64-Log Management
Configuring a Session Logging Policy
Setting Session Logging Thresholds
Displaying Connection Limit Logs
Displaying Attack Prevention Logs
Displaying Inter-Zone Policy Logs
The log management feature enables you to store the system messages or logs generated by actions such as packet filtering in the log buffer, or to send them to log hosts. Analyzing and archiving the logs lets you identify weaknesses in the firewall configuration, find out who attempted to violate security policies and when, and determine the types of network attacks. Real-time logs can also be used to detect ongoing attacks.
The device drops an invalid packet without logging it, for example, an IP packet with an incorrect header checksum or an invalid destination IP address, or a raw IP protocol 1, 6, or 17 (ICMP, TCP, or UDP) packet. You can see the details by entering the debugging command in the CLI.
The syslog module allows you to set the parameters of the information center. Acting as the system information hub, the information center classifies and manages system information, giving network administrators and developers strong support for monitoring network performance and diagnosing network problems. The information center can output log information to the Web interface for you to view, and it can also output log information to the specified syslog log hosts according to your configuration.
Select Log Report > Syslog from the navigation tree to enter the page as shown in Figure 1-1.
Table 1-1 describes the syslog configuration items.
Table 1-1 Syslog configuration items

| Item | Description |
| --- | --- |
| Log Buffer Size | Set the number of syslogs that can be stored in the log buffer. |
| Clear Log | Click this button to clear the logs in the log buffer. |
| Log Host1 to Log Host4 | Set the IP address and port number of each syslog log host. Log information can be reported to the specified remote log hosts in syslog format; up to four syslog log hosts can be specified. |
| Refresh Period | Set the refresh period of the log information displayed on the log report Web interface. Manual: you refresh the Web interface yourself when viewing log report information. Automatic: the Web page is refreshed every 10 seconds, 30 seconds, 1 minute, 5 minutes, or 10 minutes. |
User logs can be output in either of the following two formats. At present, the device supports flow logging only.
- Output to the information center of the device in the format of system information; the information center then decides the output destination.
- Output to the specified userlog log host in UDP packets in binary format.
At present, flow logs refer to session logs only. To generate flow logs, you need to configure session logging.
Flow logging records users' access to the external network. The device classifies flows by their 5-tuple (source IP address, destination IP address, source port, destination port, and protocol number) and generates user flow logs, which record the 5-tuple of the packets and the numbers of bytes received and sent. With flow logging, administrators can track and record accesses to the network, which supports the availability and security of the network.
Flow logging is available in two versions, 1.0 and 3.0, whose packet formats differ slightly. For details, see the following two tables.
Table 1-2 Packet format in flow logging version 1.0

| Field | Description |
| --- | --- |
| SourceIP | Source IP address |
| DestIP | Destination IP address |
| SrcPort | TCP/UDP source port number |
| DestPort | TCP/UDP destination port number |
| StartTime | Start time of the flow, in seconds since 1970/01/01 00:00 |
| EndTime | End time of the flow, in seconds since 1970/01/01 00:00 |
| Prot | Protocol carried over IP |
| Operator | Reason why the flow ended |
| Reserved | Reserved for future use |
Table 1-3 Packet format in flow logging version 3.0

| Field | Description |
| --- | --- |
| Prot | Protocol carried over IP |
| Operator | Reason why the flow ended |
| IpVersion | IP packet version |
| TosIPv4 | ToS field of the IPv4 packet |
| SourceIP | Source IP address |
| SrcNatIP | Source IP address after Network Address Translation (NAT) |
| DestIP | Destination IP address |
| DestNatIP | Destination IP address after NAT |
| SrcPort | TCP/UDP source port number |
| SrcNatPort | TCP/UDP source port number after NAT |
| DestPort | TCP/UDP destination port number |
| DestNatPort | TCP/UDP destination port number after NAT |
| StartTime | Start time of the flow, in seconds since 1970/01/01 00:00 |
| EndTime | End time of the flow, in seconds since 1970/01/01 00:00 |
| InTotalPkg | Number of packets received |
| InTotalByte | Number of bytes received |
| OutTotalPkg | Number of packets sent |
| OutTotalByte | Number of bytes sent |
| Reserved1 | Reserved in version 0x02 (FirewallV200R001). In version 0x03 (FirewallV200R005), the first byte is the source VPN ID, the second byte is the destination VPN ID, and the third and fourth bytes are reserved. |
| Reserved2 | Reserved for future use |
| Reserved3 | Reserved for future use |
Select Log Report > Userlog from the navigation tree to enter the page as shown in Figure 1-2.
Table 1-4 describes the configuration items of flow logging.
Table 1-4 Flow logging configuration items

