Logs

This menu is not displayed by default. To see it in the firewall's web administration interface, select Show the "Logs" menu (Preferences > Log preferences menu).

Possible operations

Toolbar no. 1: period and display mode

Time scale

This field allows choosing the period: Last hour, Today, past 7 days, past 30 days and customized duration.

  • The past hour runs up to the minute before the current one.
  • The Today view covers the current day, from the previous midnight up to the minute before the data is refreshed.
  • The past 7 and 30 days refer to the period that ended at midnight the day before.
  • The customized duration lets you define a set period; it covers whole days, except for the current day, for which data runs up to the previous minute.

The button is a shortcut allowing you to select a customized duration.
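The following is an added example, not the firewall's own code: it computes the from/to boundaries of each time scale according to the rules above, in the DD/MM/YYYY HH:MM:SS format the interface uses in its SEARCH FROM ... TO banner, so that a scripted query over exported logs covers the same window as the web interface. The scale names and the string-based inputs are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Format of the "SEARCH FROM - ... - TO - ..." banner shown above the log table.
FMT = "%d/%m/%Y %H:%M:%S"

def query_period(scale, now, start_day=None, end_day=None):
    """Return the (from, to) strings of the queried period; "to" is exclusive.
    scale: "last_hour", "today", "last_7_days", "last_30_days" or "custom"
    (names assumed for this example). now is "DD/MM/YYYY HH:MM:SS";
    start_day/end_day are "DD/MM/YYYY" and only used for "custom"."""
    now = datetime.strptime(now, FMT)
    cur_minute = now.replace(second=0, microsecond=0)   # the current minute is never included
    midnight = cur_minute.replace(hour=0, minute=0)      # previous midnight
    if scale == "last_hour":
        start, end = cur_minute - timedelta(hours=1), cur_minute
    elif scale == "today":
        start, end = midnight, cur_minute
    elif scale in ("last_7_days", "last_30_days"):
        days = 7 if scale == "last_7_days" else 30
        start, end = midnight - timedelta(days=days), midnight   # ended yesterday at midnight
    elif scale == "custom":
        start = datetime.strptime(start_day, "%d/%m/%Y")
        end = datetime.strptime(end_day, "%d/%m/%Y") + timedelta(days=1)
        # whole days, except the current day, which stops at the previous minute
        end = min(end, cur_minute)
    else:
        raise ValueError("unknown time scale: " + scale)
    return start.strftime(FMT), end.strftime(FMT)
```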

Refresh

This button allows you to refresh the display of data.

Line view / Grid view

Displays logs in lines or arranged in a table. The line view highlights the values of fields that match search criteria.

Expand all the elements / Collapse elements

Displays all fields or only main fields.

Toolbar no. 2: simple or advanced searches

Change search modes using the "Simple search" / "Advanced search" button.

The "reinit. Columns" button restores the default display settings: it shows the columns that were hidden and resets any column widths that were modified.

Simple search mode

In this default search mode, the appliance will search for the value entered in all the fields of the log files displayed.

This search only covers field values, and not field names. For example, to filter blocked connections, enter the value “block” in the search field, instead of “action=block”. For source or destination countries, use the country code (example: fr, en, us...).

(field for entering the search value)

To create the search, enter text in the field or drag and drop the value from a result field. The name of an object can also be dragged and dropped directly into this field from the Network objects module.

Advanced search mode

In advanced mode, several search criteria can be combined. All of these criteria have to be met for a log line to be displayed, as the search criteria are cumulative.

This combination of search criteria can then be saved as a “filter”. Filters will then be saved in memory and can be reset in the Preferences module of the administration interface.

(Filter drop-down menu)

Select a filter to launch the corresponding search. The list suggests filters that have been saved previously and, for certain Views, predefined filters. Selecting the entry (New filter) clears the current criteria so that a new filter can be defined.

Save

Saves the criteria defined in the Filter panel (described in the next section) as a customized filter. Using the "Save as" button, you can save a new filter based on an existing filter or on a predefined filter offered in certain Views. Once a filter has been saved, it will automatically be offered in the list of filters.

Delete

Delete a customized filter saved earlier.

FILTER panel

You can add a search criterion either by clicking on Add a criterion, or by dragging a value from the results field and dropping it in the panel.

The filter creation window allows you to either apply or add the defined criterion. The Add button keeps the window open in order to define several criteria successively before launching the search.

Add a criterion

To add a search criterion, click on this button in order to open a window to edit a criterion, for which you need to enter the following 3 elements:

  • A Field in which the value will be searched. Selecting any will enable searches in all values contained in the logs.
    In this list, the translated name of the field is displayed as well as the original name between brackets (token). The main fields are displayed in black and secondary fields in gray, corresponding to the display of the button Expand all the elements / Collapse elements.
  • A comparison criterion (operator) that will be applied to the value sought. These operators are: equal to, different from, contains, does not contain, starts with and ends with.
  • A Value to look for according to the criteria selected earlier. For source or destination countries, use the country code (example: fr, en, us...).

Once the criterion has been set up, it will be added to this Filter panel. The following actions can be performed on this criterion:

  • Delete it, using its delete icon. Deleting a criterion automatically refreshes the search of the modified filter, without this criterion.
  • Edit it, using its edit icon, in a window similar to the one used during its creation. The editing window only allows you to apply the search.
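The following is an added example, not the firewall's own code: it re-implements the search semantics described above (simple mode matching values only, never field names; advanced mode combining (field, operator, value) criteria cumulatively, with the six operators and the any field) over log lines in the token=value format, so that an exported log can be filtered offline with the same rules. It also expresses some of the predefined view filters mentioned later on this page as criteria lists. The sample lines are constructed, and the rule that a criterion on a field absent from a line never matches is an assumption.

```python
import shlex

# Constructed sample log lines in token=value form (hosts and values are made up).
SAMPLE_LOGS = [
    'id=firewall time="08/01/2024 10:15:02" pri=4 action=block src=10.0.0.5 dst=203.0.113.7 dstport=443 srccountry=fr',
    'id=firewall time="08/01/2024 10:15:09" pri=1 action=pass src=10.0.0.6 dst=198.51.100.2 dstport=25 spamlevel=3 virus=infected',
    'id=firewall time="08/01/2024 10:16:00" pri=5 action=pass src=10.0.0.7 dst=192.0.2.9 dstport=80 spamlevel=0',
]

def parse_line(line):
    """Split a token=value line into a dict; quoted values may contain spaces."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

# The six operators offered in the criterion editing window.
OPERATORS = {
    "equal to":         lambda v, w: v == w,
    "different from":   lambda v, w: v != w,
    "contains":         lambda v, w: w in v,
    "does not contain": lambda v, w: w not in v,
    "starts with":      lambda v, w: v.startswith(w),
    "ends with":        lambda v, w: v.endswith(w),
}

def simple_search(records, text):
    """Simple mode: the text is matched against field values only, never field names
    (so "block" finds blocked connections, while "action=block" finds nothing)."""
    return [r for r in records if any(text in v for v in r.values())]

def advanced_search(records, criteria):
    """Advanced mode: criteria are (field, operator, value) triples, all of which must
    hold (they are cumulative). Field "any" tries the operator on every value of the
    line. Assumption: a criterion on a field absent from a line never matches."""
    def holds(rec, field, op, value):
        test = OPERATORS[op]
        if field == "any":
            return any(test(v, value) for v in rec.values())
        return field in rec and test(rec[field], value)
    return [r for r in records if all(holds(r, *c) for c in criteria)]

# Some predefined view filters from this page, written as criteria lists.
PREDEFINED = {
    "E-mails: spam":        [("spamlevel", "different from", "0")],  # spamlevel entered and != 0
    "E-mails: virus":       [("virus", "equal to", "infected")],
    "System events: major": [("pri", "equal to", "1")],
}
```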

Information

Above the table displaying the logs, the queried period will be shown, according to the value selected in the drop-down menu in the 1st toolbar. This period is displayed as:

SEARCH FROM - DD/MM/YYYY HH:MM:SS – TO - DD/MM/YYYY HH:MM:SS

Below the log table, the following information will be shown:

  • Number of the page displayed,
  • Number of logs displayed in the page,
  • Period covered by the logs shown in the page,
  • The UTM’s date and time (information that will be useful if the administrator’s workstation does not have the same settings).

Toolbar no. 3: level of detail, printing and exporting data

Expand all the elements / Collapse elements

Displays all fields or only main fields.

Export data

This button allows downloading data in CSV format. The values are separated by commas and saved in a text file. This makes it possible to reopen the file in a spreadsheet program such as Microsoft Excel.

Print

This button opens the preview window in order to print logs. The Print button sends the file to the browser's print module, which allows choosing to print or to generate a PDF file.

Displaying details of a row of logs

Clicking on a row in a log or view automatically shows the details of the row in a window to the right of the table. Buttons make it possible to hide or show this window.

Interactive features

Regardless of the display mode (line/grid), the values displayed in the log reading window offer two categories of interactions: ACTION and CONFIGURATION. Right-clicking opens a menu that offers the following actions:

Simple search mode

ACTION:

  • Add this value as a search criterion: shortcut for creating a criterion that searches for the value in the corresponding field and in the whole log or view. This search type is the same as dragging and dropping the value.

CONFIGURATION:

  • Go to the corresponding security rule: shortcut to open the Filter and NAT module and highlight the selected rule corresponding to the selected log line.

Advanced search mode

ACTION:

  • Add a criterion for this field/value: shortcut for creating a criterion that searches for the value in the corresponding field and in the whole log or view. To avoid the repetition of the value sought, the corresponding column will be automatically hidden in the grid view. This search type is the same as dragging and dropping the value.
  • Add a difference criterion to this value: shortcut for creating a criterion that searches for any value that is different from the one selected in the corresponding field and in the whole log or view.

CONFIGURATION:

  • Go to the corresponding security rule: shortcut to open the Filter and NAT module and highlight the selected rule corresponding to the selected log line.

IP addresses and objects

ACTION:

  • Search for this value in the "All logs" view: shortcut to open the "All logs" view filtered by the selected value.
  • Show host details: opens a window showing additional information about the selected host. The following information is given:
    • Host's reputation score
    • Geolocation
    • Vulnerabilities
    • Time taken to respond to the ping and network path (traceroute) to contact the host.
  • Reset this object's reputation score: by clicking on this menu, the reputation score of the selected object will be reset to zero.
  • Blacklist this object: makes it possible to place a host, IP address range or network in a blacklist (quarantine). The firewall will therefore reject such selected objects for a specific duration, which can be set in the sub-menu for this action:
    • For 1 minute,
    • For 5 minutes,
    • For 30 minutes,
    • For 3 hours.

    Once this duration has lapsed, the object in question will be allowed to go through the firewall again as long as it complies with the active security policy.

CONFIGURATION:

  • Add the host to the Object base and/or add it to a group: this option allows creating a host and/or adding it to a group from a log file. As such, a host that has been identified as vulnerable can, for example, be added to a group with a strengthened protection profile (cf. Technical Note Collaborative security).
    This option appears on fields that contain IP addresses (source, destination) or object names (source name, destination name). A window will appear, in which you can:
    • Save the object in the database if it is an IP address,
    • Select the appropriate object if the IP address corresponds to several objects,
    • Add it to an existing group. This group may correspond to a quarantine of predefined vulnerable objects.

URLs

ACTION:

  • Search for this value in the "All logs" view: shortcut to open the "All logs" view filtered by the selected value.
  • Show host details: opens a window showing additional information about the selected host. The following information is given:
    • Host's reputation score
    • Geolocation
    • Vulnerabilities
    • Time taken to respond to the ping and network path (traceroute) to contact the host.
  • Reset this object's reputation score: by clicking on this menu, the reputation score of the selected object will be reset to zero.
  • Blacklist this object: makes it possible to place a host, IP address range or network in a blacklist (quarantine). The firewall will therefore reject connections to and from such selected objects for a specific duration, which can be set in the sub-menu for this action:
    • For 1 minute,
    • For 5 minutes,
    • For 30 minutes,
    • For 3 hours.

    Once this duration has lapsed, the object in question will be allowed to initiate or accept connections as long as it complies with the active security policy.

CONFIGURATION:

  • Add the host to the Object base and/or add it to a group: this option allows creating a host and/or adding it to a group from a log file. As such, a host that has been identified as vulnerable can, for example, be added to a group with a strengthened protection profile (cf. Technical Note Collaborative security).
    This option appears on fields that contain IP addresses (source, destination) or object names (source name, destination name). A window will appear, in which you can:
    • Save the object in the database if it is an IP address,
    • Select the appropriate object if the IP address corresponds to several objects,
    • Add it to an existing group. This group may correspond to a quarantine of predefined vulnerable objects.
  • Add the URL to a group: this option allows adding a URL to a group from a log file. As such, URLs that have been identified as malicious or undesirable may, for example, be added to a customized group that will be subject to URL filtering.
    This option appears on fields that contain URLs (destination name). A window will appear, enabling:
    • URLs to be added to an existing group. This group may correspond to a category of prohibited URLs, for example.

Ports

CONFIGURATION:

  • Add the service to the objects base and/or add it to a group: this option allows creating a service and/or adding it to a group from a log file. As such, services that have been identified as vulnerable or undesirable may, for example, be added to a group of prohibited services in filter rules.
    This option appears on fields that contain port numbers or service names (source port, destination port, name of the source port, name of the destination port, etc.). A window will appear, enabling:
    • The object to be saved in the database if it is a port number,
    • The object to be added to an existing group. This group may correspond to a category of prohibited services.

Network packets

ACTION:

  • Export the packet: this option makes it possible to export the captured packet in pcap format in order to analyze it using tools such as Wireshark. To start capturing packets, the checkbox Capture the packet that raised the alarm must be selected in the configuration of the alarm in question (Application protection > Applications and protections module > Advanced column > click on Configure).

Views

  • All logs

This view displays all logs: Administration, Alarms, Authentication, Network connections, Filter, FTP proxy, IPSec VPN, Application Connections, POP3 proxy, SMTP proxy, SSL proxy, System events, Vulnerabilities, HTTP proxy and SSL VPN.

NOTE

If the user does not have admin privileges, the Administration log will not be taken into account in this view.

  • Network traffic

This view displays Network connections, Filter, FTP proxy, Application connections, POP3 proxy, SMTP proxy, SSL proxy, HTTP proxy and SSL VPN logs.

Two predefined filters searching for IPv4 traffic and IPv6 traffic are offered.

  • Threats

This view displays the Alarms log according to certain categories: only alarms that do not belong to the filter alarm category are displayed.

Three predefined filters that search for Application (classification=1), Malware (classification=2) or Protection (classification=0) vulnerabilities are offered.

  • Web

This view displays Network connections, Application connections, and HTTP proxy logs according to certain categories:

  • The Network connections logs only display logs whose standard service corresponding to the destination port is HTTP, HTTPS or HTTP_PROXY.
  • The Application connections log only displays logs with an associated plugin name that is either HTTP or HTTPS.

A predefined filter that looks for detected viruses is offered.

  • Vulnerabilities

This view displays the Vulnerabilities log.

Two predefined filters that search for Client (targetclient=1) and Server (targetserver=1) vulnerabilities are offered.

  • E-mails

This view displays Network connections, Application connections, POP3 proxy and SMTP proxy logs according to certain categories:

  • The Network connections logs only display logs whose standard service corresponding to the destination port is SMTP, SMTPS, POP3, POP3S, IMAP or IMAPS.
  • The Application connections log only displays logs with an associated plugin name that is either SMTP, SMTPS, POP3, POP3S, IMAP or IMAPS.

Two predefined filters that search for detected viruses (virus=infected) and detected spam (spamlevel entered and different from 0) are offered.

  • VPN

This view displays IPSec VPN, System events and SSL VPN logs according to certain categories; the System events log only displays logs for which the reference message is PPTP.

  • System events

This view displays Alarms and System events logs according to certain categories; the Alarms log only displays logs belonging to the system alarm category.

Two predefined filters that search for Minor (pri = 4) or Major (pri = 1) levels are offered.

  • Filtering

This view displays Alarms and Filter logs according to certain categories; the Alarms log only displays logs belonging to the filter alarm category.

  • Sandboxing

This view displays the Sandboxing log.

  • Users

This view displays the Authentication log.

Logs

The list of logs displayed in the menu and the name of the corresponding log file is shown below:

Menu entry                          Log file
Administration                      l_server
Alarms                              l_alarm
Authentication                      l_auth
Network connections                 l_connection
Filtering                           l_filter
FTP proxy                           l_ftp
IPSec VPN                           l_vpn
Application connections (plugin)    l_plugin
POP3 proxy                          l_pop3
SMTP proxy                          l_smtp
SSL proxy                           l_ssl
System events                       l_system
Vulnerabilities                     l_pvm
HTTP proxy                          l_web
SSL VPN                             l_xvpn
Sandboxing                          l_sandboxing

NOTE

If the user does not have admin privileges, the Administration log will not be accessible.

NOTE

If the time on the appliance is changed, a yellow line indicating this change will be shown for each log queried. This line is logged when the change is made.

As a result, the period displayed may no longer correspond to the expected number of hours. For example, if the time on the appliance has been moved back by one hour, the log for the past day will show logs for the past 25 hours. Likewise, if a search is launched for a time that occurs both before and after the change, the search will be conducted in all logs, meaning before and after the change of time on the appliance.