Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Audit and Reporting


The firewall audit service allows propagating firewall events to the Control Center for collection and analysis.

Configure Audit and Reporting

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration
  2. In the left menu, select Audit and Reporting.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.
  5. To enable the firewall dashboard, set Generate Dashboard Information to yes.
  6. To enable the firewall monitor, set Generate Monitor Information to yes.
  7. Configure the following settings:
    • Statistics for Host Firewall – Enable if you want to create statistics for the Host Firewall.
    • Generate Protocol Statistics – Enable to create protocol- and P2P-specific statistics. These statistics can be viewed in the event viewer under .../server/BOX/proto–stat/.
    • Use username if available – Enable if usernames should be used for statistics instead of IP addresses.
    • Generate Events – Enable eventing configuration.
    • Event Data – Click Edit/Show to enable or disable specific events.
    • Application Control Logging – Select which Application Control data should be logged.
    • Log Level – Select the log level. Cumulative logging allows some reduction of log file lengths and tries to avoid indirect denial of service (DoS) attacks.
    • Cumulative Interval [s] – Interval in seconds for which cumulative logging is activated for either matching or similar log entries. To enter cumulative logging, the entries need to be identical in all of the identifiers of a log entry except the source port (min: 1; max: 60; default: 1).
    • Cumulative Maximum – Maximum number of log entries within the same rule that triggers cumulative logging (default: 10).
    • Generate Audit Log – Enables Firewall Audit.
    • Audit Log Data:
      • Click Edit to configure Firewall Audit settings.
    • Enable IPFIX/Netflow – Internet Protocol Flow Information Export (IPFIX, RFC 3917) is based on NetFlow version 9. You can use this to stream the Firewall Audit logs via IPFIX:
      • Click Edit to configure the IPFIX/Netflow settings.
      • Click Edit to configure the Connection Tracing settings. 
  8. Click Send Changes and Activate.

Activation

To activate changes made to the audit and reporting configuration, you must perform a firmware restart.

  1. Go to CONTROL > Box.
  2. Expand the Operating System section.
  3. Click Firmware Restart.

All active connections will be terminated when performing a firmware restart.

Audit Events

An audit event entry consists of a CR-terminated line of ASCII characters. Each line holds 23 pipe ("|") separated values. 

Example: 1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0||4002|Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30|0|0|0|0|0|4552264444

The following table provides an explanation for each section of the audit event string:

| Column | Value | Type |
|---|---|---|
| 1 | Time | Unix seconds |
| 2 | Log Operation | Log Operations (Unknown, Allow, LocalAllow, Block, LocalBlock, Remove, LocalRemove, Drop, Terminate, LocalTerminate, Change, Operation, Startup, Configuration, Rule, State, LocalState, Process, AdminAction, Deny, LocalDeny, SecurityEvent, Sync, Fail, LocalFail, or Detect) |
| 3 | Session Type | Session Type (Forwarding, Local In, Local Out, or Loopback) |
| 4 | Input Network Device | String |
| 5 | IP Protocol | String |
| 6 | Firewall Rule | String |
| 7 | Source IP Address | IP Address |
| 8 | Source Port Number | 0–65535 |
| 9 | Destination IP Address | IP Address |
| 10 | Destination Port Number | 0–65535 |
| 11 | Service Name | String |
| 12 | Reason Code | Number |
| 13 | Reason | String |
| 14 | Bind IP Address | IP Address |
| 15 | Bind Port Number | 0–65535 |
| 16 | Connection IP Address | IP Address |
| 17 | Connection Port Number | 0–65535 |
| 18 | Output Network Device | String |
| 19 | MAC Address | 6 colon-separated hex bytes |
| 20 | # of Input Packets | Number |
| 21 | # of Output Packets | Number |
| 22 | # of Input Bytes | Number |
| 23 | # of Output Bytes | Number |
| 24 | Duration | In seconds |
| 25 | ID | Audit entry number |
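
A parser for the audit event line described above, added here as an example (it is not Barracuda's code). It follows the 25 columns listed in the table, which is also the number of fields in the sample line. The field names, the stripping of the trailing colon from the operation, and the tolerance for an empty MAC address are assumptions of this example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Field names follow the 25-column table, in order (the names are this example's own).
FIELDS = ("time", "operation", "session_type", "in_dev", "protocol", "rule",
          "src_ip", "src_port", "dst_ip", "dst_port", "service", "reason_code",
          "reason", "bind_ip", "bind_port", "conn_ip", "conn_port", "out_dev",
          "mac", "in_pkts", "out_pkts", "in_bytes", "out_bytes", "duration", "id")
IP_FIELDS = ("src_ip", "dst_ip", "bind_ip", "conn_ip")
PORT_FIELDS = ("src_port", "dst_port", "bind_port", "conn_port")
INT_FIELDS = ("reason_code", "in_pkts", "out_pkts", "in_bytes", "out_bytes",
              "duration", "id")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_audit_line(line):
    """Parse one audit event line; raise ValueError if it is malformed."""
    values = line.rstrip("\r\n").split("|")
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    ev = dict(zip(FIELDS, values))
    ev["time"] = datetime.fromtimestamp(int(ev["time"]), tz=timezone.utc)
    ev["operation"] = ev["operation"].rstrip(":")  # the sample shows "Block:"
    for name in IP_FIELDS:
        ev[name] = ipaddress.ip_address(ev[name])  # ValueError on a bad address
    for name in PORT_FIELDS:
        ev[name] = int(ev[name])
        if not 0 <= ev[name] <= 65535:
            raise ValueError(f"{name} out of range: {ev[name]}")
    for name in INT_FIELDS:
        ev[name] = int(ev[name])
    if ev["mac"] and not MAC_RE.match(ev["mac"]):  # assumption: MAC may be empty
        raise ValueError(f"bad MAC address: {ev['mac']!r}")
    return ev


# The sample line from this page, with the CR terminator the format specifies.
SAMPLE = ("1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0||"
          "4002|Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30|"
          "0|0|0|0|0|4552264444\r")

if __name__ == "__main__":
    event = parse_audit_line(SAMPLE)
    print(event["time"].isoformat(), event["operation"], event["rule"],
          event["src_ip"], "->", event["dst_ip"], event["reason"])
```

Rejecting lines with the wrong field count or out-of-range values keeps truncated or corrupted entries out of downstream analysis instead of silently shifting columns.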