Barracuda CloudGen Firewall

This Firmware Version Is End-Of-Support

Documentation for this product is no longer updated. Please see End-of-Support for CloudGen Firewall Firmware for further information on our EoS policy.

Firewall Activity Log

The firewall writes its activity log entries to the file /phion0/logs/box_Firewall_Activity.log. For example:

2018 01 30 13:12:21 Security +01:00 Block: type=FWD|proto=UDP|srcIF=eth0|srcIP=10.17.34.12|srcPort=54915|srcMAC=18:db:f2:13:ca:9c|dstIP=10.17.34.255|dstPort=54915|dstService=|dstIF=|rule=BLOCKALL|info=Block by Rule|srcNAT=0.0.0.0|dstNAT=0.0.0.0|duration=0|count=1|receivedBytes=0|sentBytes=0|receivedPackets=0|sentPackets=0|user=|protocol=|application=|target=|content=|urlcat=

Structure of Log Entry Components

A log entry in the firewall's activity log consists of several key-value pairs separated by a '|' character. Each entry starts with a timestamp, followed by the keys listed below. As seen in the example above, which key-value pairs carry data depends on the quality of the information processed by the firewall:

| Key | Sub-key | Description |
|---|---|---|
| Type | | Information about the type of log entry, e.g. Security or Info. |
| Action | | Information about the action taken according to the firewall ruleset configuration. |
| type | (any of the sub-keys below) | Information about the origin type of traffic and ruleset used. Any value in the following rows with a sub-key attribute can apply. |
| | LIN | Local In. The incoming traffic on the host firewall. |
| | LOUT | Local Out. The outgoing traffic from the host firewall. |
| | LB | Loopback. The traffic via the loopback interface. |
| | FWD | Forwarding. The outbound traffic via the forwarding firewall. |
| | IFWD | Inbound Forwarding. The inbound traffic to the firewall. |
| | PRX | Proxy. The outbound traffic via the proxy. |
| | IPRX | Inbound Proxy. The inbound traffic via the proxy. |
| | TAP | Transparent Application Proxying. The traffic via stream forwarding. |
| | LRD | Local Redirect. Redirected traffic configured in the forwarding ruleset. |
| proto | | The protocol that was used. For example, TCP, UDP, or ICMP. |
| srcIF | | The source network interface of the session. |
| srcIP | | The source IP address of the session. |
| srcPort | | The source port of the session. |
| srcMAC | | The MAC address of the session's source network interface. |
| dstIP | | The destination IP address of the session. |
| dstPort | | The destination port of the session. |
| dstService | | The destination service of the session. |
| dstIF | | The destination network interface of the session. |
| rule | | The name of the firewall rule processing the session. |
| info | | Operational information for the session. |
| srcNAT | | Source NAT address of the session. |
| dstNAT | | Destination NAT address of the session. |
| duration | | Duration of the session. |
| count | | Number of sessions processed. |
| receivedBytes | | Received traffic of a session in bytes. |
| sentBytes | | Sent traffic of a session in bytes. |
| receivedPackets | | Received traffic of a session in packets. |
| sentPackets | | Sent traffic of a session in packets. |
| user | | The name of the user, if the session was handled by a firewall rule that requires authentication. |
| protocol | | The protocol of a session. For example, TCP, UDP, or ICMP. |
| application | | The application context of a session. |
| target | | The application target. |
| content | | The application content. |
| urlcat | | The URL category the session belongs to. |

Data Types with Data Examples

The following tables show the Field identifier followed by the data Example. The row Format indicates the low-level data type used for processing the information. Note that in the final log entry, not all of the following keys have data assigned to them:

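| Field | type | proto | srcIF | srcIP | srcPort | srcMAC | dstIP |
|---|---|---|---|---|---|---|---|
| Format | String | String | String | IPv4/IPv6 address | Number | : separated bytes | IPv4/IPv6 address |
| Example | FWD | UDP | eth0 | 10.0.1.1 | 54915 | 18:db:f2:13:ca:9c | 10.0.10.1 |

| Field (cont.) | dstPort | dstService | dstIF | rule | info | srcNAT | dstNAT |
|---|---|---|---|---|---|---|---|
| Format | Number | String | String | String | String | IPv4/IPv6 address | IPv4/IPv6 address |
| Example | 54915 | netbios-dgm | eth2 | BLOCKALL | Block by Rule | 0.0.0.0 | 0.0.0.0 |

| Field (cont.) | duration | count | receivedBytes | sentBytes | receivedPackets | sentPackets |
|---|---|---|---|---|---|---|
| Format | Number | Number | Number | Number | Number | Number |
| Example | 0 | 0 | 0 | 0 | 0 | 0 |

| Field (cont.) | user | protocol | application | target | content | urlcat |
|---|---|---|---|---|---|---|
| Format | String | String | String | String | String | String |
| Example | user1234 | HTTP | Web Browsing | 10.17.18.19 | String | Uncategorized |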