| Item | Description |
| --- | --- |
| Version | Set the flow logging version, 1.0 or 3.0, according to the capability of the log receiving device. If the log receiving device does not support the selected version, it cannot parse the logs it receives. |
| Source IP Address of Packets | Set the source IP address of flow logging packets. Once specified, Device A uses this address instead of the actual egress interface address as the source IP address when sending flow logs to Device B. Even if Device A sends packets to Device B through different interfaces, Device B can identify packets from Device A by their source IP address. This also simplifies ACL and security policy configuration: if you use the same address as the source or destination address in an ACL rule, address variation and interface status are masked when filtering flow logging packets. Using the IP address of a loopback interface as the source IP address of flow logging packets is recommended. |
| Loghost 1, Loghost 2 | Set the VPN instance, IP address and port number of a userlog log host, so that flow logs are encapsulated in UDP packets and sent to it. The log host can analyze and display the flow logs for remote monitoring of the device. Centralized device: up to two different userlog log hosts can be specified. Distributed or stacking device: up to two different userlog log hosts can be specified for each card. To avoid collision with well-known UDP port numbers, a UDP port number in the range 1025 to 65535 is recommended. |
| Output flow logs to information center | Select to output flow logs to the information center in the format of system information. With this function enabled, flow logs are not output to the specified userlog log host. Outputting flow logs to the information center occupies device storage space, so it is recommended only when the amount of flow logs is small. |
If you set flow logs to be sent in UDP packets to the specified userlog log host, you can view the related statistics: the total number of flow logs sent to the log host, the total number of UDP packets, and the total number of flow logs stored in the device cache.
If you click the Statistics expansion button on the Flow Log page, you can view the information shown in Figure 1-3.
- Centralized device: click Reset to clear all flow logging statistics of the device and the flow logs in the cache.
- Distributed or stacking device: click Reset to clear all flow logging statistics of a card and the flow logs in the cache.
Figure 1-3 View flow logging statistics
Session logging records users’ access information, IP address translation information, and traffic information, and can output the records in a specific format to a log host, allowing administrators to perform security auditing.
Session logging records an entry for a session when the session reaches a specified threshold. Two categories of thresholds are supported:
- Time threshold: when the lifetime of a session reaches this threshold, a log entry is output for the session.
- Traffic threshold: expressed as a number of bytes or a number of packets. When the traffic of a session reaches the specified number of bytes or packets, a log entry is output for the session.
- For information about session management, refer to Session Management.
- Session logs are output in the format of flow logs. To view session logs, you also need to configure flow logging.
Perform the tasks in Table 1-5 to configure session logging.
Table 1-5 Session logging configuration task list

| Task | Remarks |
| --- | --- |
| Configuring a session logging policy | Required. Specify the source zone and destination zone of the sessions and the ACL for filtering log entries. By default, no session logging policy exists. |
| Setting session logging thresholds | Required. Configure the time threshold and/or traffic threshold for session logging. By default, both thresholds are 0, meaning that no session logging entries are output. If both thresholds are configured, a log entry is output for a session when it reaches either threshold, and the statistics of the session are then cleared. |
Select Log Report > Session Log > Log Policy from the navigation tree to display existing session logging policies, as shown in Figure 1-4. Then, click Add to enter the session logging policy configuration page, as shown in Figure 1-5.
Figure 1-4 Session logging policy list
Figure 1-5 Create a session logging policy
Table 1-6 describes the configuration items for configuring a session logging policy.
Table 1-6 Configuration items for configuring a session logging policy

| Item | Description |
| --- | --- |
| Source Zone, Destination Zone | Specify the source zone and destination zone. Security zones are configured through System > Zone. |
| ACL | Specify the ACL for filtering log entries. Only log entries permitted by the ACL are output. |
Return to Session logging configuration task list.
Select Log Report > Session Log > Global Setup from the navigation tree to enter the page for setting session logging thresholds, as shown in Figure 1-6.
Figure 1-6 Global configuration page
Table 1-7 describes the configuration items for setting session logging thresholds.
Table 1-7 Configuration items for setting session logging thresholds

