Home > Forefront TMG 2010, Logging and Reporting, Performance, Threat Management Gateway > Disable Logging on System Policy Rules in Forefront TMG 2010

Disable Logging on System Policy Rules in Forefront TMG 2010

July 5, 2012

I’ve written a number of articles on improving system performance and logging optimization over the years. As I’ve mentioned previously, this involves the security administrator reviewing each access rule and deciding if the traffic is interesting enough to require logging. If it is not, to improve performance and reduce log pollution it is advisable to disable logging for the access rule in question.

However, when attempting to make this change to a system policy rule you will encounter the following error:

The changes cannot be saved.

Error: 0xc0040334

This property cannot be modified for the predefined item.

The error occurred on object <policy rule name> of class
‘Policy Rule’ in the scope of array .

Unfortunately the system policy editor provides no facility to make this change in the GUI. To work around this limitation you can use COM to disable logging on system policy rules programmatically using the following script. In this example I’ve chosen to disable logging on the Allow intra-array communication system policy rule.

Option Explicit

Dim Root, Array, Rule

Set Root = CreateObject("FPC.Root")

Set Array = Root.GetContainingArray()
Set Rule = Array.SystemPolicy.PolicyRules.Item("Allow intra-array communication")

Rule.EnableLogging = False

WScript.Echo “Done!”

Set Rule = Nothing
Set Array = Nothing
Set Root = Nothing

Note: To see this change reflected in the management console, hit F5 to refresh or close and reopen the console.

If you wish to disable logging for all system policy rules, alter the script to use a For Each Next construct as follows:

Set Rules = Array.SystemPolicy.PolicyRules

For Each Rule in Rules
Rule.EnableLogging = False