Chapter 5 Events: Logs, Traffic Streams, Reports

Firewall Block Log

The Firewall Block Log captures information about events that have triggered a firewall rule that blocks matching traffic and has logging enabled.

A log entry is generated for each of the following events.

Block web request event: occurs when the X family device blocks a web request due to web filtering.

Block event: occurs when a firewall rule with Block action is triggered.

To maintain a complete history of entries and provide a backup, you can configure the X family device to send Firewall Block Log entries to a remote syslog server from the Notification Contacts page. For details, see “Notification Contacts” on page 52.

Each log entry is tab-delimited. The log fields are populated based on the type of event being logged. If a field is not used, a tab is inserted to properly position the data in the next field.

A Firewall Block log entry contains the following fields:

Table 5–4: Firewall Block Field Descriptions

| Column | Description |
|---|---|
| Log ID | A system-assigned Log ID number |
| Date/Time | A date and time stamp in the format YYYY-MM-DD HH:MM:SS |
| Severity | Indicates the severity of the triggered filter. Possible values include: Critical, Major, Minor, and Low |
| Firewall Rule | The name of the firewall rule that was triggered. In the LSM, the firewall rule is linked to allow you to edit/view the rule that triggered the event. |
| Protocol | The name of the protocol that the action affects |
| Source Zone | The security zone where the traffic originated |
| Dst Zone | The security zone where traffic was sent |
| Source IP: Port | The source address and port where the triggering traffic originates |
| Dest IP: Port | The destination address and port of the triggering traffic |
| Category | For web requests blocked by the Web Filter Service, this represents the filter category triggered by the URL (examples: Gambling, Entertainment, or Violence) |
| URL | For web request events only, the target URL. This field is populated regardless of whether the request was filtered by the Web Filter Service |
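The following parser for entries received on a syslog collector is an added example, not code from the guide or the vendor. It assumes the fields arrive in the order of Table 5–4 and that only the trailing Category and URL tabs may be missing; the function names, rule names and sample entries are constructed for illustration.

```python
from collections import Counter
from datetime import datetime

# Assumption: fields arrive in the order of Table 5-4 (check a real entry).
FIELDS = ["log_id", "datetime", "severity", "firewall_rule", "protocol",
          "source_zone", "dst_zone", "source", "dest", "category", "url"]
REQUIRED = 9  # assumption: only trailing Category/URL tabs may be absent

def split_endpoint(value):
    """Split 'address:port' on the last colon; empty field -> (None, None)."""
    if not value:
        return None, None
    addr, sep, port = value.rpartition(":")
    if not sep or not port.isdigit():
        return value, None
    return addr, int(port)

def parse_entry(line):
    # Split on tab only. A bare split() collapses the empty placeholders
    # and shifts every later value into the wrong column.
    values = line.rstrip("\r\n").split("\t")
    if not REQUIRED <= len(values) <= len(FIELDS):
        raise ValueError(f"unexpected field count: {len(values)}")
    values += [""] * (len(FIELDS) - len(values))
    entry = {name: value.strip() or None for name, value in zip(FIELDS, values)}
    entry["datetime"] = datetime.strptime(entry["datetime"] or "", "%Y-%m-%d %H:%M:%S")
    entry["src_ip"], entry["src_port"] = split_endpoint(entry.pop("source"))
    entry["dst_ip"], entry["dst_port"] = split_endpoint(entry.pop("dest"))
    # URL is set for web request events only. It comes from the client's
    # request, so treat it as untrusted text when displaying or storing it.
    entry["event"] = "block_web_request" if entry["url"] else "block"
    return entry

def blocks_by_source(lines):
    """Count blocked events per source address, skipping malformed lines."""
    counts = Counter()
    for line in lines:
        try:
            counts[parse_entry(line)["src_ip"]] += 1
        except ValueError:
            continue
    return counts

# Constructed sample entries (documentation addresses, invented rule names).
SAMPLE = [
    "1042\t2007-03-14 09:21:07\tLow\tblock-telnet\tTCP\tLAN\tWAN\t192.0.2.10:51544\t198.51.100.7:23\t\t",
    "1043\t2007-03-14 09:22:31\tMinor\tweb-filter\tTCP\tLAN\tWAN\t192.0.2.10:51550\t203.0.113.5:80\tGambling\thttp://casino.example/play",
    "1044\t2007-03-14 09:23:02\tLow\t\tUDP\tLAN\tWAN\t192.0.2.11:5353\t198.51.100.9:53\t\t",
    "truncated entry",
]
```

The third sample entry has an empty Firewall Rule field; because the split is on tabs only, Protocol and the fields after it stay in their columns.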

 

 

102 X Family LSM User’s Guide V 2.5.1