| Item | Description |
| --- | --- |
| Time Threshold | Set the time threshold for outputting session logging entries. With this argument set, log entries are output for sessions whose lifetimes reach the specified time threshold. |
| Traffic Threshold | Set the traffic threshold for outputting session logging entries, in number of packets or bytes. With this threshold set, log entries are output for sessions whose traffic reaches the specified number of bytes or packets. Support for this feature depends on the device model. |
Return to Session logging configuration task list.
The log report module allows you to view the log information on the device. You can view the following logs through the Web interface:
- System logs
- Connection limit logs
- Attack prevention logs
- Blacklist logs
- Inter-zone policy logs
- User logs
Select Log Report > Report > System Log from the navigation tree to enter the page as shown in Figure 1-7.
Figure 1-7 Operation log configuration page
Table 1-8 describes the system log configuration items.
Table 1-8 System log configuration items

| Item | Description |
| --- | --- |
| Time/Date | Displays the time when the system log was generated. |
| Source | Displays the module that generated the system log. |
| Level | Displays the severity level of the system log. For a description of the severity levels, refer to Table 1-9. |
| Description | Displays the contents of the system log. |
Table 1-9 System log severity levels

| Severity level | Description | Value |
| --- | --- | --- |
| Emergency | The system is unavailable. | 0 |
| Alert | Information that demands prompt reaction | 1 |
| Critical | Critical information | 2 |
| Error | Error information | 3 |
| Warning | Warnings | 4 |
| Notification | Normal information that needs to be noticed | 5 |
| Informational | Informational information to be recorded | 6 |
| Debugging | Information generated during debugging | 7 |

Note: A smaller value represents a higher severity level.
Select Log Report > Report > Connection Limit Log from the navigation tree to enter the page as shown in Figure 1-8.
Figure 1-8 Connection limit log configuration page
Table 1-10 describes the connection limit log configuration items.
Table 1-10 Connection limit log configuration items

| Item | Description |
| --- | --- |
| Time/Date | Displays the time when the connection limit log was generated. |
| Type | Displays the type of traffic alarm: the number of source IP-based connections exceeds the upper limit, or the number of destination IP-based connections exceeds the upper limit. |
| Source Zone | Displays the source zone of the connection. |
| Source IP | Displays the source IP address of the connection. |
| Destination Zone | Displays the destination zone of the connection. |
| Destination IP | Displays the destination IP address of the connection. |
| Current Rate | Displays the rate of the current connection. |
| Current Connection | Displays the total number of current connections. |
| TCP Percentage | Displays the percentage of TCP packets in the total packets. |
| UDP Percentage | Displays the percentage of UDP packets in the total packets. |
| ICMP Percentage | Displays the percentage of ICMP packets in the total packets. |
Select Log Report > Report > Attack Prevention Log from the navigation tree to enter the page as shown in Figure 1-9.
Figure 1-9 Attack prevention log configuration page
Table 1-11 describes the attack prevention log configuration items.
Table 1-11 Attack prevention log configuration items

| Item | Description |
| --- | --- |
| Time | Displays the time when the attack was detected. |
| Type | Displays the attack type. |
| Interface | Displays the interface that received the attack packets. |
| Source IP | Displays the source IP address of the attack packets. |
| Source MAC | Displays the source MAC address of the attack packets. |
| Destination IP | Displays the destination IP address of the attack packets. |
| Destination MAC | Displays the destination MAC address of the attack packets. |
| Speed | Displays the connection speed of the attack. |
Select Log Report > Report > Blacklist Log from the navigation tree to enter the page as shown in Figure 1-10.
Figure 1-10 Blacklist log configuration page
Table 1-12 describes the blacklist log configuration items.
Table 1-12 Blacklist log configuration items

