Custom Reports - Field Descriptions

Last updated on 2022-01-03 04:29:45

Firewall Activity Log

Field	Description	Value	Comment
Application	Detected application	string	Application detection must be active.
Application Protocols	Detected application protocol (e.g.: ["HTTPS direct", "HTTPS", “DNS” ]	string
Application Rule	Application rule name (e.g.: "<App>:ALL-APPS")	string
Contents	Detected content types. (e.g.: [ "HTML", "Web Files"]	string
Destination Interface	Destination interface name (e.g.: ‘’ eth1 ‘’)	string
Destination IP	Destination IP address	string
Destination GeoIP	Destination country (e.g.: “US”)	string
Destination GeoLatitude	Destination coordinates latitude (e.g.: «-98.4935»)	numeric
Destination GeoLongitude	Destination coordinates longitude (e.g.: «52.152.11»)	numeric
Destination NAT IP	Destination NAT	string
Destination MAC	Mac address of destination	string
Destination Port	Destination port	numeric
Duration	Duration in milliseconds	numeric	See more details on browse time.
Forwarded Bytes	Number of bytes sent in the session's forward direction	numeric	In bytes
Forwarded Packets	Number of packets sent in the session's forward direction	numeric
Firewall Info	Detailed information about the action performed by the firewall ACPF ID.	string	See details on Filebeat description.
Firewall Rule	Matching firewall rule name	string
Serial/Device	Firewall name (e.g.: “1-HQ-HQ-CGF1”)	string
Source Interface	Source interface name (e.g.: ‘’ eth1‘’)	string
Source IP	Source IP address	string
Source GeoIP	Source country (e.g.: “US”)	string
Source GeoLatitude	Source coordinates latitude (e.g.: «-98.4935»)	numeric
Source GeoLongitude	Source coordinates longitude (e.g.: «52.152.11»)	numeric
Source MAC	MAC address of the source	string
Source Port	Source port	numeric
Source NAT IP	Source NAT IP	string
Received Bytes	Number of bytes received in the session's forward direction	numeric
Received Packets	Number of packets received in the session's forward direction	numeric
Timestamp / Date	Date (e.g.: “2021-12-27 14:16:48+00:00”)	numeric
User	Username if available	string

Web Messages

(type = ngfw-wf)

Field	Description	Value	Comment
Action	Action performed on the firewall “Allow” or “Block”	numeric	Allow = 0, Block =1
Application Rule	Application rule name (e.g.: "<App>:ALL-APPS")	string
Category	Web category (e.g.: “Computing & Technology”)	string
Content Type	The content-type response header field	string
Destination GeoIP	Destination country (e.g.: “US”)	string
Destination GeoLatitude	Destination coordinates latitude (e.g.: «-98.4935»)	numeric
Destination GeoLongitude	Destination coordinates longitude (e.g.: «52.152.11»)	numeric
Destination Port	Destination port	numeric
Domain	The "Referer" request header field or the host part of the request URI	string	Can be compared to URL to verify if the site was requested directly or through a link from other website site.
Firewall Rule	Matching firewall rule name	string
Method	The method of the request (e.g.: "GET", "POST", "PUT", "CONNECT")	string
Size	The content-length response header field	numeric
Serial/Device	Firewall name (e.g.: “1-HQ-HQ-CGF1”)	string
Source IP	Source IP address	string
Source GeoIP	Source country (e.g.: “US”)	string
Source GeoLatitude	Source coordinates latitude (e.g.: «-98.4935»)	numeric
Source GeoLongitude	Source coordinates longitude (e.g.: «52.152.11»)	numeric
Source Port	Source port	numeric
Status Code	The HTTP status code of the response	numeric
Super Category	Web general category (e.g.: “Technology”)	string
Timestamp / Date	Date (e.g.: “2021-12-27 14:16:48+00:00”)	numeric
Traffic Type	N/A always 0	numeric
URI (Name)	Name (full URI request)	string
URL	Reserved for future use	string
User	The username of the user performing the request or source IP address of the request	string
User Agent	User agent	string
User Type	1 if "user" is a username 0 if "user" is an IP address	numeric

