Cloud Firewall Log Formats
Cloud firewall logs show traffic that has been handled by the Secure Access cloud-delivered firewall (CDFW). For information about the size of a log file, see Estimate the Size of a Log.
Example
An example v10 Cloud Firewall log.
timestamp,origin IDs,identities,identity type,direction,protocol,packet size,source IP,source port,destination IP,destination port,data center,rule ID,action,fqdns,destination list IDs,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,private resource id,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id
"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","146.112.255.129","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","","","","","","[]","","","","2204063"
Order of Fields in the Cloud Firewall Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the Cloud Firewall logs.
timestamp,origin ids,identities,identity type,direction,protocol,packet size,source ip,source port,destination ip,destination port,data center,rule id,action,fqdns,destination list ids,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,private resource id,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the cloud-delivered firewall traffic event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v1 |
origin ids | The unique identity of the network tunnel. | v1 |
identities | The names of the network tunnel. | v5 |
identity type | The type of identity that made the request. Should always be CDFW Tunnel Device. | v5 |
direction | The direction of the packet. It is destined either towards the internet or to the customer's network. | v1 |
protocol | The actual protocol of the traffic. Valid values are: TCP, UDP, or ICMP. | v1 |
packet size | The size in bytes of the packet sent to the CDFW. | v1 |
source ip | The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address. | v1 |
source port | The internal port number of the user-generated traffic towards the CDFW. | v1 |
destination ip | The destination IP address of the user-generated traffic towards the CDFW. | v1 |
destination port | The destination port number of the user-generated traffic towards the CDFW. | v1 |
data center | The name of the data center that processed the user-generated traffic. | v1 |
rule id | The ID of the rule that processed the user traffic. | v1 |
action | The final verdict whether to allow or block the traffic based on the rule. | v1 |
fqdns | The fully qualified domain names (FQDNs) that match the request. | v8 |
destination list ids | The destination list IDs that Secure Access applied in the rule. | v8 |
first packet timestamp | The time, in seconds (UTC), at which the first packet of the session was received. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
last packet timestamp | The time, in seconds (UTC), at which the last packet of the session was received. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
packets sent | The number of packets sent during the session. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
packets received | The number of packets received during the session. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
bytes sent | The number of bytes sent during the session. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
bytes received | The number of bytes received during the session. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
fw event id | The ID of the firewall event. Populated only for traffic handled by Cisco Secure Firewall. | v9 |
destination country | The ISO-3166 alpha-2 two-character identifier of the country associated with the destination IP. | v10 |
app id | The unique application ID identified for the current session. | v10 |
private resource id | The unique private resource ID identified for the current session. | v10 |
private app group id | The unique ID of the private resource group that the private resource belongs to. | v10 |
private flow | TRUE if Secure Access applied a private access rule to the user-generated traffic, and FALSE if Secure Access applied an internet access rule. | v10 |
posture id | The unique ID of the endpoint posture profile. | v10 |
casi category ids | Name of the Application category to which the App ID belongs. | v10 |
traffic source | The source of the user-generated traffic. Valid values are 0 - Unknown, 1 - VPN, 2 - ZTNA, 3 - Network Tunnel. | v10 |
content category ids | ID of one or more content categories matched by the rule. | v10 |
content category list ids | ID of one or more content category lists that include categories matched by the rule. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
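A parser for this format has to cope with three things visible on the page: the stray space after a comma in the example row, empty strings for unpopulated fields, and session counters that only exist for traffic handled by Cisco Secure Firewall. The following is an added Python example, not Cisco's code: it validates the header against the v10 field list above, maps each row onto those fields, and extracts the BLOCK verdicts. The sample embeds the page's own example row plus a constructed BLOCK row; `blocked_flows` is a hypothetical helper.

```python
import csv
import io
from datetime import datetime, timezone

# v10 header row as listed on this page (lower-cased; the sample header mixes case).
V10_HEADER = ("timestamp,origin ids,identities,identity type,direction,protocol,packet size,source ip,"
              "source port,destination ip,destination port,data center,rule id,action,fqdns,destination list ids,"
              "first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,"
              "bytes received,fw event id,destination country,app id,private resource id,private app group id,"
              "private flow,posture id,casi category ids,traffic source,content category ids,"
              "content category list ids,organization id").split(",")
INT_FIELDS = {"packet size", "source port", "destination port", "first packet timestamp",
              "last packet timestamp", "packets sent", "packets received", "bytes sent", "bytes received"}
LIST_FIELDS = {"fqdns", "destination list ids"}
TRAFFIC_SOURCE = {"0": "Unknown", "1": "VPN", "2": "ZTNA", "3": "Network Tunnel"}

def convert(name, raw):
    # One v10 field: "" -> None, counters -> int, comma-joined ids -> list, traffic source -> label.
    if raw == "":                         # unpopulated, e.g. counters for non-Secure-Firewall traffic
        return None
    if name in INT_FIELDS:
        return int(raw)
    if name in LIST_FIELDS:
        return raw.split(",")
    if name == "traffic source":
        return TRAFFIC_SOURCE.get(raw, raw)
    return raw

def parse_v10_row(row):
    if len(row) != len(V10_HEADER):
        raise ValueError(f"expected {len(V10_HEADER)} fields, got {len(row)}")
    rec = {name: convert(name, raw) for name, raw in zip(V10_HEADER, row)}
    # Timestamps are UTC strings; keep them UTC instead of converting to local time.
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return rec

def parse_v10_log(text):
    """Parse a header-prefixed v10 log; other schema versions are rejected up front."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)  # tolerates the ', "' in the sample row
    header = [h.strip().lower() for h in next(reader)]
    if header != V10_HEADER:
        raise ValueError("header does not match the v10 Cloud Firewall schema")
    return [parse_v10_row(r) for r in reader if r]

def blocked_flows(records):  # hypothetical helper: (source ip, destination ip, destination port) per BLOCK
    return [(r["source ip"], r["destination ip"], r["destination port"]) for r in records if r["action"] == "BLOCK"]

# Constructed sample: the page's own example row, then an invented BLOCK row tagged as network-tunnel traffic.
SAMPLE = "\n".join([
    "timestamp,origin IDs,identities,identity type,direction,protocol,packet size,source IP,source port,destination IP,destination port,data center,rule ID,action,fqdns,destination list IDs,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,private resource id,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id",
    '"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","146.112.255.129","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","","","","","","[]","","","","2204063"',
    '"2024-06-14 19:00:03","[211039844]","Passive Monitor","CDFW Tunnel Device","OUTBOUND","TCP","60","172.17.3.9","51022","203.0.113.10","23","ams1.edc","7","BLOCK","","","","","","","","","","","","","","","","","3","","","2204063"',
])
```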