great information on how to disable logging on system policy rules, with some useful screenshots too. It also contains the scripts for running directly on the arrays without having to run the script from the Enterprise Management Server (EMS): Disable logging on system policy rules in Forefront TMG 2010
