Contents x
      Viewing Logs
      • 08 May 2023
      • Dark
        Light
      Contents

      Viewing Logs

      • Updated on 08 May 2023
      • Dark
        Light
      Article Summary

      Viewing Logs and Traffic

      Enabling Traffic Logs

      Traffic logs are the most common type of log to view. These logs are retrieved from a logfile and are not live data (more on how to see that later). When traffic passes through the firewall, it is evaluated against Security Policies. The matched security policy needs to specify whether the traffic is logged in order for logs to appear. As policy evaluation is session-based, the types of logging are:

      • Log at Session Start: When the flow session starts. Even if the flow is ongoing, logs will exist for the session from this point onwards. This option is also used for any polices that deny traffic. If you want to verify that traffic is being denied, select this option.
      • Log at Session End: A log entry is only made after the session ends. Any sessions in-progress, or traffic that is denied or dropped, is not logged here.

      Note that regardless of the Log option selected (or if none are selected), you can view active traffic in the Session Browser. More on that later.

      Viewing Traffic Logs

      Once logged into your Multi-Cloud Firewall, navigate to Monitor Logs Traffic. Here you’ll see many fields. Clicking on a value in any field will build a filter at the top. Alternatively, you can build a filter by clicking on the + button to the right of the search box.

      The basic format is:

      (attribute operator value) connector (attribute operator value) connector etc….

      For example:

      (addr in 192.168.12.0/26) and (rule neq internet-access) and not (src_mac eq 'AA:BB:CC:DD:EE:FF')

      This means to show all traffic logs that match these conditions:

      • Address is included in the subnet 192.168.12.0/26 and
      • Security Policy does not equal internet-access and
      • the source MAC address is not equal to AA:BB:CC:DD:EE:FF

      Session Browser

      Regardless of how logging is set on a per-Security Policy basis, the Session Browser always shows active sessions. To find this, navigate to Monitor Session Browser.

      Each line here is a session, and clicking the + at the far left with expand to show details and both uni-directional flows that comprise the session. Creating filters follows a similar logic to Traffic Logs above, except you must match addresses exactly by host.

      As these are live sessions, you also have the ability to clear them by clicking the X on the far right of each row. This will force any new traffic to be re-evaluated as a fresh session.

      Was this article helpful?
      What's Next
      Expedient Homepage

      To open a Support Ticket please visit the Support Management Console