Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.
Here is an example of one traffic log message from Traffic Monitor:
2014-07-02 17:38:43 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"
When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.
Each log message includes these details:
Time Stamp
The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.
This is the time stamp from the example log message above:
2014-07-02 17:38:43
FireCluster Member Information
If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.
This is the FireCluster member information from the example log message above:
Member2
Disposition
Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.
This is the disposition from the example log message above:
Allow
Source and Destination Addresses
After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.
These are the source and destination addresses from the example log message above:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.
These are the service and protocol from the example log message above:
webcache/tcp
Source and Destination Ports
The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.
These are the source and destination ports from the example log message above:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.
These are the source and destination interfaces from the example log message above:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.
This is the connection action from the example log message above:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.
These are the packet length numbers from the example log message above:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.
This is the policy name from the example log message above:
(Outgoing-proxy-00)
Process
This section of the log message shows the process that handles the traffic.
This is the process from the example log message above:
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is the return code from the example log message above:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.
This is the NAT address from the example log message above:
src_ip_nat="69.164.168.163"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.
This is the packet size from the example log message above:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.
Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.
The is the message ID number from the example log message above:
msg_id="3000-0148"
Source User and Destination User
At the end of each log message for traffic from an authenticated user, you can see the user name associated with the IP addresses, for example src_user="TestUser@Firebox-DB". When you review a log message, the source user appears as the value for the src_user detail and the destination user appears as the value for the dst_user detail.
If you find that the IP address is associated with a different user than you expect, investigate whether something else, such as the SSO Agent, SSO Client, or a mobile VPN client is configured to perform user authentication for that client computer.
For more information about some of the log messages generated by your Firebox, see the Fireware Log Catalog, available on the WatchGuard Firebox and Dimension documentation page.
The message ID numbers included in the Fireware Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. If you search the Log Catalog for a message ID, remove the hyphen from the message ID number.