Threat Log

Field	Description	Value	Comment
Application Target	Detected application	string	Application detection must be active.
Component	Reserved for future use (“firewall”)	string
Description	Description of the threat (e.g.: “ ID: 1059898 EXPLOIT Generic HTML Threat -21 ")	string
Destination IP	Destination IP address	string
Destination GeoIP	Destination country (e.g.: “US”)	string
Destination GeoLatitude	Destination coordinates latitude (e.g.: «-98.4935»)	numeric
Destination GeoLongitude	Destination coordinates longitude (e.g.: «52.152.11»)	numeric
IPS Category	The category of an IPS hit ( e.g.: “Web Attack”)	string	Only present for IPS hits.
Operation	The operation that has been performed by the firewall (e.g.: “Allow”, “Block”)	string
Port	Destination port	numeric
Severity	Duration in milliseconds	string
Serial/Device	Firewall name (e.g.: “1-HQ-HQ-CGF1”)	string
Source IP	Source IP address	string
Source GeoIP	Source country (e.g.: “US”)	string
Source GeoLatitude	Source coordinates latitude (e.g.: «-98.4935»)	numeric
Source GeoLongitude	Source coordinates longitude (e.g.: «52.152.11»)	numeric
Threat Severity	A number representing the severity of the threat .	numeric	“0”= Info “1”=Low “2”=Medium “3”= High
Time Zone	Time zone (e.g.: +02:00)	string
Transport Protocol	Transport protocol of the session that caused the threat hit (e.g.: “TCP”, “UDP” )	string
Timestamp / Date	Date (e.g.: “2021-12-27 14:16:48+00:00”)	numeric
Type	Type of threat (e.g.: “Virus”, “ATD”, “IPS”, “Reputation”, …. )	string
User	Username if available	string

SD WAN Tunnels

Field	Description	Value
Geo Latitude	Coordinates latitude (e.g.: «-98.4935»)	numeric
Geo Longitude	Coordinates longitude (e.g.: «52.152.11»)	numeric
Serial/Device	Firewall name (e.g.: “1-HQ-HQ-CGF1”)	string
Timestamp / Date	Date (e.g.: “2021-12-27 14:16:48+00:00”)	numeric
Tunnelname	Tunnel name including TI ID (e.g.: “FW2FW-1-HQ-BO:9”)	string
Tunnelstate	Tunnel state (e.g.: “OK”, “ERROR” )	string
Effective Bandwidth Upstream min.	Effective bandwidth upstream minimum (bit/s)	numeric
Effective Bandwidth Upstream avg.	Effective bandwidth upstream average (bit/s)	numeric
Effective Bandwidth Upstream max.	Effective bandwidth upstream maximum (bit/s)	numeric
Effective Bandwidth Downstream min.	Effective bandwidth downstream minimum (bit/s)	numeric
Effective Bandwidth Downstream avg.	Effective bandwidth downstream average (bit/s)	numeric
Effective Bandwidth Downstream max.	Effective bandwidth downstream maximum (bit/s)	numeric
Latency min.	Latency minimum (ms)	numeric
Latency avg.	Latency average (ms)	numeric
Latency max.	Latency maximum (ms)	numeric
Usage Standard Upstream min.	Usage standard upstream minimum (bytes)	numeric
Usage Standard Upstream avg.	Usage standard upstream average (bytes)	numeric
Usage Standard Upstream max.	Usage standard upstream minimum (bytes)	numeric
Usage Standard Downstream min.	Usage standard downstream minimum (bytes)	numeric
Usage Standard Downstream avg.	Usage standard downstream average (bytes)	numeric
Usage Standard Downstream max.	Usage standard downstream maximum (bytes)	numeric
Usage NoDelay Upstream min.	Usage NoDelay upstream minimum (bytes)	numeric
Usage NoDelay Upstream min.	Usage NoDelay upstream average (bytes)	numeric
Usage NoDelay Upstream min.	Usage NoDelay upstream maximum (bytes)	numeric
Usage NoDelay Downstream min.	Usage NoDelay downstream minimum (bytes)	numeric
Usage NoDelay Downstream avg.	Usage NoDelay downstream average (bytes)	numeric
Usage NoDelay Downstream max.	Usage NoDelay downstream maximum (bytes)	numeric

SD WAN Tunnels Applications and Protocols

Field	Description	Value	Comment
Application	Detected application	string	Application detection must be active.
Protocols	Detected application protocol (e.g.: ["HTTPS direct", "HTTPS", “DNS” ]	string
Inbound Bytes	Inbound traffic in bytes	numeric
Outbound Bytes	Outbound traffic in bytes	numeric
Serial/Device	Firewall name (e.g.: “1-HQ-HQ-CGF1”)	string
Timestamp / Date	Date (e.g.: “2021-12-27 14:16:48+00:00”)	numeric
Tunnelname	Tunnel name including TI ID (e.g.: “FW2FW-BO1-CGF1-HQ-CGF1:9”)	string