Sophos XG Firewall Web Interface Reference and Admin Guide v16.5


| Appendix A - Logs | 552

Message ID   Message
01301        Fragmented traffic denied
01601        Invalid fragmented traffic denied
02001        Local ACL traffic allowed
02002        Local ACL traffic denied
03001        DoS attack dropped
04001        ICMP-redirected packet dropped
05001        Source-routed packet dropped
05051        Foreign host denied
05101        IPMAC pair denied
05151        IP Spoof denied
05201        SSL VPN resource access denied
05301        ARP Flood traffic denied
05401        Traffic for virtual host <virtualhostname> is denied. No Internal server is available to process the traffic.

Sample Logs:

device="SFW" date=2017-01-31 time=14:16:19 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=2 policy_type=2 user_name="jsmith" user_gp="Open Group" iap=1 ips_policy_id=0 appfilter_policy_id=1 application="Youtube Video Streaming" application_risk=3 application_technology="Browser Based" application_category="Streaming Media" in_interface="PortA" out_interface="PortB" src_mac=00: 0:00: 0:00: 0 src_ip=10.198.47.71 src_country_code=R1 dst_ip=4.2.2.2 dst_country_code=USA protocol="UDP" src_port=59859 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=77 recv_bytes=105 tran_src_ip=125.18.184.56 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="185246656" vconnid="" hb_health="No Heartbeat"

Module-specific Fields

Data Field (Type): Description

status (string)
    Ultimate status of traffic – Allowed or Denied

duration (integer)
    Durability of traffic (seconds)

fw_rule_id (integer)
    Firewall Rule ID which is applied on the traffic

user_name (string)
    User name

user_group (string)
    Group name to which the user belongs

iap (integer)
    Internet Access policy ID applied on the traffic

ips_policy_id (integer)
    IPS policy ID applied on the traffic

appfilter_policy_id (integer)
    Application Filter policy applied on the traffic

application (string)
    Application name

application_risk (integer)
    Risk level assigned to the application
    Possible values:
    1 - VERY LOW
    2 - LOW
    3 - MEDIUM
    4 - HIGH
    5 - VERY HIGH

application_technology (string)
    Technology of the application
    Possible values:
    Browser Based
    Client Server
    Network Protocol
    P2P

application_category (string)
    Name of the category under which application falls

in_interface (string)
    Interface for incoming traffic, e.g., Port A

out_interface (string)
    Interface for outgoing traffic, e.g., Port B

src_ip (string)
    Original source IP address of traffic

src_mac (string)
    Original source MAC address of traffic

src_country_code (string)
    Code of the country to which the source IP belongs

dst_ip (string)
    Original destination IP address of traffic

dst_country_code (string)
    Code of the country to which the destination IP belongs

protocol (integer)
    Protocol number of traffic

src_port (integer)
    Original source port of TCP and UDP traffic

dst_port (integer)
    Original destination port of TCP and UDP traffic

icmp_type (integer)
    ICMP type of ICMP traffic

icmp_code (integer)
    ICMP code of ICMP traffic

sent_pkts (integer)
    Total number of packets sent

received_pkts (integer)
    Total number of packets received

sent_bytes (integer)
    Total number of bytes sent

recv_bytes (integer)
    Total number of bytes received

trans_src_ip (string)
    Translated source IP address for outgoing traffic. It is applicable only in route mode.
    Possible values:
    "" - When appliance is deployed in Bridge mode or source IP translation is not done.
    IP Address - IP address with which the original source IP is translated.
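The following parser is an added example, not code from the Sophos guide: it reads the key=value log format shown in the sample above (quoted values with spaces, bare values, and empty values such as tran_dst_ip=) and derives the facts from the field descriptions in this appendix. It uses the sample log line from this page with its garbled src_mac replaced by a constructed all-zero MAC, and takes the field name tran_src_ip from the sample (the table lists it as trans_src_ip).

```python
import re
from typing import Dict

# One key=value pair of the XG log format: the value is double-quoted (may
# contain spaces, e.g. application="Youtube Video Streaming"), a bare token
# (priority=Information), or empty (tran_dst_ip=, dir_disp="").
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

# Risk labels from the application_risk field description in this appendix.
RISK_LABELS = {1: "VERY LOW", 2: "LOW", 3: "MEDIUM", 4: "HIGH", 5: "VERY HIGH"}


def parse_sfw_log(line: str) -> Dict[str, str]:
    """Parse one firewall log line into a field -> value dict (all strings)."""
    fields: Dict[str, str] = {}
    for m in _PAIR.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize(fields: Dict[str, str]) -> Dict[str, object]:
    """Derive what an analyst checks first from one parsed firewall record."""
    risk = int(fields.get("application_risk") or 0)
    return {
        "rule_id": int(fields["fw_rule_id"]),
        "denied": fields["status"] != "Allow",
        "flow": (f'{fields["src_ip"]}:{fields["src_port"]} -> '
                 f'{fields["dst_ip"]}:{fields["dst_port"]} {fields["protocol"]}'),
        "bytes_total": int(fields["sent_bytes"]) + int(fields["recv_bytes"]),
        "risk_label": RISK_LABELS.get(risk, "UNKNOWN"),
        # Per the translated-source-IP description: an empty value means
        # bridge mode or no source NAT; a non-empty value means SNAT applied.
        "snat_applied": fields.get("tran_src_ip", "") != "",
    }


# Sample log from this page; src_mac is a constructed all-zero value.
SAMPLE = (
    'device="SFW" date=2017-01-31 time=14:16:19 timezone="IST" device_name="CR750iNG-XP" '
    'device_id=C44310050024-P29PUA log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" priority=Information duration=30 fw_rule_id=2 policy_type=2 '
    'user_name="jsmith" user_gp="Open Group" iap=1 ips_policy_id=0 appfilter_policy_id=1 '
    'application="Youtube Video Streaming" application_risk=3 application_technology="Browser Based" '
    'application_category="Streaming Media" in_interface="PortA" out_interface="PortB" '
    'src_mac=00:00:00:00:00:00 src_ip=10.198.47.71 src_country_code=R1 dst_ip=4.2.2.2 dst_country_code=USA '
    'protocol="UDP" src_port=59859 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=77 recv_bytes=105 '
    'tran_src_ip=125.18.184.56 tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" '
    'dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="185246656" vconnid="" hb_health="No Heartbeat"'
)

if __name__ == "__main__":
    print(summarize(parse_sfw_log(SAMPLE)))
```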
