Policy log settings

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Policy log settings

L1 Bithead

Hi Pals,

I would like some second opinion on my observation reg. the option 'log at session start' and 'log at session end'. I have tried both options and at the same time monitor the generated traffic logs for each setting. This is my observation:

a) For log at session end, there is only one traffic log created for a session

b) For log at session start, it seemed that whenever there is a change in the App-ID within a session, a new log will be created. Eg. when visiting facebook, 2 logs were generated, one for web-browsing and anoher for facebook-base.

Anyone can comment on my observation?

Thanks

1 accepted solution

Accepted Solutions

L3 Networker

Lets say there was never an application shift, even in this case there will be two logs for the same session id. This is because the firewall does a security policy look up to allow the service first (i.e the SYN in a TCP session ), since this is the start of the session a log will be generated for this. Once the application is identified and session is closed the log at session end will generate a traffic log for this. Form a information POV the log at session end will have more info than log at session start in terms of number of bytes sent in C2S and S2C flow. You'll end up with duplicate logs for the same session. In which one is more useful than the other based on the issue you are troubleshooting.

Regards,

Deepak

View solution in original post

4 REPLIES 4

L3 Networker

Hello Suhaimi,

Your observation is an expected behavior.As the name suggests log at session end option tags a session at it's very beginning and generates a log for it.Now the second log you see (facebook-base in your case) is created at session end.

Hope this helps.

Yashwanth

L3 Networker

Hello,

I believe you are seeing that because the app id change triggers the session to do a security policy look up. Though the session id remains the same the firewall will write a new log when you say log at session and the security policy look up is done due to application shift.

I hope that explains the behavior you are seeing, also the option log at session start is recommended for troubleshooting purposes only. Enabling log at session start option will force the firewall to log the same session twice (Duplicate logs), logging is resource intensive

process and can have significant performance degradation strictly based on number of rules where this option is enable and the number of sessions hitting those rules.

Regards,

Deepak

Hello Deepak,

Thanks for the reply. When you mention that log at session start will "force the firewall to log the same session twice (Duplicate logs)", are you referring to the same log being repeated twice or 2 different logs with different app-id?

Thanks

L3 Networker

Lets say there was never an application shift, even in this case there will be two logs for the same session id. This is because the firewall does a security policy look up to allow the service first (i.e the SYN in a TCP session ), since this is the start of the session a log will be generated for this. Once the application is identified and session is closed the log at session end will generate a traffic log for this. Form a information POV the log at session end will have more info than log at session start in terms of number of bytes sent in C2S and S2C flow. You'll end up with duplicate logs for the same session. In which one is more useful than the other based on the issue you are troubleshooting.

Regards,

Deepak

  • 1 accepted solution
  • 3451 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!