Barracuda CloudGen Firewall

How to Enable Filebeat Stream to a Logstash Pipeline


The Barracuda CloudGen Firewall allows you to stream event logs from Firewall Insights to a Logstash server, which provides information on firewall activity, threat logs, and information related to network, version, and location of managed firewall units. To receive Filebeat data streams through the Logstash pipeline, enable debugging and syslog streaming, and configure the firewall to send data to a Logstash server.

Enable Debugging on the Firewall

  • By adding BRSDEBUG = y to /opt/phion/config/active/bsyslog.conf, all messages are dumped to /var/phion/logs/box_FirewallInsights_brsd.log before they are forwarded.
  • By adding BRSVERIFYCERT = n to /opt/phion/config/active/bsyslog.conf, all TLS certificate checks are disabled.

Enable Stream to Logstash Pipeline

  1. Go to CONFIGURATION > Configuration Tree > Box > Infrastructure Services > Syslog Streaming.
  2. In the Configuration menu on the left, select Firewall Insights.
  3. Expand the Configuration Mode menu and select Switch to Advanced.
  4. Click Lock.
  5. Enable the service and select Use Generic Logstash.
  6. Enter the IP address or host name that points to your Logstash pipeline.
  7. Click Send Changes and Activate.

Default Logstash Configuration File

To receive and forward all events through your Logstash pipeline, use the following configuration. Make sure the private key is in PKCS#8 format.

Logstash configuration for the Filebeat stream: /log/logstash-cgf.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/cert.pem"
    ssl_key => "/etc/ssl/key.pkcs8"
  }
}
filter {
  json {
    source => "message"
    target => "message"
  }
}
output {
  stdout { codec => rubydebug }
}
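The default configuration above accepts any TLS client and prints every event to stdout. The following variant is an added example (not Barracuda's or Elastic's shipped configuration) that additionally requires the firewall to present a client certificate, converts each message type's own timestamp encoding into @timestamp, and routes events by type; the CA path, Elasticsearch host and index names are assumed placeholders.

```logstash
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/cert.pem"
    ssl_key => "/etc/ssl/key.pkcs8"
    # Only accept senders whose client certificate chains to this CA
    # (assumed path); without it any TLS client can push events.
    ssl_certificate_authorities => ["/etc/ssl/cgf-ca.pem"]
    ssl_verify_mode => "force_peer"
  }
}
filter {
  json {
    source => "message"
    target => "message"
  }
  # The message types use different timestamp encodings (see the field tables):
  # ngfw-act = seconds, ngfw-wf = milliseconds, ngfw-threat = ISO 8601.
  if [type] == "ngfw-act" {
    date { match => ["[message][timestamp]", "UNIX"] }
  } else if [type] == "ngfw-wf" {
    date { match => ["[message][timestamp]", "UNIX_MS"] }
  } else if [type] == "ngfw-threat" {
    date { match => ["[message][timestamp]", "ISO8601"] }
  }
}
output {
  # Assumed Elasticsearch host and index naming; threat hits get their own
  # index so alerting rules can watch a small, high-signal stream.
  if [type] == "ngfw-threat" {
    elasticsearch {
      hosts => ["https://elastic.example.internal:9200"]
      index => "cgf-threat-%{+YYYY.MM.dd}"
    }
  } else {
    elasticsearch {
      hosts => ["https://elastic.example.internal:9200"]
      index => "cgf-%{[type]}-%{+YYYY.MM.dd}"
    }
  }
}
```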

Firewall Activity Messages

(for Firewall Insights, type = ngfw-act)

JSON Fields

| Field Name | Description | Datatype | Optional | Null Value |
|---|---|---|---|---|
| timestamp | Time stamp in seconds since epoch | int | no | - |
| version | Message format version. Currently 1. | int | no | - |
| action | Firewall action: "App" = application has been detected (see apps field); "AppBlock" = application has been blocked (see apps field); "Inter" = intermediate report, which is sent every 60s; "End" = session has been terminated | string | no | - |
| duration | Duration of the session in milliseconds | int | no | - |
| src_iface | Source interface name (e.g. "eth0") | string | yes | key is not in JSON |
| src_ip | Source IP | string | no | - |
| src_port | Source port, or session identifier for protocols without ports (e.g. ICMP) | int | yes | key is not in JSON |
| src_mac | Source MAC address | string | yes | "00:00:00:00:00:00" |
| dst_iface | Destination interface name | string | yes | key is not in JSON |
| dst_ip | Destination IP | string | no | - |
| dst_port | Destination port, or session identifier for protocols without ports (e.g. ICMP) | int | yes | key is not in JSON |
| dst_mac | Destination MAC address | string | yes | "00:00:00:00:00:00" |
| fw_rule | Firewall rule name | string | yes | key is not in JSON |
| app_rule | Application rule name (e.g. "<App>:ALL-APPS") | string | yes | key is not in JSON |
| fw_info | Detailed information about the action performed by the firewall, as a reason code. There are 7 categories; the codes are listed under "fw_info reason codes" after this table. | int | no | - |
| src_ip_nat | Source IP after NAT | string | yes | "0.0.0.0" |
| dst_ip_nat | Destination IP after NAT | string | yes | "0.0.0.0" |
| fwd_bytes | Number of bytes sent in the session's forward direction | int | yes | key is not in JSON |
| rev_bytes | Number of bytes sent in the session's reverse direction | int | yes | key is not in JSON |
| fwd_packets | Number of packets sent in the session's forward direction | int | yes | key is not in JSON |
| rev_packets | Number of packets sent in the session's reverse direction | int | yes | key is not in JSON |
| user | Username | string | yes | key is not in JSON |
| tunnel | Tunnel name | string | yes | key is not in JSON |
| ip_proto | Numeric IP protocol ID (see https://en.wikipedia.org/wiki/List_of_IP_protocol_numbers) | int | no | - |
| protos | Detected application protocols, from most specific to least specific (e.g. ["HTTPS direct", "HTTPS", "All HTTP protocols"]) | array of strings | yes | key is not in JSON |
| contents | Detected content types, from most specific to least specific (e.g. ["HTML", "Web Files"]) | array of strings | yes | key is not in JSON |
| host | FUTURE FIELD | - | - | - |
| referrer | FUTURE FIELD | - | - | - |
| url_cat | FUTURE FIELD | - | - | - |
| agent | FUTURE FIELD | - | - | - |

fw_info reason codes (7 categories)

Generic/Normal Operation (0 - 999)

ACPF_REASON_NORMAL_OP 0
ACPF_REASON_NEW_REQUEST 1
ACPF_REASON_MAC_CHANGED 2
ACPF_REASON_ARP_DUPLICATE 3
ACPF_REASON_SYNC 4
ACPF_REASON_REEVALUATE 5
ACPF_REASON_APP_ALLOW 6
ACPF_REASON_CONTENT_ALLOW 7
ACPF_REASON_CONTENT_WARN 8

Failed (1000 - 1999)

ACPF_REASON_FAIL_ICMP_BASE 1000
ACPF_REASON_FAIL_UNREACHABLE_NET 1000
ACPF_REASON_FAIL_UNREACHABLE_HOST 1001
ACPF_REASON_FAIL_UNREACHABLE_PROTO 1002
ACPF_REASON_FAIL_UNREACHABLE_PORT 1003
ACPF_REASON_FAIL_UNREACHABLE_FRAG 1004
ACPF_REASON_FAIL_UNREACHABLE_SR 1005
ACPF_REASON_FAIL_UNREACHABLE_NO_NET 1006
ACPF_REASON_FAIL_UNREACHABLE_NO_HOST 1007
ACPF_REASON_FAIL_UNREACHABLE_ISOLATED 1008
ACPF_REASON_FAIL_UNREACHABLE_NET_DENY 1009
ACPF_REASON_FAIL_UNREACHABLE_HOST_DENY 1010
ACPF_REASON_FAIL_UNREACHABLE_TOS_NET 1011
ACPF_REASON_FAIL_UNREACHABLE_TOS_HOST 1012
ACPF_REASON_FAIL_UNREACHABLE_FILTER 1013
ACPF_REASON_FAIL_UNREACHABLE_PRECEDENCE1 1014
ACPF_REASON_FAIL_UNREACHABLE_PRECEDENCE2 1015
ACPF_REASON_FAIL_TIMEOUT_CONNECT 1016
ACPF_REASON_FAIL_TIMEOUT_ACCEPT 1017
ACPF_REASON_FAIL_NO_ROUTE 1018
ACPF_REASON_FAIL_UNKNOWN 1019
ACPF_REASON_FAIL_ROUTE_TRIANGLE 1020
ACPF_REASON_FAIL_TTL_EXPIRED 1021
ACPF_REASON_FAIL_FRAGTIME 1022
ACPF6_REASON_FAIL_ICMPV6_BASE 1023
ACPF6_REASON_FAIL_NO_ROUTE_TO_DEST 1023
ACPF6_REASON_FAIL_COMM_PROHIBITED 1024
ACPF6_REASON_FAIL_UNKNOWN_2 1025
ACPF6_REASON_FAIL_ADDRESS_UNREACHABLE 1026
ACPF6_REASON_FAIL_PORT_UNREACHABLE 1027
ACPF_REASON_FAIL_WANOPT_MISMATCH 1028
ACPF_REASON_FAIL_WANOPT_OUT_OF_DESC 1029
ACPF_REASON_FAIL_WANOPT_PARTNER_WPROTO_MISSING 1030
ACPF_REASON_FAIL_WANOPT_NO_VPN 1031
ACPF_REASON_FAIL_SSL_ERROR 1032
ACPF_REASON_FAIL_SSL_SELF 1033
ACPF_REASON_FAIL_SSL_ISSUER 1034
ACPF_REASON_FAIL_SSL_REVOKED 1035
ACPF_REASON_FAIL_SSL_EXPIRED 1036
ACPF_REASON_FAIL_SSL_INVALID 1037
ACPF_REASON_FAIL_SSL_REV_FAILED 1038
ACPF_REASON_FAIL_FLEX_TIMEOUT 1039
ACPF_REASON_FAIL_FLEX_ERROR 1040
ACPF_REASON_FAIL_MEM_FAIL_CLOSE 1041

Terminated (2000 - 2999)

ACPF_REASON_TERM_TIMEOUT_SESSION 2000
ACPF_REASON_TERM_TIMEOUT_BALANCED 2001
ACPF_REASON_TERM_TIMEOUT_LASTACK 2002
ACPF_REASON_TERM_TIMEOUT_RETRANS 2003
ACPF_REASON_TERM_TIMEOUT_HALFSIDE 2004
ACPF_REASON_TERM_TIMEOUT_UNREACHABLE 2005
ACPF_REASON_TERM_CONN_CLOSE 2006
ACPF_REASON_TERM_CONN_RESET_SRC 2007
ACPF_REASON_TERM_CONN_RESET_DST 2008
ACPF_REASON_TERM_ADMIN_TERMINATE 2009
ACPF_REASON_TERM_TIME_MISMATCH 2010
ACPF_REASON_TERM_RULE_BLOCK 2011
ACPF_REASON_TERM_DYN_RULE_EXPIRED 2012
ACPF_REASON_TERM_CONTENT 2013
ACPF_REASON_TERM_IS_LOCAL 2014
ACPF_REASON_TERM_PASSIVE_SYNC 2015
ACPF_REASON_TERM_DEVICE_DOWN 2016
ACPF_REASON_TERM_DYN_SERVICE 2017
ACPF_REASON_TERM_DURATION 2018
ACPF_REASON_TERM_P2P 2019
ACPF_REASON_TERM_PROTO_DETECT 2020
ACPF_REASON_TERM_IPS_DETECT 2021
ACPF_REASON_TERM_WANOPT_FAIL 2022
ACPF_REASON_TERM_PROTO_DETECT_UNKNOWN 2023
ACPF_REASON_TERM_DYNAMIC_MESH 2024
ACPF_REASON_TERM_SSL_ERROR 2025
ACPF_REASON_TERM_SSL_SELF 2026
ACPF_REASON_TERM_SSL_ISSUER 2027
ACPF_REASON_TERM_SSL_REVOKED 2028
ACPF_REASON_TERM_SSL_NOVALIDATE 2029
ACPF_REASON_TERM_NO_LOCAL_SOCK 2030
ACPF_REASON_TERM_MEM_FAIL_CLOSE 2031

Packet Dropped (3000 - 3999)

ACPF_REASON_DROP_MISMATCH_MAC 3000
ACPF_REASON_DROP_MISMATCH_IF 3001
ACPF_REASON_DROP_SOURCE_MC 3002
ACPF_REASON_DROP_SOURCE_BC 3003
ACPF_REASON_DROP_SOURCE_BADCLASS 3004
ACPF_REASON_DROP_SOURCE_LOOPBACK 3005
ACPF_REASON_DROP_SOURCE_LOCAL 3006
ACPF_REASON_DROP_IPHDR_INCOMPLETE 3007
ACPF_REASON_DROP_IPHDR_VERSION 3008
ACPF_REASON_DROP_IPHDR_CHECKSUM 3009
ACPF_REASON_DROP_IPHDR_INVOPT 3010
ACPF_REASON_DROP_SOURCE_ROUTE 3011
ACPF_REASON_DROP_PKT_INCOMPLETE 3012
ACPF_REASON_DROP_TCP_HDR_INCOMPLETE 3013
ACPF_REASON_DROP_TCP_HDR_CHECKSUM 3014
ACPF_REASON_DROP_TCP_INVALID_COOKIE 3015
ACPF_REASON_DROP_TCP_INVALID_SEQ 3016
ACPF_REASON_DROP_TCP_INVALID_ACK 3017
ACPF_REASON_DROP_TCP_INVALID_OPT 3018
ACPF_REASON_DROP_TCP_INVALID_FLAGS 3019
ACPF_REASON_DROP_TCP_NO_SESSION 3020
ACPF_REASON_DROP_UDP_HDR_INCOMPLETE 3021
ACPF_REASON_DROP_UDP_HDR_CHECKSUM 3022
ACPF_REASON_DROP_ICMP_HDR_INCOMPLETE 3023
ACPF_REASON_DROP_ICMP_HDR_CHECKSUM 3024
ACPF_REASON_DROP_ICMP_HDR_INV_TYPE 3025
ACPF_REASON_DROP_ICMP_NO_REQUEST 3026
ACPF_REASON_DROP_NO_SOCKET 3027
ACPF_REASON_DROP_NO_FWD 3028
ACPF_REASON_DROP_NO_DEVICE 3029
ACPF_REASON_DROP_ARP_DEVICE_MISMATCH 3030
ACPF_REASON_DROP_ARP_MULTIPLE 3031
ACPF_REASON_DROP_LIMIT_SIZE 3032
ACPF_REASON_DROP_LIMIT_RATE 3033
ACPF_REASON_DROP_TTL_EXPIRED 3034
ACPF_REASON_DROP_ARP_INV_OP 3035
ACPF_REASON_DROP_ICMP_NO_SESSION 3036
ACPF_REASON_DROP_ICMP_IGNORE 3037
ACPF_REASON_DROP_ICMP_RULE_DROP 3038
ACPF_REASON_DROP_HIPROTO_HDR_INCOMPLETE 3039
ACPF_REASON_DROP_HIPROTO_HDR_INVALID 3040
ACPF_REASON_DROP_HIPROTO_HDR_VERSION 3041
ACPF_REASON_DROP_HIPROTO_PKT_INCOMPLETE 3042
ACPF_REASON_DROP_HIPROTO_PKT_INVALID 3043
ACPF_REASON_DROP_MISMATCH_MAC_SRC 3044
ACPF_REASON_DROP_MISMATCH_MAC_DST 3045
ACPF_REASON_DROP_BRIDGE_ACL 3046
ACPF_REASON_DROP_ARP_BURST 3047
ACPF_REASON_DROP_STATIC_BARP 3048
ACPF_REASON_DROP_LOCKED_BARP 3049
ACPF_REASON_DROP_BRIDGE_MAC_SPOOFING 3050
ACPF_REASON_DROP_BRIDGE_NO_NEXTHOP 3051
ACPF_REASON_DROP_DECOMPRESS_FAIL 3052
ACPF_REASON_DROP_SESSION_LOAD_EXCEEDED 3053
ACPF_REASON_DROP_QARP_UPDATE_FAILED 3054
ACPF_REASON_DROP_QARP_ROUTE_LOOKUP_FAILED 3055
ACPF_REASON_DROP_QARP_GROUP_MISMATCH 3056
ACPF_REASON_DROP_QARP_MISMATCH 3057
ACPF_REASON_DROP_TCP_GUESSED_RST 3058
ACPF_REASON_DROP_TCP_INVALID_SYN 3059
ACPF_REASON_DROP_EXCEED_MTU 3060
ACPF_REASON_DROP_SRA_FUTURE_ACK 3061
ACPF_REASON_DROP_IPV6_UNSUPPORTED_HDR 3062
ACPF_REASON_DROP_NO_RULESET 3063
ACPF_REASON_DROP_SRC_BARP_UNKNOWN 3064
ACPF_REASON_DROP_SRCDST_BARP_SAME_DEV 3065
ACPF_REASON_DROP_OTHERHOST 3066
ACPF_REASON_DROP_NOT_ACTIVE 3067
ACPF_REASON_DROP_LINEARIZATION_FAILED 3068
ACPF_REASON_DROP_REEVALUATION_FAILED 3069
ACPF_REASON_DROP_UNKNOWN_FRAGMENT 3070
ACPF_REASON_DROP_BRIDGE_LOOP 3071
ACPF_REASON_DROP_RSTP_DISCARD 3072
ACPF_REASON_DROP_SYN_WITH_PAYLOAD 3073
ACPF_REASON_DROP_INVALID_URG_PTR 3074

Blocked (4000 - 4999) and Application Blocked (7000 - 7999)

ACPF_REASON_BLOCK_UNKNOWN 4000
ACPF_REASON_BLOCK_NO_FWD 4001
ACPF_REASON_BLOCK_RULE_EXPLICIT 4002
ACPF_REASON_BLOCK_RULE_NOMATCH 4003 // permanent
ACPF_REASON_BLOCK_RULE_SRC_MISMATCH 4004 // permanent
ACPF_REASON_BLOCK_RULE_DST_MISMATCH 4005 // permanent
ACPF_REASON_BLOCK_RULE_SRV_MISMATCH 4006 // permanent
ACPF_REASON_BLOCK_RULE_TIME_MISMATCH 4007 // permanent
ACPF_REASON_BLOCK_RULE_IF_MISMATCH 4008 // permanent
ACPF_REASON_BLOCK_RULE_LOCAL_LOOP 4009 // permanent
ACPF_REASON_BLOCK_RULE_ACL 4010 // adjust ACPF_REASON_BLOCK_RULE_ACL when inserting
ACPF_REASON_BLOCK_LIMIT_RULE 4011
ACPF_REASON_BLOCK_LIMIT_SRC 4012
ACPF_REASON_BLOCK_LIMIT_PENDING 4013
ACPF_REASON_BLOCK_LIMIT_SIZE 4014
ACPF_REASON_BLOCK_DYN_RULE 4015
ACPF_REASON_BLOCK_NO_NAT 4016
ACPF_REASON_BLOCK_BROADCAST 4017
ACPF_REASON_BLOCK_MULTICAST 4018
ACPF_REASON_BLOCK_LIMIT_ALL_SRC 4019
ACPF_REASON_BLOCK_LIMIT_UDP 4020
ACPF_REASON_BLOCK_LIMIT_UDP_SRC 4021
ACPF_REASON_BLOCK_LIMIT_ECHO 4022
ACPF_REASON_BLOCK_LIMIT_ECHO_SRC 4023
ACPF_REASON_BLOCK_LIMIT_OTHER 4024
ACPF_REASON_BLOCK_LIMIT_OTHER_SRC 4025
ACPF_REASON_BLOCK_LIMIT_TOTAL 4026
ACPF_REASON_BLOCK_NO_ROUTE 4027
ACPF_REASON_BLOCK_INVALID_PROTO 4028
ACPF_REASON_BLOCK_LIMIT_LICENSE 4029
ACPF_REASON_BLOCK_NO_DEVICE 4030
ACPF_REASON_BLOCK_RULE_USER_MISMATCH 4031
ACPF_REASON_BLOCK_BRIDGE_NO_BARP 4032
ACPF_REASON_BLOCK_RULE_MAC_MISMATCH 4033
ACPF_REASON_BLOCK_AUTH_REQUIRED 4034
ACPF_REASON_BLOCK_NO_LOCAL_ADDRESS 4035
ACPF_REASON_BLOCK_REDIR_TO_LOCAL_ADDR 4036
ACPF_REASON_BLOCK_SLOT_CREATE_FAILED 4037
ACPF_REASON_BLOCK_RULE_QCLASS_MISMATCH 4038
ACPF_REASON_BLOCK_V6_LOCAL_BLOCKED 4039
ACPF_REASON_BLOCK_WANOPT_MISMACTH 4040
ACPF_REASON_BLOCK_RULE_APP_MISMATCH 4041
ACPF_REASON_BLOCK_URLCAT_NA_POLICY 4042
ACPF_REASON_BLOCK_URLCAT_BLOCK_CUSTOM 4043
ACPF_REASON_BLOCK_URLCAT_BLOCK_WHITE 4044
ACPF_REASON_BLOCK_URLCAT_BLOCK_BLACK 4045
ACPF_REASON_BLOCK_ATD_RULE 4046
ACPF_REASON_BLOCK_ATD_ASYNC_HASH 4047
ACPF_REASON_BLOCK_URLCAT_WARN_NA_POLICY 4048
ACPF_REASON_BLOCK_URLCAT_WARN 4049
ACPF_REASON_BLOCK_URLCAT_WARN_CUSTOM 4050
ACPF_REASON_BLOCK_URLCAT_OVERRIDE 4051
ACPF_REASON_BLOCK_CONTENT 4052
ACPF_REASON_BLOCK_AGENT 4053
ACPF_REASON_BLOCK_SSL_SELF 4054
ACPF_REASON_BLOCK_SSL_ISSUER 4055
ACPF_REASON_BLOCK_SSL_REVOKED 4056
ACPF_REASON_BLOCK_SSL_EXPIRED 4057
ACPF_REASON_BLOCK_SSL_INVALID 4058
ACPF_REASON_BLOCK_SSL_REV_FAILED 4059
ACPF_REASON_BLOCK_UNKNOWN_VRF 4060

ACPF_REASON_APPBLOCK_UNKNOWN 7000
... identical to ACPF_REASON_BLOCK ...

Denied (5000 - 5999)

ACPF_REASON_DENY_UNKNOWN 5000
ACPF_REASON_DENY_RULE_EXPLICIT 5001
ACPF_REASON_DENY_RULE_SRC_MISMATCH 5002 // permanent
ACPF_REASON_DENY_RULE_DST_MISMATCH 5003 // permanent
ACPF_REASON_DENY_RULE_SRV_MISMATCH 5004 // permanent
ACPF_REASON_DENY_RULE_TIME_MISMATCH 5005 // permanent
ACPF_REASON_DENY_RULE_LOCAL_LOOP 5006 // permanent
ACPF_REASON_DENY_RULE_ACL 5007 // permanent
ACPF_REASON_DENY_DYN_RULE 5008
ACPF_REASON_DENY_NO_NAT 5009

Scanned (6000 - 6999)

ACPF_REASON_SCAN_UNKNOWN 6000
ACPF_REASON_SCAN_PATTERN_TERM 6001
ACPF_REASON_SCAN_PATTERN_LOG 6002
ACPF_REASON_SCAN_P2P_LOG 6003
ACPF_REASON_SCAN_P2P_DROP 6004
ACPF_REASON_SCAN_P2P_SHAPE 6005
ACPF_REASON_SCAN_PROTO_LOG 6006
ACPF_REASON_SCAN_PROTO_RESET 6007
ACPF_REASON_SCAN_PROTO_DROP 6008
ACPF_REASON_SCAN_IPS_LOG 6009
ACPF_REASON_SCAN_IPS_LOG_WARN 6010
ACPF_REASON_SCAN_IPS_LOG_ALERT 6011
ACPF_REASON_SCAN_IPS_DROP 6012
ACPF_REASON_SCAN_IPS_DROP_WARN 6013
ACPF_REASON_SCAN_IPS_DROP_ALERT 6014
ACPF_REASON_SCAN_WEB_ACCESS 6015
ACPF_REASON_SCAN_APP_DETECT 6016
ACPF_REASON_SCAN_APP_WARN 6017
ACPF_REASON_SCAN_APP_ALERT 6018
ACPF_REASON_SCAN_APP_DROP 6019
ACPF_REASON_SCAN_APP_DROP_WARN 6020
ACPF_REASON_SCAN_APP_DROP_ALERT 6021
ACPF_REASON_SCAN_URLCAT_DETECT 6022
ACPF_REASON_SCAN_URLCAT_WARN 6023
ACPF_REASON_SCAN_URLCAT_ALERT 6024
ACPF_REASON_SCAN_URLCAT_DROP 6025
ACPF_REASON_SCAN_URLCAT_DROP_WARN 6026
ACPF_REASON_SCAN_URLCAT_DROP_ALERT 6027
ACPF_REASON_SCAN_VIRUS_DETECT 6028
ACPF_REASON_SCAN_VIRUS_DETECT_ATD 6029
ACPF_REASON_SCAN_NOT_POSSIBLE_CLOSE 6030
ACPF_REASON_SCAN_NOT_POSSIBLE_OPEN 6031
ACPF_REASON_SCAN_ERROR_CLOSE 6032
ACPF_REASON_SCAN_ERROR_OPEN 6033
ACPF_REASON_SCAN_VIRUS_DETECT_ATD_DELIVERED 6034
ACPF_REASON_SCAN_REPU_DNS_REQ 6035
ACPF_REASON_SCAN_REPU_SINKHOLE_ACCESS 6036
ACPF_REASON_SCAN_REPU_HOSTNAME_ACCESS 6037

Example
{
    "version": 1,
    "timestamp": 1606230141,
    "action": "End",
    "duration": 8436,
    "src_iface": "eth0",
    "src_ip": "10.17.35.171",
    "src_port": 40532,
    "src_mac": "00:0c:29:9a:0a:78",
    "dst_iface": "eth0",
    "dst_ip": "193.99.144.85",
    "dst_port": 443,
    "dst_mac": "00:0c:29:00:d6:00",
    "fw_rule": "BOX-LAN-2-INTERNET",
    "app_rule": "<App>:ALL-APPS",
    "fw_info": 2007,
    "src_ip_nat": "10.17.35.175",
    "dst_ip_nat": "193.99.144.85",
    "fwd_bytes": 7450,
    "rev_bytes": 561503,
    "fwd_packets": 129,
    "rev_packets": 439,
    "ip_proto": 6,
    "protos": [
        "HTTPS direct",
        "HTTPS",
        "All HTTP protocols"
    ],
    "apps": [
        "Web browsing"
    ]
}
Logstash Log
{
    "@timestamp" => 2021-12-27T10:55:16.660Z,
          "beat" => {
         "version" => "6.2.4",
        "hostname" => "cgf-scout-int",
            "name" => "cgf-scout-int"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
       "product" => "ngfw",
    "input_type" => "log",
          "type" => "ngfw-act",
    "prospector" => {
        "type" => "udp"
    },
            "sn" => "4f94abdf7a8c465fa2cd76f680ecafd1",
       "message" => {
          "rev_bytes" => 748,
            "fw_rule" => "Internet",
           "ip_proto" => 6,
           "contents" => [
            [0] "HTML",
            [1] "Web Files"
        ],
            "src_mac" => "fc:bd:67:a5:f0:0f",
             "src_ip" => "10.11.1.4",
           "dst_port" => 80,
          "fwd_bytes" => 421,
          "dst_iface" => "dhcp",
           "src_port" => 40252,
            "dst_mac" => "00:22:48:2d:11:74",
               "apps" => [
            [0] "Web browsing"
        ],
          "src_iface" => "dhcp",
           "duration" => 9261,
            "version" => 1,
             "action" => "End",
             "dst_ip" => "89.238.73.97",
           "app_rule" => "<App>:BlockMacros",
             "protos" => [
            [0] "HTTP direct",
            [1] "HTTP",
            [2] "All HTTP protocols"
        ],
            "fw_info" => 0,
         "dst_ip_nat" => "89.238.73.97",
         "src_ip_nat" => "10.11.0.4",
        "fwd_packets" => 5,
          "timestamp" => 1640602516,
        "rev_packets" => 5
    },
      "@version" => "1"
}

Web Messages

(type = ngfw-wf)

JSON Fields

| Field Name | Description | Datatype | Optional | Null Value |
|---|---|---|---|---|
| timestamp | Unix time stamp indicating when the request passed through the firewall | int | no | - |
| version | Message format version. Currently 1. | int | no | - |
| traffic_type | Always "0" | int | no | - |
| action | Numeric ID of the action that was performed by the firewall: "0" for allowed, "1" for blocked | int | no | - |
| source_ip | The source IP address of the request | string | no | - |
| source_port | The source port of the request | int | no | - |
| destination_ip | The destination IP address of the request | string | no | - |
| destination_port | The destination port of the request | int | no | - |
| method | The method of the request (e.g. "GET", "POST", "PUT", "CONNECT") | string | yes | key is not in JSON |
| status_code | The HTTP status code of the response | int | yes | "0" |
| user_agent | The User-Agent request header field | string | yes | key is not in JSON |
| content_type | The Content-Type response header field | string | yes | key is not in JSON |
| name | The full URI of the request | string | yes | key is not in JSON |
| size | The Content-Length response header field | int | yes | "0" |
| domain | The "Referer" request header field, or the host part of the request URI | string | yes | key is not in JSON |
| category | Numeric ID of the detected URL category: "1" to "96", see cf_budd.xml; treat any other value, or an empty array, as "unknown" | int | yes | key is not in JSON |
| user | The username of the user performing the request, or the source IP address of the request | string | no | - |
| user_type | 1 if "user" is a username, 0 if "user" is an IP address | int | no | - |
| fw_rule | The firewall rule that has been applied to the request | string | yes | key is not in JSON |
| app_rule | The application rule that has been applied to the request | string | yes | key is not in JSON |

Examples
{
    "timestamp": 1526383397000,
    "traffic_type": 0,
    "action": 0,
    "source_ip": "192.168.42.124",
    "source_port": "50646",
    "destination_ip": "193.99.144.85",
    "destination_port": "443",
    "method": "GET",
    "status_code": "0",
    "user_agent": "wget/1.19.2 (linux-gnu)",
    "content_type": "text/html; charset=UTF-8",
    "name": "https://www.heise.de/",
    "size": 59558,
    "domain": "www.heise.de",
    "category": [
        "79"
    ],
    "user": "192.168.42.124",
    "user_type": 0,
    "fw_rule": "LAN-2-INTERNET",
    "app_rule": "<App>:<pass-no-match>"
}
{
    "timestamp": 1526377804000,
    "traffic_type": 0,
    "action": 0,
    "source_ip": "192.168.42.105",
    "source_port": "50159",
    "destination_ip": "216.58.207.67",
    "destination_port": "443",
    "method": "GET",
    "status_code": "0",
    "user_agent": "mozilla/5.0 (windows nt 6.1) applewebkit/537.36 (khtml, like gecko) chrome/66.0.3359.139 safari/537.36",
    "content_type": "",
    "name": "https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=66",
    "size": 0,
    "domain": "clientservices.googleapis.com",
    "category": [
    ],
    "user": "192.168.42.105",
    "user_type": 0,
    "fw_rule": "LAN-2-INTERNET",
    "app_rule": "<App>:<pass-no-match>"
}
Logstash Log
{
    "@timestamp" => 2021-12-27T10:55:38.870Z,
          "beat" => {
         "version" => "6.2.4",
        "hostname" => "cgf-scout-int",
            "name" => "cgf-scout-int"
    },
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
       "product" => "ngfw",
    "input_type" => "log",
          "type" => "ngfw-wf",
    "prospector" => {
        "type" => "udp"
    },
            "sn" => "4f94abdf7a8c465fa2cd76f680ecafd1",
       "message" => {
            "traffic_type" => 0,
          "destination_ip" => "18.67.76.12",
                    "user" => "10.11.1.4",
                 "fw_rule" => "Internet",
        "destination_port" => "443",
            "content_type" => "text/html; charset=UTF-8",
             "status_code" => "0",
                 "version" => 1,
                  "action" => 0,
                    "name" => "https://www.barracuda.com/",
                  "method" => "GET",
                    "size" => 0,
                "category" => [
            [0] "82"
        ],
               "user_type" => 0,
                "app_rule" => "<App>:BlockMacros",
                  "domain" => "www.barracuda.com",
               "source_ip" => "10.11.1.4",
             "source_port" => "45796",
              "user_agent" => "mozilla/5.0 (macintosh; u; intel mac os x; en)",
               "timestamp" => 1640602538000
    },
      "@version" => "1"
} 

Threat Log

(type = ngfw-threat)

JSON Fields

| Field Name | Description | Datatype | Optional | Null Value |
|---|---|---|---|---|
| date | Date | int | no | - |
| time | Time | int | no | - |
| version | Message format version. Currently 1. | int | no | - |
| severity | Part of the syslog header (e.g. "Warning") | string | no | - |
| timezone | Part of the syslog header | int | no | - |
| component | Future use. Currently "firewall" | string | no | - |
| operation | The operation that has been performed by the firewall ("Allow", "Block") | string | no | - |
| type | Type of threat ("Virus", "ATD", "IPS", "Reputation") | string | no | - |
| trans_proto | Transport protocol of the session that caused the threat hit ("TCP", "UDP", ...) | string | no | - |
| src_ip | Source IP of the session | string | no | - |
| dst_ip | Destination IP of the session | string | no | - |
| port | Port of the session | int | no | - |
| app_proto | Detected application target, e.g. a URL or file name (e.g. "86.exe") | string | yes | key is not in JSON |
| description | Description of the threat (e.g. "ID: 1059898 EXPLOIT Generic HTML Threat -21") | string | yes | key is not in JSON |
| user | Username of the user that caused the threat hit; only present if known by the firewall engine | string | yes | key is not in JSON |
| threat_severity | A number representing the severity of the threat: "0" (Informational), "1" (Low), "2" (Medium), "3" (High) | int | no | - |
| ips_category | The category of an IPS hit; only present for IPS hits (e.g. "Web Attack") | string | yes | key is not in JSON |

Examples
{
    "app_target": "eicar.exe",
    "component": "firewall",
    "date": "2018 05 15",
    "description": "Eicar-Test-Signature",
    "dst_ip": "10.0.6.96",
    "operation": "Block",
    "port": "443",
    "severity": "Warning",
    "src_ip": "10.17.35.169",
    "threat_severity": "3",
    "time": "15:42:27",
    "timestamp": "2018-05-15T15:42:27+00:00",
    "timezone": "+00:00",
    "trans_proto": "TCP",
    "type": "Virus",
    "user": "user42"
}
{
    "app_target": "boese.pdf",
    "component": "firewall",
    "date": "2018 05 15",
    "description": "ad43f5fc1d679c8d766824abb41b2b28b364c3c8;.pdf",
    "dst_ip": "103.248.176.78",
    "operation": "Block",
    "port": "80",
    "severity": "Warning",
    "src_ip": "10.17.35.169",
    "threat_severity": "3",
    "time": "15:42:32",
    "timestamp": "2018-05-15T15:42:32+00:00",
    "timezone": "+00:00",
    "trans_proto": "TCP",
    "type": "ATD",
    "user": "user42"
}
{
    "component": "firewall",
    "date": "2018 05 15",
    "description": "ID: 1054837 WEB Remote File Inclusion /etc/passwd",
    "dst_ip": "81.19.145.78",
    "ips_category": "Web Attack",
    "operation": "Block",
    "port": "80",
    "severity": "Warning",
    "src_ip": "10.17.35.169",
    "threat_severity": "3",
    "time": "15:46:06",
    "timestamp": "2018-05-15T15:46:06+00:00",
    "timezone": "+00:00",
    "trans_proto": "TCP",
    "type": "IPS",
    "user": "user45"
}
Logstash Log
{
          "beat" => {
         "version" => "6.2.4",
        "hostname" => "cgf-scout-int",
            "name" => "cgf-scout-int"
    },
       "product" => "ngfw",
        "source" => "/var/phion/logs/box_Firewall_threat.log",
          "type" => "ngfw-threat",
        "offset" => 110126,
    "prospector" => {
        "type" => "log"
    },
      "@version" => "1",
    "@timestamp" => 2021-12-27T10:55:16.390Z,
          "tags" => [
        [0] "beats_input_codec_plain_applied"
    ],
    "input_type" => "log",
            "sn" => "4f94abdf7a8c465fa2cd76f680ecafd1",
       "message" => {
              "operation" => "Allow",
           "ips_category" => "Virus/Worm",
                   "time" => "10:55:07",
               "timezone" => "+00:00",
                   "port" => "443",
                 "src_ip" => "10.11.1.4",
                 "dst_ip" => "89.238.73.97",
             "app_target" => "www.eicar.org",
            "trans_proto" => "TCP",
                   "type" => "IPS",
                "version" => 1,
               "severity" => "Warning",
              "component" => "firewall",
            "description" => "ID: 1051723 VIRUS Eicar test string",
                   "date" => "2021 12 27",
        "threat_severity" => "3",
              "timestamp" => "2021-12-27T10:55:07+00:00"
    }
}
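As an added example (not part of the original documentation), the following Python script consumes the three message types described above (ngfw-act, ngfw-wf and ngfw-threat) in the envelope shape shown in the Logstash logs (top-level type, decoded message), applies the null-value, category and severity rules from the field tables, classifies fw_info reason codes by their numeric range, and normalises the three timestamp encodings to epoch seconds. The sample events are constructed here, modelled on the page's examples.

```python
import json
from datetime import datetime

# fw_info reason-code ranges, from the fw_info field description above.
FW_INFO_CATEGORIES = (
    (0, 999, "normal"), (1000, 1999, "failed"), (2000, 2999, "terminated"),
    (3000, 3999, "dropped"), (4000, 4999, "blocked"), (5000, 5999, "denied"),
    (6000, 6999, "scanned"), (7000, 7999, "app_blocked"),
)
# Optional ngfw-act fields whose "null value" is a sentinel instead of an absent key.
NULL_SENTINELS = {
    "src_mac": "00:00:00:00:00:00", "dst_mac": "00:00:00:00:00:00",
    "src_ip_nat": "0.0.0.0", "dst_ip_nat": "0.0.0.0",
}
THREAT_SEVERITY = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}

def fw_info_category(code):
    """Map an fw_info reason code to its category name ("unknown" outside all ranges)."""
    for low, high, name in FW_INFO_CATEGORIES:
        if low <= int(code) <= high:
            return name
    return "unknown"

def web_category(value):
    """ngfw-wf category rule: ids 1..96 are known; anything else or an empty array is unknown (None)."""
    if isinstance(value, list):
        value = value[0] if len(value) == 1 else None
    try:
        num = int(value)
    except (TypeError, ValueError):
        return None
    return num if 1 <= num <= 96 else None

def event_time(msg_type, msg):
    """Normalise the three timestamp encodings to epoch seconds (UTC)."""
    ts = msg["timestamp"]
    if msg_type == "ngfw-act":   # seconds since epoch
        return int(ts)
    if msg_type == "ngfw-wf":    # milliseconds since epoch
        return int(ts) // 1000
    return int(datetime.fromisoformat(ts).timestamp())  # ngfw-threat: ISO 8601 with offset

def summarise(event):
    """Reduce one decoded Logstash event (top-level type, decoded message) to a flat record."""
    msg_type, msg = event["type"], event["message"]
    rec = {"type": msg_type, "time": event_time(msg_type, msg)}
    if msg_type == "ngfw-act":
        # Drop sentinel nulls so "00:00:00:00:00:00" / "0.0.0.0" are not reported as data.
        msg = {k: v for k, v in msg.items() if NULL_SENTINELS.get(k) != v}
        rec.update(action=msg["action"], outcome=fw_info_category(msg["fw_info"]),
                   src=f'{msg["src_ip"]}:{msg.get("src_port", "-")}',
                   dst=f'{msg["dst_ip"]}:{msg.get("dst_port", "-")}',
                   nat_src=msg.get("src_ip_nat"), rule=msg.get("fw_rule"))
    elif msg_type == "ngfw-wf":
        rec.update(allowed=int(msg["action"]) == 0, url=msg.get("name"),
                   url_category=web_category(msg.get("category")),
                   user=msg["user"] if int(msg["user_type"]) == 1 else None,
                   client_ip=msg["source_ip"])
    elif msg_type == "ngfw-threat":
        rec.update(blocked=msg["operation"] == "Block",
                   severity=THREAT_SEVERITY.get(str(msg["threat_severity"]), "unknown"),
                   threat=msg["type"], description=msg.get("description"),
                   src=msg["src_ip"], dst=f'{msg["dst_ip"]}:{msg["port"]}')
    return rec

def process_lines(lines):
    """Parse newline-delimited JSON events (one Logstash event per line) into records."""
    return [summarise(json.loads(line)) for line in lines if line.strip()]

# Constructed sample events modelled on the page's examples; not real captures.
SAMPLE_LINES = [
    '{"type": "ngfw-act", "message": {"version": 1, "timestamp": 1606230141, "action": "End",'
    ' "src_ip": "10.17.35.171", "src_port": 40532, "src_mac": "00:00:00:00:00:00",'
    ' "dst_ip": "193.99.144.85", "dst_port": 443, "fw_rule": "BOX-LAN-2-INTERNET",'
    ' "fw_info": 2007, "src_ip_nat": "0.0.0.0", "ip_proto": 6}}',
    '{"type": "ngfw-wf", "message": {"version": 1, "timestamp": 1526377804000, "traffic_type": 0,'
    ' "action": 1, "source_ip": "192.168.42.105", "source_port": "50159",'
    ' "destination_ip": "216.58.207.67", "destination_port": "443", "method": "GET",'
    ' "name": "https://example.invalid/", "category": [], "user": "192.168.42.105", "user_type": 0}}',
    '{"type": "ngfw-threat", "message": {"version": 1, "timestamp": "2018-05-15T15:46:06+00:00",'
    ' "operation": "Block", "type": "IPS", "trans_proto": "TCP", "src_ip": "10.17.35.169",'
    ' "dst_ip": "81.19.145.78", "port": "80", "threat_severity": "3", "ips_category": "Virus/Worm",'
    ' "description": "ID: 1051723 VIRUS Eicar test string"}}',
]

if __name__ == "__main__":
    for rec in process_lines(SAMPLE_LINES):
        print(rec)
```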

Version File

JSON Fields

| Field Name | Description | Optional | Null Value |
|---|---|---|---|
| version | Message format version. Currently 1. | no | - |
| ip_addr | Management IP of the box | no | - |
| model | Hardware/cloud model of the box | no | - |
| firmware | Firmware version | no | - |
| hostname | The host name | no | - |
| serial | The serial of the box | no | - |
| domain | Domain name | yes | key is not in JSON |
| box | Name of the box | no | - |
| cluster | Name of the cluster that the box is assigned to. Optional, only present on boxes that are managed by a CC. | yes | key is not in JSON |
| range | Name (a numeric ID) of the range that the box is assigned to. Optional, only present on boxes that are managed by a CC. | yes | key is not in JSON |
| box_description | A textual description of the box. Optional. | yes | key is not in JSON |
| cluster_description | A textual description of the cluster. Optional. | yes | key is not in JSON |
| range_description | A textual description of the range. Optional. | yes | key is not in JSON |
| brs_type | Always "version" | no | - |
| brs_index | Always "version" | no | - |
| brs_version | Unix time stamp of the last update | no | - |
| geo_latitude | Geo IP latitude. Optional. Double value. | yes | key is not in JSON |
| geo_longitude | Geo IP longitude. Optional. Double value. | yes | key is not in JSON |
| geo_country | "Located in Country" setting from box properties. Optional. | yes | key is not in JSON |
| geo_location | "Appliance Location" setting from box properties. Optional. | yes | key is not in JSON |
| geo_timezone | "Appliance Timezone" setting from box properties. Optional. | yes | key is not in JSON |
| geo_position | "GPS Coordinates" setting from box properties. Optional. | yes | key is not in JSON |

Examples
{
    "ip_addr": "10.17.68.110",
    "model": "vf1000",
    "firmware": "GWAY-7.2.1-115.nightbuild",
    "domain": "test.example.com",
    "hostname": "box71",
    "serial": "904646",
    "box": "box71",
    "box_description": "bobobo",
    "brs_type": "version",
    "brs_index": "version",
    "brs_version": 1526386796
}
{
    "ip_addr": "10.17.35.173",
    "model": "vf1000",
    "firmware": "GWAY-7.2.1-123.nightbuild",
    "hostname": "managed01",
    "serial": "976524",
    "box": "managed01",
    "cluster": "clstr",
    "range": "42",
    "box_description": "qwerty",
    "cluster_description": "bab",
    "range_description": "aba",
    "brs_type": "version",
    "brs_index": "version",
    "brs_version": 1526358967
}
{
    "ip_addr": "10.17.35.168",
    "model": "vf1000",
    "firmware": "GWAY-7.2.1-127.nightbuild",
    "domain": "BRStest.local",
    "hostname": "BRStest2",
    "serial": "985753",
    "box": "BRStest2",
    "cluster": "BRS",
    "range": "20",
    "cluster_description": "BRS test boxes",
    "range_description": "real 17.33er boxes",
    "brs_type": "version",
    "brs_index": "version",
    "brs_version": 1526359051
}