Cloud Firewall Log Formats
Cloud firewall logs show traffic that has been handled by Secure Access cloud-delivered firewall. For information about the size of a log file, see Estimate the Size of a Log.
Examples
Examples of Cloud Firewall Logs.
V8, V9 Log Samples
"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","146.112.255.129", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"
Order of Fields in the Cloud Firewall Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V8, V9 Log Formats
The CSV fields in the header row of the Cloud Firewall logs.
timestamp,origin IDs,identities,identity type,direction,protocol,packet size,source IP,source port,destination IP,destination port,data center,rule ID,action,fqdns,destination list IDs
- timestamp—The timestamp of the request transaction in UTC.
- origin IDs—The unique identity of the network tunnel.
- identities—The names of the network tunnel.
- identity type—The type of identity that made the request. Should always be "CDFW Tunnel Device".
- direction—The direction of the packet. It is destined either towards the internet or to the customer's network.
- protocol—The actual protocol of the traffic. Valid values are: TCP, UDP, or ICMP.
- packet size—The size of the packet sent to the CDFW.
- source IP—The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
- source port—The internal port number of the user-generated traffic towards the CDFW.
- destination IP—The destination IP address of the user-generated traffic towards the CDFW.
- destination port—The destination port number of the user-generated traffic towards the CDFW.
- data center—The name of the data center that processed the user-generated traffic.
- rule ID—The ID of the rule that processed the user traffic.
- action—The final verdict whether to allow or block the traffic based on the rule.
- fqdns—The fully qualified domain names (FQDNs) that match the request.
- destination list IDs—The destination list IDs that Secure Access applied in the rule.
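As an added example (not code from the Secure Access documentation), the following Python parses V8/V9 lines in the field order above, treating "" as no value and splitting the two comma-separated list fields, then pulls out the BLOCK verdicts for review. It assumes the protocol field may carry an IANA protocol number, as the "1" in the sample line suggests; the second log line in the sample is constructed.

```python
import csv
import io
from typing import Any, Dict, List

# Field order of the V8/V9 cloud firewall log header row, as listed on this page.
CDFW_FIELDS = [
    "timestamp", "origin IDs", "identities", "identity type", "direction",
    "protocol", "packet size", "source IP", "source port", "destination IP",
    "destination port", "data center", "rule ID", "action", "fqdns",
    "destination list IDs",
]

# Assumption: protocol may be an IANA number (the page's sample shows "1").
PROTOCOL_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}

# Constructed sample: the page's V8/V9 line plus one made-up BLOCK line.
SAMPLE_LOG = (
    '"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device",'
    '"OUTBOUND","1","84","172.17.3.4","","146.112.255.129", "","ams1.edc","12",'
    '"ALLOW","google.com,apple.com","44,66"\n'
    '"2019-01-14 18:04:10","[211039844]","Passive Monitor","CDFW Tunnel Device",'
    '"OUTBOUND","6","1500","172.17.3.9","51234","203.0.113.5","443","ams1.edc",'
    '"3","BLOCK","","7"\n'
)


def parse_cdfw_line(line: str) -> Dict[str, Any]:
    """Parse one log line: "" becomes None, list fields become lists,
    packet size and ports become int, protocol numbers become names."""
    # skipinitialspace absorbs the ", " after some commas in the sample line.
    row = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    if len(row) != len(CDFW_FIELDS):
        raise ValueError(f"expected {len(CDFW_FIELDS)} fields, got {len(row)}")
    rec: Dict[str, Any] = {k: (v or None) for k, v in zip(CDFW_FIELDS, row)}
    for key in ("fqdns", "destination list IDs"):
        rec[key] = rec[key].split(",") if rec[key] else []
    for key in ("packet size", "source port", "destination port"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    rec["protocol"] = PROTOCOL_NAMES.get(rec["protocol"], rec["protocol"])
    return rec


def blocked_flows(log_text: str) -> List[Dict[str, Any]]:
    """Return source/destination/protocol/rule for every BLOCK verdict."""
    keys = ("source IP", "destination IP", "destination port", "protocol", "rule ID")
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_cdfw_line(line)
            if rec["action"] == "BLOCK":
                hits.append({k: rec[k] for k in keys})
    return hits
```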