Each log message generated by your Firebox includes a string of data about the traffic on your Firebox. If you review the log messages in Traffic Monitor, the details in the data have different colors applied to them to help visually distinguish each detail.
Here are examples of traffic log message from Traffic Monitor:
2024-03-29 15:00:50 Member2 Allow 192.168.228.202 10.0.1.1 webcache/tcp 42973 8080 3-Trusted 1-WCI Allowed 60 63 (Outgoing-proxy-00) proc_id="firewall" rc="100" src_ip_nat="69.164.168.163" tcp_info="offset 10 S 2982213793 win 2105" msg_id="3000-0148"
2024-03-29 18:00:54 Allow 10.0.1.2 100.100.100.11 http/tcp 42017 80 Trusted External Allowed (HTTP-proxy.1-00) proc_id="firewall" rc="406" msg_id="3000-0176" src_ip_nat="100.100.100.10" flags="SDdF" duration="14" sent_pkts="10" rcvd_pkts="5" sent_bytes="564" rcvd_bytes="785"
2024-04-01 23:39:46 Deny 10.0.1.131 10.0.1.1 echo-request/icmp Trusted Firebox Denied 84 64 (Ping-00) proc_id="firewall" rc="101" msg_id="3000-0148" type="8" duration="0" sent_pkts="1" rcvd_pkts="0" sent_bytes="84" rcvd_bytes="0"
When you read log messages, you can see details about when the connection for the traffic occurred, the source and destination of the traffic, as well as the disposition of the connection, and other details.
A log message might include these details:
Time Stamp
The log message line begins with a time stamp that includes the time and date that the log message was created. The time stamp uses the time zone and current time from the Firebox.
This is an example of a time stamp from the example log messages:
2024-03-29 15:00:50
FireCluster Member Information
If the log message is from a Firebox that is a member of a FireCluster, the log message includes the cluster member number for the Firebox.
This is an example of FireCluster member information from the example log messages:
Member2
Disposition
Each log message indicates the disposition of the traffic: Allow or Deny. If the log message is for traffic that was managed by a proxy policy instead of a packet filter policy, the traffic may be marked Allow even though the packet body was stripped or altered by the proxy action.
This is an example of disposition from the example log messages:
Allow
Source and Destination Addresses
After the disposition, the log message shows the actual source and destination IP addresses of the traffic. If NAT was applied to the traffic, the NAT addresses appear later in the log message.
This is an example of source and destination addresses from the example log messages:
192.168.228.202 and 10.0.1.1
Service and Protocol
The next entries in the log message are the service and protocol that managed the traffic. The service is specified based on the protocol and port the traffic used, not the name of the policy that managed the traffic. If the service cannot be determined, the port number appears instead.
This is an example of service and protocol from the example log messages:
webcache/tcp
Source and Destination Ports
The next details in the log message are the source and destination ports. The source port identifies the return traffic. The destination port determines the service used for the traffic.
This is an example of source and destination ports from the example log messages:
42973 and 8080
Source and Destination Interfaces
The source and destination interfaces appear after the destination port. These are the physical or virtual interfaces that handle the connection for this traffic.
This is an example of source and destination interfaces from the example log messages:
3-Trusted and 1-WCI
Connection Action
This is the action applied to the traffic connection. For proxy actions, this indicates whether the contents of the packet are allowed, dropped, or stripped.
This is an example of a connection action from the example log messages:
Allowed
Packet Length
The two packet length numbers indicate the packet length (in bytes) and the TTL (Time To Live) value. TTL is a metric used to prevent network congestion by only allowing the packet to pass through a specific number of routing devices before it is discarded.
This is an example of packet length numbers from the example log messages:
60 (packet length) and 63 (TTL)
Policy Name
This is the name of the policy on your Firebox that handles the traffic. The number (-00) is automatically appended to policy names, and is part of the internal reference system on the Firebox.
This is the policy name from the example log message above:
(Outgoing-proxy-00)
Process
This section of the log message shows the process that handles the traffic.
This is an example of a process from the example log messages:
proc_id="firewall"
Return Code
This is the return code for the packet, which is used in reports.
This is an example of a return code from the example log messages:
rc="100"
NAT Address
This is the IP address that appears in place of the actual source IP address of the traffic after it leaves the Firebox interface and the NAT rules have been applied. A destination NAT IP address can also be included.
This is an example of a NAT address from the example log messages:
src_ip_nat="69.164.168.163"
Packet Size
The tcp_info detail includes values for the offset, sequence, and window size for the packet that initiates the connection. The packet size details that are included depend on the protocol type.
This is an example of a packet size from the example log messages:
tcp_info="offset 10 S 2982213793 win 2105"
Message Identification Number
Each type of log message includes a unique message identification number. When you review a log message in Traffic Monitor, the message ID number can appear as the value for either the msg_id= detail or the id= detail. In Log Manager, the message ID number appears as the value for the id= detail.
Some log messages do not include a message ID number. Only log messages that are assigned a message ID number are included in the Log Catalog.
This is an example of a message ID number from the example log messages:
msg_id="3000-0148"
Source User and Destination User
At the end of each log message for traffic from an authenticated user, you can see the user name associated with the IP addresses, for example src_user="TestUser@Firebox-DB". When you review a log message, the source user appears as the value for the src_user detail and the destination user appears as the value for the dst_user detail.
If you find that the IP address is associated with a different user than you expect, investigate whether something else, such as the SSO Agent, SSO Client, or a mobile VPN client is configured to perform user authentication for that client computer.
Flags
In Fireware v12.10.3 or higher, flags includes additional information about the connection. Flags vary by log message type and protocol.
TCP traffic flags:
- S – New (not established) with no response (timeout)
- SR – New (not established) with negative response RST, or a new connection (not established) and denied by firewall policies
- SDdF– Established and normal termination by FIN
- SD – Established with timeout or terminated by RST, or an established connection denied by a security service, such as Intrusion Prevention Service (IPS)
UDP traffic flags:
- D – New with no response (traffic from only one direction) and timeout
- Dd – Established (traffic from both directions) and normal termination
This is an example of flag information from the example log messages:
flags="SDdf"
Connection Duration
In Fireware v12.10.3 or higher, duration is the time in seconds of the established connection.
This is an example of the amount of time from the example log messages:
duration="14"
Packets Sent
In Fireware v12.10.3 or higher, sent_pkts is the total number of packets the Firebox sends.
This is an example of packets sent from the example log messages:
sent_pkts="10"
Packets Received
In Fireware v12.10.3 or higher, rcvd_pkts is the total number of packets the Firebox receives.
This is an example of packets received from the example log messages:
rcvd_pkts="5"
ICMP Type Numbers
In Fireware v12.10.3 or higher, type is the ICMP type number the Firebox receives. For more information, go to ICMP Type Numbers.
This is an example of an ICMP type number from the example log messages:
type="8"
In Fireware v12.10.3 or higher, the Firebox uses the message ID number 3000-0148 for both FWAllow and FWDeny. Policies that you configure might deny FWDeny, as might Firebox internal policies. Fields can differ for traffic log messages with message ID 3000-0148. For example, FWAllow does not include the duration, sent_pkts, rcvd_pkts, or flags fields.
For more information about some of the log messages generated by your Firebox, see the Fireware Log Catalog, available on the WatchGuard Firebox and Dimension documentation page.
The message ID numbers included in the Fireware Log Catalog do not include the hyphens that appear in the message ID number in Traffic Monitor and Log Manager. If you search the Log Catalog for a message ID, remove the hyphen from the message ID number.