Read a Log Message
Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.
Here is an example of one traffic log message from Traffic Monitor:
2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="220.127.116.11" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"
When you read a log message, you can see when the connection occurred, the source and destination of the traffic, the disposition of the connection, and other details.
Each log message includes these details:
Time Stamp
The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.
This is the time stamp from the example log message above:
2014-07-02 17:38:43
FireCluster Member Information
If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.
This is the FireCluster member information from the example log message above:
Member2
Disposition
Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.
This is the disposition from the example log message above:
Allow
Source and Destination Addresses
After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.
These are the source and destination addresses from the example log message above:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.
These are the service and protocol from the example log message above:
webcache/tcp
Source and Destination Ports
The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.
These are the source and destination ports from the example log message above:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.
These are the source and destination interfaces from the example log message above:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.
This is the connection action from the example log message above:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.
These are the packet length numbers from the example log message above:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.
This is the policy name from the example log message above:
(Outgoing-proxy-00)
Process
This section of the log message shows the process that handles the traffic.
This is the process from the example log message above:
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is the return code from the example log message above:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.
This is the NAT address from the example log message above:
src_ip_nat="220.127.116.11"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.
This is the packet size from the example log message above:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.
Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.
This is the message ID number from the example log message above:
msg_id="3000-0148"
The message ID numbers in the WatchGuard Log Catalog do not include the hyphen that appears in the message ID number in Traffic Monitor and Log Manager. When you search the WatchGuard Log Catalog for a message ID, remove the hyphen from the message ID number so that the search matches.
For example, to search for information about message ID number 3000-0148, in the WatchGuard Log Catalog, in the Search Log Catalog text box, type 300000148.
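The following parser is an added example, not WatchGuard code, and it is not taken from this page. It splits a Traffic Monitor traffic log line into the named details described above (time stamp, optional FireCluster member, disposition, addresses, service/protocol, ports, interfaces, connection action, packet length and TTL, policy name, and the trailing key="value" details), then derives the Log Catalog search key by removing the hyphen from msg_id. The field order is assumed from the single example line on this page; the assumptions that the cluster member token is simply absent on a standalone Firebox, that an unresolved service appears as port/protocol, and that tcp_info always has the layout "offset N FLAGS SEQ win W" are mine. The second sample line is constructed to exercise the no-member path.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed layout (from the page's single example line):
#   date time [member] disposition src_ip dst_ip service/proto src_port dst_port
#   src_iface dst_iface action length ttl (policy) key="value" ...
KV_RE = re.compile(r'(\w+)="([^"]*)"')          # trailing key="value" details
POLICY_RE = re.compile(r'\(([^)]*)\)')           # policy name in parentheses
# tcp_info layout is an assumption taken from the one example on the page.
TCP_INFO_RE = re.compile(r'offset (\d+) (\S+) (\d+) win (\d+)')


@dataclass
class TrafficLog:
    timestamp: str
    member: Optional[str]       # FireCluster member, None on a standalone Firebox
    disposition: str            # Allow or Deny
    src_ip: str
    dst_ip: str
    service: str
    protocol: str
    src_port: int
    dst_port: int
    src_iface: str
    dst_iface: str
    action: str                 # connection action, e.g. Allowed
    length: int                 # packet length in bytes
    ttl: int
    policy: str
    fields: dict                # proc_id, rc, src_ip_nat, tcp_info, msg_id, ...


def parse_traffic_log(line: str) -> TrafficLog:
    """Split one Traffic Monitor traffic log line into its named details."""
    fields = dict(KV_RE.findall(line))
    rest = KV_RE.sub("", line)

    policy_match = POLICY_RE.search(rest)
    if policy_match is None:
        raise ValueError("no (policy-name) field in log line")
    policy = policy_match.group(1)
    rest = rest[:policy_match.start()] + rest[policy_match.end():]

    tokens = rest.split()
    # 13 positional tokens on a standalone Firebox, 14 when a cluster member is present.
    if len(tokens) not in (13, 14):
        raise ValueError(f"unexpected positional field count: {len(tokens)}")
    member = tokens[2] if len(tokens) == 14 else None
    t = tokens[3:] if member else tokens[2:]
    # t: disposition src dst svc/proto sport dport siface diface action len ttl

    if t[0] not in ("Allow", "Deny"):
        raise ValueError(f"unexpected disposition: {t[0]!r}")
    service, _, protocol = t[3].partition("/")

    return TrafficLog(
        timestamp=f"{tokens[0]} {tokens[1]}", member=member, disposition=t[0],
        src_ip=t[1], dst_ip=t[2], service=service, protocol=protocol,
        src_port=int(t[4]), dst_port=int(t[5]), src_iface=t[6], dst_iface=t[7],
        action=t[8], length=int(t[9]), ttl=int(t[10]), policy=policy, fields=fields,
    )


def parse_tcp_info(value: str) -> dict:
    """Break the tcp_info detail into offset, TCP flags, sequence number and window."""
    m = TCP_INFO_RE.fullmatch(value)
    if m is None:
        raise ValueError(f"unrecognised tcp_info layout: {value!r}")
    return {"offset": int(m.group(1)), "flags": m.group(2),
            "seq": int(m.group(3)), "win": int(m.group(4))}


def catalog_search_key(msg_id: str) -> str:
    """Log Catalog search key: the message ID with its hyphen removed."""
    return msg_id.replace("-", "")


def source_was_natted(entry: TrafficLog) -> bool:
    """True when src_ip_nat is present and differs from the real source address."""
    nat = entry.fields.get("src_ip_nat")
    return nat is not None and nat != entry.src_ip


# Constructed sample: the page's example line, plus a constructed Deny line from a
# standalone Firebox (no member token; service shown as port/proto; values invented).
SAMPLE_LINES = [
    '2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 '
    '3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" '
    'src_ip_nat="220.127.116.11" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"',
    '2014-07-02 17:40:01 Deny 10.0.1.25 203.0.113.9 8080/tcp 51000 8080 '
    '1-Trusted 0-External Denied 60 64 (Example-Deny-00) proc_id="firewall" msg_id="3000-0148"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        e = parse_traffic_log(raw)
        print(e.timestamp, e.member, e.disposition, f"{e.src_ip}:{e.src_port}",
              f"{e.dst_ip}:{e.dst_port}", e.policy, "natted" if source_was_natted(e) else "",
              "catalog:", catalog_search_key(e.fields["msg_id"]))
```

Reading the key="value" details first and stripping them before splitting on whitespace is what keeps the space-containing tcp_info value from shifting the positional fields; the same approach works for the id= form that Log Manager uses, since the regex does not care which key carries the message ID.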