Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
.png "Satish"){kind=avatar}
07-24-2014 09:53 AM
Hi Friends,
Please share the best practice for logs checking. how can iden
07-24-2014 10:37 AM
Otherway, if there is an Active session exist on the firewall, you may grab the session ID and see detailed info as mentioned below:
> show session all filter source x.x.x.x destination y.y.y.y
9936 dns ACTIVE FLOW NS 100.100.100.1[53621]/trust-L3/17 (1.1.1.2[43506])
vsys1 8.8.8.4[53]/untrust-L3 (8.8.8.4[53])
admin@31-PA-3020> show session id 9936
Session 9936
c2s flow:
source: 100.100.100.1 [trust-L3]
dst: 8.8.8.4
proto: 17
sport: 53621 dport: 53
state: ACTIVE type: FLOW
src user: plano2003\csharma >>>>>>>>>>>>>>> Source User
dst user: unknown
s2c flow:
source: 8.8.8.4 [untrust-L3]
dst: 1.1.1.2
proto: 17
sport: 53 dport: 43506
state: ACTIVE type: FLOW
src user: unknown
dst user: plano2003\csharma
start time : Thu Jul 24 12:33:04 2014
timeout : 30 sec
time to live : 12 sec
total byte count(c2s) : 240
total byte count(s2c) : 0
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 0
vsys : vsys1
application : dns
rule : trust-to-untrust >>>>>>> Security rule
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : nat-inside-2-outside(vsys1) >>>>>>>>>>>>>> NAT policy name
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : tunnel.1 >>>>>>>>>>>>>> Incoming interface
egress interface : ethernet1/3 >>>>>>>>>>>>>>>> Outgoing interface
session QoS rule : N/A (class 4)
Thanks
07-24-2014 09:58 AM
Hi Satish,
By default logs are generated at the end of session. You can find logs at Monitor > Traffic or any other category.
Let me know if you need additional information.
Regards,
Hardik Shah
07-24-2014 10:03 AM
Hello Satish,
If you want to see logs for troubleshooting/monitoring purpose, then Monitor >logs will help you for the same. You may also check ACC report for all traffic/threat related activity. To generate logs report for audit/database/analysis, follow mentioned discussion:
Thanks
07-24-2014 10:22 AM
Related doc: Session Log Best Practice
Thanks
07-24-2014 10:25 AM
Hi Hardik and Hulk,
my question is that how to find any network traffic log for make correct policy or identity for particular log for per user/ ip / port ... etc.thanks
07-24-2014 10:26 AM
Hi Satish,
You can find that with Monitor > Log > traffic, based on trial and error method you will get idea.
Regards,
Hardik Shah
07-24-2014 10:35 AM
Thanks Hardik,
let me check and i will get back to you.
Regards
Satish
07-24-2014 10:37 AM
Otherway, if there is an Active session exist on the firewall, you may grab the session ID and see detailed info as mentioned below:
> show session all filter source x.x.x.x destination y.y.y.y
9936 dns ACTIVE FLOW NS 100.100.100.1[53621]/trust-L3/17 (1.1.1.2[43506])
vsys1 8.8.8.4[53]/untrust-L3 (8.8.8.4[53])
admin@31-PA-3020> show session id 9936
Session 9936
c2s flow:
source: 100.100.100.1 [trust-L3]
dst: 8.8.8.4
proto: 17
sport: 53621 dport: 53
state: ACTIVE type: FLOW
src user: plano2003\csharma >>>>>>>>>>>>>>> Source User
dst user: unknown
s2c flow:
source: 8.8.8.4 [untrust-L3]
dst: 1.1.1.2
proto: 17
sport: 53 dport: 43506
state: ACTIVE type: FLOW
src user: unknown
dst user: plano2003\csharma
start time : Thu Jul 24 12:33:04 2014
timeout : 30 sec
time to live : 12 sec
total byte count(c2s) : 240
total byte count(s2c) : 0
layer7 packet count(c2s) : 3
layer7 packet count(s2c) : 0
vsys : vsys1
application : dns
rule : trust-to-untrust >>>>>>> Security rule
session to be logged at end : True
session in session ager : True
session synced from HA peer : False
address/port translation : source + destination
nat-rule : nat-inside-2-outside(vsys1) >>>>>>>>>>>>>> NAT policy name
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
captive portal session : False
ingress interface : tunnel.1 >>>>>>>>>>>>>> Incoming interface
egress interface : ethernet1/3 >>>>>>>>>>>>>>>> Outgoing interface
session QoS rule : N/A (class 4)
Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
