Cloud Firewall Log Formats

Cloud firewall logs show traffic that has been handled by the Secure Access cloud-delivered firewall (CDFW). For information about the size of a log file, see Estimate the Size of a Log.

Example

An example v10 Cloud Firewall log.

timestamp,origin IDs,identities,identity type,direction,protocol,packet size,source IP,source port,destination IP,destination port,data center,rule ID,action,fqdns,destination list IDs,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,aws region,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id
"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","146.112.255.129","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","","","","","","[]","","","","2204063"

Order of Fields in the Cloud Firewall Log

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.

V10 Log Format

The CSV fields in the header row of the Cloud Firewall logs.

timestamp,origin ids,identities,identity type,direction,protocol,packet size,source ip,source port,destination ip,destination port,data center,rule id,action,fqdns,destination list ids,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,aws region,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id

The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.

Field name (release version): Description

timestamp (v1): The date and time of the cloud-delivered firewall traffic event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41).

Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone.

origin ids (v1): The unique identity of the network tunnel.

identities (v5): The names of the network tunnel.

identity type (v5): The type of identity that made the request. Should always be CDFW Tunnel Device.

direction (v1): The direction of the packet. It is destined either towards the internet or to the customer's network.

protocol (v1): The actual protocol of the traffic. Valid values are: TCP, UDP, or ICMP.

packet size (v1): The size in bytes of the packet sent to the CDFW.

source ip (v1): The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to the CDFW, it will be the NAT IP address.

source port (v1): The internal port number of the user-generated traffic towards the CDFW.

destination ip (v1): The destination IP address of the user-generated traffic towards the CDFW.

destination port (v1): The destination port number of the user-generated traffic towards the CDFW.

data center (v1): The name of the data center that processed the user-generated traffic.

rule id (v1): The ID of the rule that processed the user traffic.

action (v1): The final verdict whether to allow or block the traffic based on the rule.

fqdns (v8): The fully qualified domain names (FQDNs) that match the request.

destination list ids (v8): The destination list IDs that Secure Access applied in the rule.

first packet timestamp (v9): The timestamp when the first packet of the session was received, in UTC, in seconds. Populated only for traffic handled by Cisco Secure Firewall.

last packet timestamp (v9): The timestamp when the last packet of the session was received, in UTC, in seconds. Populated only for traffic handled by Cisco Secure Firewall.

packets sent (v9): The number of packets sent during the session. Populated only for traffic handled by Cisco Secure Firewall.

packets received (v9): The number of packets received during the session. Populated only for traffic handled by Cisco Secure Firewall.

bytes sent (v9): The number of bytes sent during the session. Populated only for traffic handled by Cisco Secure Firewall.

bytes received (v9): The number of bytes received during the session. Populated only for traffic handled by Cisco Secure Firewall.

fw event id (v9): The ID of the firewall event. Populated only for traffic handled by Cisco Secure Firewall.

destination country (v10): The ISO-3166 alpha-2 two-character identifier of the country associated with the destination IP.

app id (v10): The unique application ID identified for the current session.

aws region (v10): The AWS region that stores your VPN logs.

private app group id (v10): The unique ID of the private resource group that the private resource belongs to.

private flow (v10): TRUE if Secure Access applied a private access rule to the user-generated traffic, and FALSE if Secure Access applied an internet access rule.

posture id (v10): The unique ID of the endpoint posture profile.

casi category ids (v10): Name of the application category to which the App ID belongs.

traffic source (v10): The source of the user-generated traffic. Valid values are 0 - Unknown, 1 - VPN, 2 - ZTNA, 3 - Network Tunnel.

content category ids (v10): ID of one or more content categories matched by the rule.

content category list ids (v10): ID of one or more content category lists that include categories matched by the rule.

organization id (v10): The Secure Access organization ID. For more information, see Find Your Organization ID.
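The following parser is an added example, not code from Cisco or from this page. It reads the v10 header row and the example record shown above, applies the field semantics from the table (empty string means no value, epoch-second timestamps, comma-separated list fields, the traffic source codes), and runs a few consistency checks an ingest pipeline would want. Two details worth noticing: the sample record has a stray space before "CDFW Tunnel Device", which the csv module only handles correctly with skipinitialspace=True; and the sample's protocol field carries the IANA protocol number "1" (ICMP) rather than the name, so the mapping from numbers to names (1, 6 and 17 are standard IANA values, not taken from this page) is an assumption about what real exports may contain.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample: the v10 header row and the example record from the page,
# including the stray space before "CDFW Tunnel Device".
SAMPLE_LOG = '''timestamp,origin ids,identities,identity type,direction,protocol,packet size,source ip,source port,destination ip,destination port,data center,rule id,action,fqdns,destination list ids,first packet timestamp,last packet timestamp,packets sent,packets received,bytes sent,bytes received,fw event id,destination country,app id,aws region,private app group id,private flow,posture id,casi category ids,traffic source,content category ids,content category list ids,organization id
"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","146.112.255.129","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","","","","","","[]","","","","2204063"
'''

# Assumption: the field may carry an IANA protocol number instead of a name.
PROTOCOL_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}
# Codes listed in the "traffic source" field description.
TRAFFIC_SOURCES = {"0": "Unknown", "1": "VPN", "2": "ZTNA", "3": "Network Tunnel"}
INT_FIELDS = {"packet size", "source port", "destination port", "rule id",
              "packets sent", "packets received", "bytes sent", "bytes received"}
EPOCH_FIELDS = {"first packet timestamp", "last packet timestamp"}
LIST_FIELDS = {"fqdns", "destination list ids",
               "content category ids", "content category list ids"}


def normalize(rec):
    """Apply the per-field semantics from the log format table."""
    out = {}
    for key, value in rec.items():
        if value == "":
            out[key] = None  # Secure Access writes "" when a field has no value
        elif key in INT_FIELDS:
            out[key] = int(value)
        elif key in EPOCH_FIELDS:
            out[key] = datetime.fromtimestamp(int(value), tz=timezone.utc)
        elif key in LIST_FIELDS:
            out[key] = value.split(",")
        elif key == "timestamp":
            # The timestamp is UTC and is never converted to local time.
            out[key] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        elif key == "protocol":
            out[key] = PROTOCOL_NAMES.get(value, value.upper())
        elif key == "traffic source":
            out[key] = TRAFFIC_SOURCES.get(value, value)
        elif key == "private flow":
            out[key] = value.upper() == "TRUE"
        else:
            out[key] = value
    return out


def parse_cfw_log(text):
    """Return one dict per record, keyed by the lower-cased header names."""
    # skipinitialspace=True: without it, the field after "Passive Monitor",
    # would keep its quote characters because of the leading space.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip().lower() for h in next(reader)]
    records = []
    for row in reader:
        if not row:
            continue
        if len(row) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(row)}")
        records.append(normalize(dict(zip(header, row))))
    return records


def check_record(rec):
    """Consistency checks for an ingest pipeline; returns a list of problems."""
    problems = []
    if rec["identity type"] != "CDFW Tunnel Device":
        problems.append(f"unexpected identity type {rec['identity type']!r}")
    first, last = rec["first packet timestamp"], rec["last packet timestamp"]
    if first and last and last < first:
        problems.append("last packet timestamp precedes first packet timestamp")
    if first and rec["timestamp"] < first:
        problems.append("event timestamp precedes first packet timestamp")
    if rec["traffic source"] not in (None, *TRAFFIC_SOURCES.values()):
        problems.append(f"unknown traffic source {rec['traffic source']!r}")
    return problems


if __name__ == "__main__":
    for record in parse_cfw_log(SAMPLE_LOG):
        print(record["timestamp"], record["protocol"], record["action"], record["fqdns"])
        print("problems:", check_record(record) or "none")
```

The checks in check_record are deliberately limited to what the field descriptions state (identity type, session timestamp ordering, the traffic source code set); anything a real deployment knows about its own rule IDs or data centers can be added alongside them.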


Admin Audit Log Formats < Cloud Firewall Log Formats > Data Loss Prevention (DLP) Log Formats