LOGS

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

LOGS

L4 Transporter

Hi Friends,

Please share the best practice for logs checking. how can iden

1 accepted solution

Accepted Solutions

Otherway, if there is an Active session exist on the firewall, you may grab the session ID and see detailed info as mentioned below:

> show session all filter source x.x.x.x destination y.y.y.y

9936         dns            ACTIVE  FLOW  NS   100.100.100.1[53621]/trust-L3/17  (1.1.1.2[43506])

vsys1                                          8.8.8.4[53]/untrust-L3  (8.8.8.4[53])

admin@31-PA-3020> show session id 9936

Session            9936

        c2s flow:

                source:      100.100.100.1 [trust-L3]

                dst:         8.8.8.4

                proto:       17

                sport:       53621           dport:      53

                state:       ACTIVE          type:       FLOW

                src user:    plano2003\csharma  >>>>>>>>>>>>>>> Source User

                dst user:    unknown

        s2c flow:

                source:      8.8.8.4 [untrust-L3]

                dst:         1.1.1.2

                proto:       17

                sport:       53              dport:      43506

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    plano2003\csharma

        start time                    : Thu Jul 24 12:33:04 2014

        timeout                       : 30 sec

        time to live                  : 12 sec

        total byte count(c2s)         : 240

        total byte count(s2c)         : 0

        layer7 packet count(c2s)      : 3

        layer7 packet count(s2c)      : 0

        vsys                          : vsys1

        application                   : dns

        rule                          : trust-to-untrust  >>>>>>> Security rule

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : nat-inside-2-outside(vsys1) >>>>>>>>>>>>>> NAT policy name

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : True

        captive portal session        : False

        ingress interface             : tunnel.1  >>>>>>>>>>>>>> Incoming interface

        egress interface              : ethernet1/3  >>>>>>>>>>>>>>>> Outgoing interface

        session QoS rule              : N/A (class 4)

Thanks

View solution in original post

7 REPLIES 7

L6 Presenter

Hi Satish,

By default logs are generated at the end of session. You can find logs at Monitor > Traffic or any other category.

Let me know if you need additional information.

Regards,

Hardik Shah

L7 Applicator

Hello Satish,

If you want to see logs for troubleshooting/monitoring purpose, then Monitor >logs will help you for the same. You may also check ACC report for all traffic/threat related activity. To generate logs report for audit/database/analysis, follow mentioned discussion:

Reports

Thanks

L7 Applicator

Related doc: Session Log Best Practice

Thanks

Hi Hardik and Hulk,

my question is  that how to find any network traffic log for make correct policy or identity for particular log for  per user/ ip / port ... etc.thanks

Hi Satish,

You can find that with Monitor > Log > traffic, based on trial and error method you will get idea.

Regards,

Hardik Shah

Thanks Hardik,

let me check and i will get back to you.

Regards

Satish

Otherway, if there is an Active session exist on the firewall, you may grab the session ID and see detailed info as mentioned below:

> show session all filter source x.x.x.x destination y.y.y.y

9936         dns            ACTIVE  FLOW  NS   100.100.100.1[53621]/trust-L3/17  (1.1.1.2[43506])

vsys1                                          8.8.8.4[53]/untrust-L3  (8.8.8.4[53])

admin@31-PA-3020> show session id 9936

Session            9936

        c2s flow:

                source:      100.100.100.1 [trust-L3]

                dst:         8.8.8.4

                proto:       17

                sport:       53621           dport:      53

                state:       ACTIVE          type:       FLOW

                src user:    plano2003\csharma  >>>>>>>>>>>>>>> Source User

                dst user:    unknown

        s2c flow:

                source:      8.8.8.4 [untrust-L3]

                dst:         1.1.1.2

                proto:       17

                sport:       53              dport:      43506

                state:       ACTIVE          type:       FLOW

                src user:    unknown

                dst user:    plano2003\csharma

        start time                    : Thu Jul 24 12:33:04 2014

        timeout                       : 30 sec

        time to live                  : 12 sec

        total byte count(c2s)         : 240

        total byte count(s2c)         : 0

        layer7 packet count(c2s)      : 3

        layer7 packet count(s2c)      : 0

        vsys                          : vsys1

        application                   : dns

        rule                          : trust-to-untrust  >>>>>>> Security rule

        session to be logged at end   : True

        session in session ager       : True

        session synced from HA peer   : False

        address/port translation      : source + destination

        nat-rule                      : nat-inside-2-outside(vsys1) >>>>>>>>>>>>>> NAT policy name

        layer7 processing             : enabled

        URL filtering enabled         : True

        URL category                  : any

        session via syn-cookies       : False

        session terminated on host    : False

        session traverses tunnel      : True

        captive portal session        : False

        ingress interface             : tunnel.1  >>>>>>>>>>>>>> Incoming interface

        egress interface              : ethernet1/3  >>>>>>>>>>>>>>>> Outgoing interface

        session QoS rule              : N/A (class 4)

Thanks

  • 1 accepted solution
  • 3068 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!