Cloud Firewall Log Formats

Cloud firewall logs show traffic that has been handled by Secure Access cloud-delivered firewall. For information about the size of a log file, see Estimate the Size of a Log.

Table of Contents


Examples of Cloud Firewall Logs.

V8, V9 Log Samples

"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","","","", "","ams1.edc","12","ALLOW",",","44,66"

Order of Fields in the Cloud Firewall Log

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.

V8, V9 Log Formats

The CSV fields in the header row of the Cloud Firewall logs.

timestamp,origin IDs,identities,identity type,direction,protocol,packet size,source IP,source port,destination IP,destination port,data center,rule ID,action,fqdns,destination list IDs
  • timestamp—The timestamp of the request transaction in UTC.
  • origin IDs—The unique identity of the network tunnel.
  • identities—The names of the network tunnel.
  • identity type—The type of identity that made the request. Should always be "CDFW Tunnel Device".
  • direction—The direction of the packet. It is destined either towards the internet or to the customer's network.
  • protocol—The actual protocol of the traffic. Valid values are: TCP, UDP, or ICMP.
  • packet size—The size of the packet sent to the CDFW.
  • source IP—The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
  • source port—The internal port number of the user-generated traffic towards the CDFW.
  • destination IP—The destination IP address of the user-generated traffic towards the CDFW.
  • destination Port—The destination port number of the user-generated traffic towards the CDFW.
  • data center—The name of the data center that processed the user-generated traffic.
  • rule ID—The ID of the rule that processed the user traffic.
  • action—The final verdict whether to allow or block the traffic based on the rule.
  • fqdns—The fully qualified domain names (FQDNs) that match the request.
  • destination list IDs—The destination list IDs that Secure Access applied in the rule.

Admin Audit Log Formats < Cloud Firewall Log Formats > Data Loss Prevention (DLP) Log Formats