Logs

Firewall Session Log

For firewall and web filter permit rules with logging enabled, this log captures information on session creation and termination, including the time the session started and the URL being accessed (for web requests). When a session terminates, the Firewall Session Log shows how many bytes were transferred through the session.

A log entry is generated for each of the following events if the firewall rule had logging enabled.

Web Request event: occurs when the X family device permits a web request to pass through.

Session Started event: occurs when a firewall rule is triggered.

Session Close event: occurs when the network connection is ended or closed due to inactivity.

To maintain a complete history of entries and provide a backup, you can configure the X family device to send Firewall Session Log entries to a syslog server from the Syslog Servers page. For details, see “Syslog Servers” on page 242.

Each log entry is tab-delimited. The log fields are populated based on the type of event being logged. If a field is not used, a tab is inserted to properly position the data in the next field.

A Firewall Session log entry contains the following fields:

Table 5–5: Firewall Session Log Field Descriptions

| Column | Description |
|---|---|
| Log ID | A system-assigned Log ID number. |
| Date/Time | A date and time stamp in the format YYYY-MM-DD HH:MM:SS. |
| Rule | The ID of the firewall rule triggered. |
| Protocol | The name of the protocol associated with the session in the format x(y) where: x=protocol name, y=protocol number. |
| Src Zone | Name of the source security zone for the firewall rule. |
| Dst Zone | Name of the destination security zone for the firewall rule. |
| SourceIP: Port | The source IP address and port from which the session was started. |
| DestIP: Port | The destination IP address and port that is the target of the session. |
| Category | For web requests filtered by the Web Filter Service, this represents the filter category triggered by the URL (examples: Gambling, Entertainment, or Violence). |
| URL | For web requests blocked by a web filter firewall rule with logging enabled, this field specifies the target URL. This field is populated regardless of whether the request was filtered by the Web Filter Service. |
| Session Duration(s) | For Session End events only, this field contains the duration of the session based on the session start time. The duration is displayed in the format: DD:HH:MM:SS. |
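The following Python parser is an added example, not part of the guide or the device software. It shows how a syslog collector could split these tab-delimited entries while preserving the empty fields that keep later columns in position. It assumes the columns arrive in the order Table 5–5 lists them on this page, keeps any columns after Session Duration unparsed in `extra`, and uses constructed sample entries.

```python
import re
from datetime import datetime, timedelta

# Assumption: fields appear in the order Table 5-5 lists them on this page.
FIELDS = ["log_id", "date_time", "rule", "protocol", "src_zone", "dst_zone",
          "source", "dest", "category", "url", "duration"]
PROTO_RE = re.compile(r"^(?P<name>[^()]+)\((?P<number>\d+)\)$")


def split_endpoint(value):
    """Split 'ip:port' on the last colon; an unused field gives (None, None)."""
    if not value:
        return None, None
    ip, _, port = value.rpartition(":")
    return ip, int(port)


def parse_duration(value):
    """Convert DD:HH:MM:SS into a timedelta; an unused field gives None."""
    if not value:
        return None
    days, hours, minutes, seconds = (int(p) for p in value.split(":"))
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def parse_entry(line):
    # Strip only the line ending: an unused field is an empty string between tabs.
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) < len(FIELDS):
        raise ValueError(f"expected at least {len(FIELDS)} fields, got {len(cols)}")
    rec = {k: (v.strip() or None) for k, v in zip(FIELDS, cols)}
    rec["extra"] = cols[len(FIELDS):]  # columns this page does not describe
    rec["date_time"] = datetime.strptime(rec["date_time"], "%Y-%m-%d %H:%M:%S")
    m = PROTO_RE.match(rec["protocol"] or "")
    rec["protocol"] = (m["name"], int(m["number"])) if m else None
    rec["source"] = split_endpoint(rec["source"])
    rec["dest"] = split_endpoint(rec["dest"])
    rec["duration"] = parse_duration(rec["duration"])
    return rec


# Constructed sample entries (not taken from a real device).
WEB_REQUEST = "\t".join(["1001", "2008-03-14 09:26:53", "7", "tcp(6)", "LAN", "WAN",
                         "192.0.2.10:51514", "198.51.100.20:80", "Gambling",
                         "http://example.test/play", ""])
SESSION_END = "\t".join(["1002", "2008-03-14 09:31:05", "7", "tcp(6)", "LAN", "WAN",
                         "192.0.2.10:51514", "198.51.100.20:80", "", "", "00:00:04:12"])
```

Entries with fewer columns than the table describes raise `ValueError`, so truncated or malformed syslog lines can be flagged rather than silently misaligned.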

 

 

X Family LSM User’s Guide V 2.5.1