| Item | Description |
| --- | --- |
| Time/Date | Displays the time when the blacklist entry was generated. |
| Mode | Displays whether the blacklist entry was newly added or removed. |
| Source IP | Displays the IP address of the blacklist entry. |
| Reason | Displays the reason why the address was added to the blacklist, manual add or automatic add. Automatic add means that the system added the source IP address to the blacklist automatically; manual add means that the entry was added manually through the Web interface. |
| Hold Time | Displays the hold time of the blacklist entry. |
Inter-zone logs are logs of the flows matching an inter-zone policy. To record inter-zone policy logs, you need to enable the Syslog function when configuring an inter-zone policy. For the detailed configuration, refer to Inter-Zone Policy Configuration.
Select Log Report > Report > InterZone Policy Log from the navigation tree to enter the page as shown in Figure 1-11.
Figure 1-11 Inter-zone policy log configuration page
Table 1-13 describes the inter-zone policy log configuration items.
Table 1-13 Inter-zone policy log configuration items

| Item | Description |
| --- | --- |
| Start Time | Displays the time when the flow was created. |
| End Time | Displays the time when the flow was removed. |
| Source Zone | Displays the source zone of the flow. |
| Destination Zone | Displays the destination zone of the flow. |
| Policy ID | Displays the ID of the inter-zone policy that the flow matched. |
| Action | Displays the action taken on the flow, permitted or denied. |
| Protocol Type | Displays the protocol type of the flow. |
| Flow Information | Displays the flow information. For TCP or UDP, the format is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69. For ICMP, the format is source IP address-->destination IP address, ICMP type (ICMP code), for example, 1.1.1.2-->1.1.2.10, echo(8). For any other protocol, the format is source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10. |
To display user logs through the Web interface, you need to configure outputting user logs to the information center.
Select Log Report > Report > Userlog from the navigation tree to enter the page for displaying flow logs. If you select the 1.0 radio button, the flow logging 1.0 information is displayed, as shown in Figure 1-12; if you select the 3.0 radio button, the flow logging 3.0 information is displayed, as shown in Figure 1-13.
Figure 1-12 Flow logging 1.0 log report
Figure 1-13 Flow logging 3.0 log report
Table 1-14 and Table 1-15 describe the flow logging 1.0 and 3.0 configuration items respectively.
Table 1-14 Flow logging 1.0 configuration items

| Item | Description |
| --- | --- |
| Time/Date | Displays the time and date when the flow log was generated. |
| Protocol Type | Displays the protocol type of the flow log. |
| Flow Information | Displays the flow information. For TCP or UDP, the format is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69. For any other protocol, the format is source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10. |
| Start Time | Displays the time when the flow was created. |
| End Time | Displays the time when the flow was removed. |
| Flow Action | Displays the Operator field of the flow: (1) Normal over: the flow ended normally. (2) Aged for timeout: the timer timed out. (3) Aged for reset or config-change: the flow was aged because of a configuration change. (4) Aged for no enough resource: the flow was aged because of insufficient resources. (5) Aged for no-pat of NAT: one-to-one NAT; in this case, only the source IP address, the source IP address after translation and the time fields are available. (6) Active data flow timeout: the lifetime of the flow reached the limit. (8) Data flow created: the record written for the flow when it was created. (254) Other: other reasons. |
Table 1-15 Flow logging 3.0 configuration items

| Item | Description |
| --- | --- |
| Time/Date | Displays the time and date when the flow log was generated. |
| Protocol Type | Displays the protocol type of the flow. |
| Flow Information | Displays the flow information. For TCP or UDP, the format is source IP address:source port-->destination IP address:destination port, for example, 1.1.1.2:1026-->1.1.2.10:69. For any other protocol, the format is source IP address-->destination IP address, for example, 1.1.1.2-->1.1.2.10. |
| Received Packets/Bytes | Displays the number of received packets/bytes. |
| Send Packets/Bytes | Displays the number of sent packets/bytes. |
| Source VPN | Displays the source VPN of the packets. |
| Destination VPN | Displays the destination VPN of the packets. |
| Start Time | Displays the time when the flow was created. |
| End Time | Displays the time when the flow was removed. |
| Flow Action | Displays the Operator field of the flow: (1) Normal over: the flow ended normally. (2) Aged for timeout: the timer timed out. (3) Aged for reset or config-change: the flow was aged because of a configuration change. (4) Aged for no enough resource: the flow was aged because of insufficient resources. (5) Aged for no-pat of NAT: one-to-one NAT; in this case, only the source IP address, the source IP address after translation and the time fields are available. (6) Active data flow timeout: the lifetime of the flow reached the limit. (8) Data flow created: the record written for the flow when it was created. (254) Other: other reasons. |