Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

How to Configure Audit and Reporting

The firewall audit service allows propagating firewall audit events to the Control Center for collection and analysis.

How to Configure Audit and Reporting

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > General Firewall Configuration.
  2. In the left menu, select Audit and Reporting.
  3. Expand the Configuration Mode menu and select Switch to Advanced View.
  4. Click Lock.

Configure Statistics Policy

In the Statistics Policy section, configure the following settings:

  • Generate Dashboard Information – To enable the firewall dashboard, select yes.
  • Generate Monitor Information – To enable the firewall monitor, select yes.
  • Maximum Storage Size – Enter the maximum size of the statistics storage in megabytes [MB].
  • Statistics for Host Firewall – Enable if you want to create statistics for the Host Firewall.
  • Generate Protocol Statistics – Enable to create protocol- and P2P-specific statistics. These statistics can be viewed in the event viewer under .../BOX/proto-stat/.
  • Use username if available – Enable if usernames should be used for statistics instead of IP addresses.

Configure Eventing Policy

In the Eventing Policy section, configure the following settings:

  • Generate Events – To generate events, select yes.
  • Event Data – Click Show.../Edit... to enable or disable specific events:
    • Rule Limit Exceeded – Triggers event 'FW Rule Connection Limit Exceeded' [4016] when the allowed maximum number of connections for a rule has been exceeded.
    • Source/Rule Limit Exceeded – Triggers event 'FW Rule Connection per Source Limit Exceeded' [4018] when the allowed maximum number of connections/src for a rule has been exceeded.
    • Accept Limit Exceeded – Triggers event 'FW Pending TCP Connection Limit Reached' [4006] when the limit for 'Max Pending Accepts/Src' has been exceeded.
    • Session/Src Limit Exceeded – Triggers event 'FW Global Connection per Source Limit Exceeded' [4024] when the limit for either 'Max Local-In Sessions/Src' or 'Max. Forwarding Sessions/Src' has been exceeded.
    • UDP Limit Exceeded – Triggers event 'FW UDP Connection Limit Exceeded' [4009] when the limit for 'Max UDP (%)' has been exceeded.
    • UDP/Src Limit Exceeded – Triggers event 'FW UDP Connection per Source Limit Exceeded' [4008] when the limit for either 'Max Local-In UDP/Src' or 'Max. Forwarding UDP/Src' has been exceeded.
    • Echo Limit Exceeded – Triggers event 'FW ICMP-ECHO Connection Limit Exceeded' [4027] when the limit for 'Max Echo (%)' has been exceeded.
    • Echo/Src Limit Exceeded – Triggers event 'FW ICMP-ECHO Connection per Source Limit Exceeded' [4026] when the limit for either 'Max Local-In Echo/Src' or 'Max. Forwarding Echo/Src' has been exceeded.
    • Other Limit Exceeded – Triggers event 'FW OTHER-IP Session Limit Exceeded' [4029] when the limit for 'Max Other (%)' has been exceeded.
    • Other/Src Limit Exceeded – Triggers event 'FW OTHER-IP Connection per Source Limit Exceeded' [4028] when the limit for either 'Max Local-In Other/Src' or 'Max. Forwarding Other/Src' has been exceeded.
    • Large ICMP Packet – Triggers event 'FW Large ICMP Packet Dumped' [4012] when the service object specific limit of 'Max Ping Size' has been exceeded.
    • Oversized SYN Packet – Triggers event 'FW Oversized SYN Packet Dumped' [4010] when an oversized SYN packet has been detected and dropped.
    • Local Redirection – Triggers event 'FW Local Redirection Suppressed' [2502] when the firewall redirects traffic to itself.
    • Local Routing Loop – Triggers event 'FW Forwarding Loop Suppressed' [2500] when the firewall detects a routing loop.
    • Port Scan – Triggers event 'FW Port Scan Detected' [4000] when the 'Port Scan Threshold' has been exceeded by a particular source.
    • Flood Ping – Triggers event 'FW Flood Ping Protection Activated' [4002] when the service object specific limit of 'Min Delay' has been violated.
    • Pending Accepts Critical – Triggers event 'FW Activating Perimeter Defence (inbound mode)' [4004] when the limit for 'Inbound Threshold (%)' has been exceeded.
    • IP Spoofing – Triggers events 'FW IP Spoofing Attempt Detected' [4014] or 'FW Potential IP Spoofing Attempt' [4015]. This only applies to firewall rules where 'Source/Reverse Interface' policies have been set to 'matching'.

Configure Log Policy

In the Log Policy section, configure the following settings:

  • Application Control Logging – Select which Application Control data should be logged.
    • No-Log-Entry – No information about applications will be logged.
    • Log-Blocked-Applications – Blocked applications will be logged.
    • Log-Allowed-Applications – Allowed applications will be logged.
    • Log-All-Applications – All applications will be logged.

      Notifications for application ruleset blocks that were previously logged with type "Detect" and only carried the block information in the info text are now logged with type "Block". The following tables list the corresponding codes and reasons:

      Code   Meaning
      1000   Network Unreachable
      1001   Host Unreachable
      1002   Protocol Unreachable
      1003   Port Unreachable
      1004   Fragmentation Needed
      1005   Source Route Failed
      1006   Network Unknown
      1007   Host Unknown
      1008   Source Host Isolated
      1009   Network Access Denied
      1010   Host Access Denied
      1011   Network Unreachable for TOS
      1012   Host Unreachable for TOS
      1013   Denied by Filter
      1014   Host Precedence Violation
      1015   Host Precedence Cutoff
      1016   Connect Timeout
      1017   Accept Timeout
      1018   No Route to Host
      1019   Unknown Network Error
      1020   Routing Triangle
      1021   TTL Expired
      1022   Defragmentation Timeout
      1023   No Route To Destination
      1024   Communication Prohibited
      1025   Unknown Code 2
      1026   Address Unreachable
      1027   Port Unreachable
      1028   WANOPT Protocol Negotiation Mismatch
      1029   WANOPT Out of descriptors
      1030   WANOPT Partner protocol missing
      1031   WANOPT No VPN
      1032   Internal SSL Error
      1033   Untrusted self-signed certificate
      1034   Certificate not trusted
      1035   Certificate Revoked
      1036   Expired or not yet valid certificate
      1037   Certificate content invalid
      1038   Certificate revocation check failure
      1039   Flex connection timeout
      1040   Flex connection error
      1041   Out of Memory Fail Close

      Code   Meaning
      2000   Session Idle Timeout
      2001   Balanced Session Idle Timeout
      2002   Last ACK Timeout
      2003   Retransmission Timeout
      2004   Halfside Close Timeout
      2005   Unreachable Timeout
      2006   Connection Closed
      2007   Connection Reset by Source
      2008   Connection Reset by Destination
      2009   Connection Reset by Administrator
      2010   Allow time interval expired
      2011   Connection no Longer Allowed by Rule
      2012   Dynamic Rule Expired
      2013   Terminated due to content
      2014   Forward Destination is a Local Address
      2015   Unsyncable Session and Passive Sync Mode
      2016   Network Device no Longer Available
      2017   Dynamic Service not Allowed by Rule
      2018   Session Duration Timeout
      2019   Application Control
      2020   Unallowed Protocol Detected
      2021   IPS Policy Requested Termination
      2022   WANOPT Policy Negotiation Failed
      2023   None of the Allowed Protocols Detected
      2024   Session diverted to dynamic mesh VPN tunnel
      2025   Internal SSL Error
      2026   Self Signed Cert Found
      2027   No Issuer Found
      2028   Certificate Revoked
      2029   Certificate Validation Failed
      2030   No Local Socket Present
      2031   Out of Memory Fail Close

      Code   Meaning
      3000   Reverse Routing MAC Mismatch
      3001   Reverse Routing Interface Mismatch
      3002   Source is Multicast
      3003   Source is Broadcast
      3004   Source is an Invalid IP Class
      3005   Source is Loopback
      3006   Source is Local Address
      3007   IP Header is Incomplete
      3008   IP Header Version is Invalid
      3009   IP Header Checksum is Invalid
      3010   IP Header has Invalid IP Options
      3011   IP Header Contains Source Routing
      3012   IP Packet is Incomplete
      3013   TCP Header is Incomplete
      3014   TCP Header Checksum is Invalid
      3015   TCP Header has an Invalid Cookie
      3016   TCP Header has an Invalid SEQ Number
      3017   TCP Header has an Invalid ACK Number
      3018   TCP Header has Invalid TCP Options
      3019   TCP Header has Invalid TCP FLAGS
      3020   TCP Packet Belongs to no Active Session
      3021   UDP Header is Incomplete
      3022   UDP Header Checksum is Invalid
      3023   ICMP Header is Incomplete
      3024   ICMP Header Checksum is Invalid
      3025   ICMP Type is Invalid
      3026   ICMP Reply Without a Request
      3027   No socket for packet
      3028   Forwarding not Active
      3029   No Device for source IP address
      3030   ARP request device mismatch
      3031   ARP reply duplicate and MAC differs
      3032   Size Limit Exceeded
      3033   Rate Limit Exceeded
      3034   TTL Expired
      3035   Unknown ARP Operation
      3036   ICMP Packet Belongs to no Active Session
      3037   ICMP Packet is Ignored
      3038   ICMP Packet is Ignored by Rule Settings
      3039   High Level Protocol Header is Incomplete
      3040   High Level Protocol Header is Invalid
      3041   High Level Protocol Version is Invalid
      3042   High Level Protocol Packet is Incomplete
      3043   High Level Protocol Packet is Invalid
      3044   Source MAC Mismatch
      3045   Destination MAC Mismatch
      3046   Bridge ACL violation
      3047   ARP Burst Detected
      3048   Static bridge ARP mismatch
      3049   Change of locked ARP entry
      3050   Possible MAC Spoofing
      3051   No Nexthop Allowed on Bridge Segment
      3052   Decompression failed
      3053   Session Creation Load Exceeded
      3054   Failed to update/create qarp entry
      3055   Failed to retrieve routing information for quarantine setup
      3056   Cannot send packets between different quarantine groups
      3057   QARP device entry does not match device to be used
      3058   Drop guessed TCP RST
      3059   Invalid SYN for Established TCP Session
      3060   Received Packet Exceeds NIC MTU (Invalid TCP-Segmentation-Offload ?)
      3061   TCP Header ACK Sequence Number out of Window Size
      3062   Unsupported IPV6 header
      3063   No Ruleset loaded
      3064   Source Barp Unknown
      3065   Source and destination barp on the same device
      3066   Drop Otherhost
      3067   Firewall not active
      3068   Payload linearization failed
      3069   Reevaluation failed
      3070   Unknown fragment
      3071   Bridge Loop Detected
      3072   Interface is set to discard by RSTP

      Code   Meaning
      4000   Unknown Block Reason
      4001   Forwarding is disabled
      4002   Block by Rule
      4003   Block no Rule Match
      4004   Block by Rule Source Mismatch
      4005   Block by Rule Destination Mismatch
      4006   Block by Rule Service Mismatch
      4007   Block by Rule Time Mismatch
      4008   Block by Rule Interface Mismatch
      4009   Block Local Loop
      4010   Block by Rule ACL
      4011   Block Rule Limit Exceeded
      4012   Block Rule Source Limit Exceeded
      4013   Block Pending Session Limit Exceeded
      4014   Block Size Limit Exceeded
      4015   Block by Dynamic Rule
      4016   Block No Address Translation possible
      4017   Block Broadcast
      4018   Block Multicast
      4019   Block Source Session Limit Exceeded
      4020   Block UDP Session Limit Exceeded
      4021   Block Source UDP Session Limit Exceeded
      4022   Block Echo Session Limit Exceeded
      4023   Block Source Echo Session Limit Exceeded
      4024   Block Other Session Limit Exceeded
      4025   Block Source Other Session Limit Exceeded
      4026   Block Total Session Limit Exceeded
      4027   Block no Route to Destination
      4028   Block Invalid Protocol for Rule Action
      4029   Block Protected IP Count Exceeded Licensed Limit
      4030   Block Device not available
      4031   Block by Rule User Mismatch
      4032   Block Bridged Destination MAC Unknown
      4033   Block by Rule MAC Mismatch
      4034   Send Authentication Required
      4035   Block Invalid Local Redirection to Non Local Address
      4036   Block Invalid Redirection to Local Address
      4037   Block Slot Creation Failed
      4038   Block by Rule Quarantine Class Mismatch
      4039   Local IPv6 traffic is disabled
      4040   WANOPT Protocol Negotiation Mismatch
      4041   Block by Rule App mismatch
      4042   URL Categorization not available and policy set to fai
      4043   URL Domain Explicitly not Allowed by URL Categorizatio
      4044   URL Category not Allowed by Policy
      4045   URL Category Blocked by Policy
      4046   Block due to ATP Quarantine
      4047   Block Unauthorized ATP File Download Access
      4048   URL Categorization not available and policy set to fai
      4049   URL Category must be acknowledged by user
      4050   Custom URL domain must be acknowledged by user
      4051   URL Category must be acknowledged by supervisor
      4052   Detected Content not allowed by policy
      4053   Detected Browser Agent not allowed by policy
      4054   Untrusted self-signed certificate
      4055   Certificate not trusted
      4056   Certificate Revoked
      4057   Expired or not yet valid certificate
      4058   Certificate content invalid
      4059   Certificate revocation check failure

      Code   Meaning
      5000   Unknown Deny Reason
      5001   Deny by Rule
      5002   Deny by Rule Source Mismatch
      5003   Deny by Rule Destination Mismatch
      5004   Deny by Rule Service Mismatch
      5005   Deny by Rule Time Mismatch
      5006   Deny Local Loop
      5007   Deny by Rule ACL
      5008   Deny by Dynamic Rule
      5009   Deny No Address Translation possible

      Code   Meaning
      6000   Unknown Scan Reason
      6001   Terminate due to Pattern Detection
      6002   Pattern Detection
      6003   Application Control
      6004   Drop due to Application Control
      6005   Shape due to Application Control
      6006   Unallowed Port Protocol Detected
      6007   Reset due to Unallowed Port Protocol Detection
      6008   Drop due to Unallowed Port Protocol Detection
      6009   IPS Log
      6010   IPS Warning
      6011   IPS Alert
      6012   IPS Drop Log
      6013   IPS Drop Warning
      6014   IPS Drop Alert
      6015   Web Access
      6016   Application/Protocol Detection
      6017   Application/Protocol Warning
      6018   Application/Protocol Alert
      6019   Application/Protocol Denied
      6020   Application/Protocol Denied with Warning
      6021   Application/Protocol Denied with Alert
      6022   URL Categorization
      6023   URL Categorization Warning
      6024   URL Categorization Alert
      6025   URL Category Denied
      6026   URL Category Denied with Warning
      6027   URL Category Denied with Alert
      6028   Virus Blocked
      6029   Malicious File Blocked by Advanced Threat Protection
      6030   Virus Scan not possible - Blocked
      6031   Virus Scan not possible - Passed
      6032   Virus Scan Error - Blocked
      6033   Virus Scan Error - Passed
      6034   Malicious Content Detected in Delivered File
      6035   DNS Request for a Hostname with bad Reputation
      6036   Client access to a DNS Sinkhole Address
      6037   Client access to a Hostname with bad Reputation

      Code   Meaning
      7000   Unknown Block Reason
      7001   Forwarding is disabled
      7002   Block by Rule
      7003   Block no Rule Match
      7004   Block by Rule Source Mismatch
      7005   Block by Rule Destination Mismatch
      7006   Block by Rule Service Mismatch
      7007   Block by Rule Time Mismatch
      7008   Block by Rule Interface Mismatch
      7009   Block Local Loop
      7010   Block by Rule ACL
      7011   Block Rule Limit Exceeded
      7012   Block Rule Source Limit Exceeded
      7013   Block Pending Session Limit Exceeded
      7014   Block Size Limit Exceeded
      7015   Block by Dynamic Rule
      7016   Block No Address Translation possible
      7017   Block Broadcast
      7018   Block Multicast
      7019   Block Source Session Limit Exceeded
      7020   Block UDP Session Limit Exceeded
      7021   Block Source UDP Session Limit Exceeded
      7022   Block Echo Session Limit Exceeded
      7023   Block Source Echo Session Limit Exceeded
      7024   Block Other Session Limit Exceeded
      7025   Block Source Other Session Limit Exceeded
      7026   Block Total Session Limit Exceeded
      7027   Block no Route to Destination
      7028   Block Invalid Protocol for Rule Action
      7029   Block Protected IP Count Exceeded Licensed Limit
      7030   Block Device not available
      7031   Block by Rule User Mismatch
      7032   Block Bridged Destination MAC Unknown
      7033   Block by Rule MAC Mismatch
      7034   Send Authentication Required
      7035   Block Invalid Local Redirection to Non Local Address
      7036   Block Invalid Redirection to Local Address
      7037   Block Slot Creation Failed
      7038   Block by Rule Quarantine Class Mismatch
      7039   Local IPv6 traffic is disabled
      7040   WANOPT Protocol Negotiation Mismatch
      7041   Block by Rule App mismatch
      7042   URL Categorization not available and policy set to fai
      7043   URL Domain Explicitly not Allowed by URL Categorizatio
      7044   URL Category not Allowed by Policy
      7045   URL Category Blocked by Policy
      7046   Block due to ATP Quarantine
      7047   Block Unauthorized ATP File Download Access
      7048   URL Categorization not available and policy set to fai
      7049   URL Category must be acknowledged by user
      7050   Custom URL domain must be acknowledged by user
      7051   URL Category must be acknowledged by supervisor
      7052   Detected Content not allowed by policy
      7053   Detected Browser Agent not allowed by policy
      7054   Untrusted self-signed certificate
      7055   Certificate not trusted
      7056   Certificate Revoked
      7057   Expired or not yet valid certificate
      7058   Certificate content invalid
      7059   Certificate revocation check failure
  • Activity Log Mode
    • Log-Pipe-Separated-Value-List – Select this option if you require value-based log entries separated by a pipe symbol, e.g.

      2018 01 30 08:14:47 Info +00:00 Detect: IPRX|TCP|eth0|10.17.33.202|29289|00:00:00:00:00:00|74.208.236.242|80||eth0||0|10.17.33.201|74.208.236.242|0|1|0|0|0|0|user15|HTTP direct|Web browsing|www.noiseaddicts.com||Social Networking

    • Log-Pipe-Separated-Key-Value-List – Select this option if you require key-value pairs of log entries separated by a pipe symbol, e.g.

      2018 01 30 13:12:21 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|dstPort=54915|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=
  • Activity Log Data
    • Log-Info-Code – In "Log-Info-Code" mode, the additional information is written as a number, e.g.

      2018 01 30 12:58:09 Info +00:00 Detect: FWD|TCP|eth0|10.17.33.202|44973|00:00:00:00:00:00|74.208.236.242|80||eth0||4045|10.17.33.201|74.208.236.242|0|1|0|0|0|0|user11|HTTP direct|Web browsing|www.noiseaddicts.com||Social Networking (46)

    • Log-Info-Text – In "Log-Info-Text" mode, the additional information is written as full text, e.g.

      IPRX|TCP|eth0|10.17.33.202|57037|00:00:00:00:00:00|31.13.84.36|443||eth0||URL Category Blocked by Policy|10.17.33.201|31.13.84.36|0|1|0|0|0|0|user2|HTTPS direct|Facebook Base|facebook.com||Social Networking (46)

      The logd daemon automatically translates numbers to text, so Firewall Admin (formerly NGadmin) also shows the reason text in "Log-Info-Code" mode.
  • Activity Log Information – Click Set.../Edit to enable or disable specific activities:

    • Allowed Sessions (Fwd) – Log each newly established forwarding session.

    • Allowed Sessions (Local) – Log local traffic, e.g., HTTP proxy or DNS.

    • Protocol Detection (Fwd) – Log protocol detection for each newly established forwarding session.

    • Protocol Detection (Local) – Log protocol detection for each newly established local session, e.g., HTTP proxy or DNS.

    • Failed Sessions (Fwd) – Log each allowed request that failed to be established.

    • Failed Sessions (Local) – Log local traffic.

    • Session Termination (Fwd) – Log each finished forwarding session.

    • Session Termination (Local) – Log finished local sessions.

    • Blocked Sessions (Fwd) – Log each blocked forward session request. This is relevant for auditing.

    • Blocked Sessions (Local) – Log blocked local traffic.

    • Dropped Packets – Log each silently dropped packet.

    • Invalid ARPs – Log each invalid ARP request.

      "Session Termination (Fwd)", "Session Termination (Local)", "Dropped Packets" and "Invalid ARPs" are disabled by default!
  • Log Level – Select the log level. Cumulative logging reduces log file length and helps to avoid indirect denial of service (DoS) attacks through log flooding.
  • Cumulative Interval [s] – Interval in seconds during which cumulative logging is applied to matching or similar log entries. To be combined into a cumulative entry, log entries must be identical in all identifiers except the source port (min: 1; max: 60; default: 1).
  • Cumulative Maximum – Maximum number of log entries for the same rule before cumulative logging is triggered (default: 10).
  • Generate Audit Log – Enables Firewall Audit.
    An audit event entry consists of a CR-terminated line of ASCII characters. Each line holds 23 pipe ("|") separated values. The values can be formatted as a pipe-separated-value-list or as a pipe-separated-key-value-pair-list.

    Example: 1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0||4002|Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30|0|0|0|0|0|4552264444

    Column   Value                    Type
    1        Time                     Unix seconds
    2        Log Operation            One of: Unknown, Allow, LocalAllow, Block, LocalBlock, Remove, LocalRemove, Drop, Terminate, LocalTerminate, Change, Operation, Startup, Configuration, Rule, State, LocalState, Process, AdminAction, Deny, LocalDeny, SecurityEvent, Sync, Fail, or LocalFail
    3        Session Type             One of: Forwarding, Local In, Local Out, or Loopback
    4        Input Network Device     String
    5        IP Protocol              String
    6        Firewall Rule            String
    7        Source IP Address        IP address
    8        Source Port              Number (0–65535)
    9        Destination IP Address   IP address
    10       Destination Port         Number (0–65535)
    11       Service Name             String
    12       Reason Code              Number
    13       Reason                   String
    14       Bind IP Address          IP address
    15       Bind Port                Number (0–65535)
    16       Connection IP Address    IP address
    17       Connection Port          Number (0–65535)
    18       Output Network Device    String
    19       MAC Address              6 colon-separated hex bytes
    20       # of Input Packets       Number
    21       # of Output Packets      Number
    22       # of Input Bytes         Number
    23       # of Output Bytes        Number
    24       Duration                 In seconds
    25       ID                       Audit entry number
  • Audit Log Data – Click Set.../Edit to configure Firewall Audit settings:
    • Audit Delivery – Select how audit log data is stored or transferred:
      • Local-DB – Store audit data within a local sqlite3 DB.
      • Forward-Only – Forward natively to an audit collector service.
      • Local-DB-And-Forward – The combination of both.
      • Send-IPFIX – Hand off data to a separate IPFIX exporter.
      • Forward-and-Send-IPFIX – Forward to an audit collector service and also send data to an IPFIX exporter.
      • Regular-Log-File – Plain ASCII-based log file.
      • Syslog-Proxy – Generate syslog messages.
      • Executable – Feed the data to a custom executable on stdin.
      • Send-UDP-Packet – Send via a plain UDP stream.
    • Executable – Enter the path of the executable file the data is sent to.
    • Send to IP Address – Enter the IP address of the audit service the data is sent to.
    • Send to Port – Enter the port the data is sent to. If not specified, port 680 is used.
    • Use Source IP Address [Optional] – Enter the source IP address. If not specified, the management IP / Virtual IP address is used.
    • Transport Mode – Select whether transported data should be encrypted or not.
    • Report User Name – Optionally include the username in the session information, if available.
    • Allowed Sessions (Fwd) – Create a record for each newly established forwarding session. This is relevant for auditing.
    • Allowed Sessions (Local) – Same for local traffic, e.g., HTTP proxy or DNS.
    • Protocol Detection (Fwd) – Enable protocol detection for each newly established forwarding session.
    • Protocol Detection (Local) – Enable protocol detection for each newly established local session, e.g., HTTP proxy or DNS.
    • Failed Sessions (Fwd) – Create an entry for each allowed request that failed to be established. This is relevant for troubleshooting.
    • Failed Sessions (Local) – Same for local traffic.
    • Session Termination (Fwd) – Create a record on session removal for each finished forwarding session.
    • Session Termination (Local) – Create a record on session removal for each finished local session.
    • Blocked Sessions (Fwd) – Create a record for each blocked forward session request. This is relevant for auditing.
    • Blocked Sessions (Local) – Create a record for each blocked local session request. This is relevant for auditing.
    • Dropped Packets – Create an entry for each silently dropped packet.
    • Invalid ARPs – Create an entry for each invalid ARP request.
    • After Number of Days – Number of days until log file entries will be purged.
    • [Optional] Exceeding MBytes – Enter the maximum size of log files in MB until purging starts.
    • [Optional] Move Files to Directory – Specify the directory where purged log data is moved to.
    • [Optional] Restore Files from Directory – If required, specify the directory from which previously purged log data is restored.
    • Forward Buffer [Messages] – Number of messages that can be buffered when forwarding.
    • Forward Buffer [KBytes] – Number of KBytes that can be buffered when forwarding.
    • ACPF Allowed Msg Buffer [Bytes] – Number of ACPF buffered bytes for allow messages.
    • ACPF Blocked Msg Buffer [Bytes] – Number of ACPF buffered bytes for block messages.
    • ACPF Dropped Msg Buffer [Bytes] – Number of ACPF buffered bytes for drop messages.
  • Log ICMP Packets

    • Log-All – Log all ICMP packets except type ECHO.
    • Log-Unexpected – Log all ICMP packets except ECHO and UNREACHABLE.
    • Log-None – Disable ICMP logging.
  • Allow Threat Log Processing – Allow other processes to access threat log information for further processing.
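The following is an added example, not code from the Barracuda documentation or product: a Python parser for the two formats described above, the pipe-separated audit entry (one value per column of the audit table) and the Log-Pipe-Separated-Key-Value-List activity line. It checks each audit column against its documented type and flags a reason text that does not agree with its reason code. The field names, the AuditFormatError class, the reason-code subset and the shortened sample lines are assumptions made for this example.

```python
"""Parsers for two formats documented on this page: the 25-column pipe-separated
firewall audit entry, and the pipe-separated key-value activity log line."""
import re

# Audit entry columns, in the order of the column table above (names assumed).
AUDIT_COLUMNS = [
    "time", "log_operation", "session_type", "input_device", "ip_protocol",
    "rule", "src_ip", "src_port", "dst_ip", "dst_port", "service",
    "reason_code", "reason", "bind_ip", "bind_port", "conn_ip", "conn_port",
    "output_device", "mac", "in_packets", "out_packets", "in_bytes",
    "out_bytes", "duration", "id",
]
LOG_OPERATIONS = {
    "Unknown", "Allow", "LocalAllow", "Block", "LocalBlock", "Remove",
    "LocalRemove", "Drop", "Terminate", "LocalTerminate", "Change", "Operation",
    "Startup", "Configuration", "Rule", "State", "LocalState", "Process",
    "AdminAction", "Deny", "LocalDeny", "SecurityEvent", "Sync", "Fail", "LocalFail",
}
# Small subset of the reason-code tables on this page, used to cross-check column 13.
REASON_CODES = {1000: "Network Unreachable", 2006: "Connection Closed",
                3000: "Reverse Routing MAC Mismatch", 4002: "Block by Rule",
                4045: "URL Category Blocked by Policy", 5001: "Deny by Rule"}
NUMBER_FIELDS = ("time", "reason_code", "in_packets", "out_packets",
                 "in_bytes", "out_bytes", "duration", "id")
PORT_FIELDS = ("src_port", "dst_port", "bind_port", "conn_port")
IP_FIELDS = ("src_ip", "dst_ip", "bind_ip", "conn_ip")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4_RE = re.compile(rf"^(?:{OCTET}\.){{3}}{OCTET}$")


class AuditFormatError(ValueError):
    """The line does not match the documented layout."""


def parse_audit_entry(line: str) -> dict:
    """Split one audit entry into named, type-checked fields."""
    fields = line.rstrip("\r\n").split("|")
    if len(fields) != len(AUDIT_COLUMNS):
        raise AuditFormatError(f"expected {len(AUDIT_COLUMNS)} columns, got {len(fields)}")
    rec = dict(zip(AUDIT_COLUMNS, fields))
    # Column 2 carries a trailing ':' in the documented sample ("Block:").
    rec["log_operation"] = rec["log_operation"].rstrip(":")
    if rec["log_operation"] not in LOG_OPERATIONS:
        raise AuditFormatError(f"unknown log operation {rec['log_operation']!r}")
    for name in NUMBER_FIELDS + PORT_FIELDS:  # Number, Unix seconds, 0-65535
        if not rec[name].isdigit():
            raise AuditFormatError(f"{name}: expected a number, got {rec[name]!r}")
        rec[name] = int(rec[name])
        if name in PORT_FIELDS and rec[name] > 65535:
            raise AuditFormatError(f"{name}: port out of range 0-65535: {rec[name]}")
    for name in IP_FIELDS:  # empty is allowed; anything else must be IPv4
        if rec[name] and not IPV4_RE.match(rec[name]):
            raise AuditFormatError(f"{name}: not an IPv4 address: {rec[name]!r}")
    if rec["mac"] and not MAC_RE.match(rec["mac"]):
        raise AuditFormatError(f"mac: expected 6 colon-separated hex bytes: {rec['mac']!r}")
    # Column 13 should be the text for column 12; flag a mismatch rather than trust it.
    expected = REASON_CODES.get(rec["reason_code"])
    rec["reason_consistent"] = expected is None or expected == rec["reason"]
    return rec


def parse_activity_kv(line: str) -> dict:
    """Parse a Log-Pipe-Separated-Key-Value-List line; the payload is self-describing."""
    header, sep, payload = line.partition(": ")
    tokens = header.split()  # date(3) time level tz operation
    if not sep or len(tokens) != 7:
        raise AuditFormatError("header does not match 'YYYY MM DD hh:mm:ss level tz Op:'")
    rec = {"timestamp": " ".join(tokens[:4]), "level": tokens[4],
           "tz": tokens[5], "operation": tokens[6]}
    for item in payload.split("|"):
        key, eq, value = item.partition("=")
        if not eq:
            raise AuditFormatError(f"not a key=value item: {item!r}")
        rec[key] = value  # empty values such as 'dstService=' are kept as ''
    return rec


# Audit sample from the page; a constructed variant whose reason text does not
# match its code; and a shortened copy of the page's key-value activity sample.
SAMPLE_AUDIT = ("1129102500|Block:|FWD|eth0|ICMP|BLOCKALL|10.0.3.80|0|10.0.3.73|0||4002|"
                "Block by Rule|0.0.0.0|0|0.0.0.0|0||00:07:e9:09:04:30|0|0|0|0|0|4552264444")
MISMATCHED_AUDIT = SAMPLE_AUDIT.replace("|Block by Rule|", "|Block no Rule Match|")
SAMPLE_ACTIVITY = ("2018 01 30 13:12:21 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|"
                   "srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|"
                   "dstPort=54915|dstService=|rule=BLOCKALL|info=Block by Rule|user=")
```

A collector that ingests the value-list format must hard-code column positions, whereas the key-value format lets it pick fields by name; either way, validating types and the code/text pairing before indexing catches truncated or altered records early.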

Configure IPFIX Streaming

In the IPFIX Streaming section, configure the following settings:

  • Enable IPFIX/Netflow – Internet Protocol Flow Information Export (IPFIX, RFC 3917) is based on NetFlow version 9. You can use this to stream the Firewall Audit logs via IPFIX.
  • Enable intermediate reports – Select yes to enable sending of intermediate reports with delta counters.
  • IPFIX reporting interval [m] – Use the IPFIX reporting interval [m] option to determine how often intermediate reports are sent.
  • IPFIX Template – If set to Extended, additional information, such as delta counters, is included in the IPFIX export.
    If your collector does not support reverse flows, select Uniflow templates; these templates duplicate the traffic towards the collector.
  • Collectors – Click + to add collectors.

Configure Connection Tracing

  • Click Set.../Edit to configure the Connection Tracing settings.
    • Data Limit [kB] – Maximum number of bytes of a traced connection (max. 4096 kB).
    • File Limit – Maximum number of traced connections (max. 1024).

Activation

To activate changes made to the audit and reporting configuration, you must perform a firmware restart.

  1. Click Send Changes and Activate.
  2. Go to CONTROL > Box.
  3. Expand the Operating System section.
  4. Click Firmware Restart.

All active connections will be terminated when performing a firmware restart.