topic Re: Best Practices of log filter in General Topics

Best Practices of log filter

qd_056 — Fri, 02 Feb 2018 07:00:13 GMT

Hello,

As a network admin, when user escalates that he cannot access some specify website, what's the best way to find the property log which was triggered by use's browsing activity?

Of course we can apply filer as "username", but even though, we will still got a lot of logs in a very short time period.

What's your best practice?

Thanks

Re: Best Practices of log filter

TerjeLundbo — Fri, 02 Feb 2018 12:27:00 GMT

Find the IP address of the web site and look in the unified log with the following filter:

( addr.dst in x.x.x.x ) and ( action neq allow ) and ( action neq alert )

This shold get you all the traffic to that web site that has been blocked either by policy (deny rule) or threat prevention.

Re: Best Practices of log filter

BPry — Fri, 02 Feb 2018 14:04:57 GMT

@qd_056,

I'd actually recommend that you not filter by username, just because if a user-id drop was part of the issue you won't see the traffic at that point. As @TerjeLundbo pointed out you can target the specific destination address and look for log entries outside of 'allow' or 'alert' with the commands stated.

I'd actually make a further recommendation that you create a rule specific to that users source IP address with a deny 'any' 'any' policy that mimics the interzone-default policy and enable logging. This allows you to log any traffic that may potentially be running into the default security policy without generating un-needed logs by enabling logging across the default interzone-default policy where you would likely generate more logs than actually desired.

Re: Best Practices of log filter

qd_056 — Tue, 06 Feb 2018 08:59:37 GMT

I raised this concern since we met a issue is, we have a application group include web-broswing, and this group is allowed to be access by all trust clients.

But when user tried to access some specific website, they cannot display that page property, looks like CSS cannot be loaded.

So for such case, how can I know the root cause of this issue from log?

Thanks

Re: Best Practices of log filter

TerjeLundbo — Tue, 06 Feb 2018 11:56:08 GMT

There could be elements on the web site that is being blocked by the firewall. Examples could be flash content if flash is not member of the allowed application group or ads identified as malware. These will be listed in your firewall logs. If you find nothing there then I would suspect client browser trouble.

Re: Best Practices of log filter

OtakarKlier — Tue, 06 Feb 2018 15:05:34 GMT

Hello,

Here is what I usually do when I get those requests:

Ask the user what the URL was and what they were trying to click on.

I then reproduce the issue either on my machine or a test machinethat has little traffic outbound.

Filter the Unified logs by the source IP, as @BPry mentioned, if the user-id dropped, you might miss something.

Then recreate what the user was attempting and look for any blocks.

I look for URL blocks first, then move to application blocks due to ssl decrypting

Those are the big steps.