Guides
ProductDeveloperPartnerPersonal
ProductDeveloperPartnerPersonal

Cloud Firewall Log Formats

Suggest Edits

Cloud Firewall logs show traffic that has been handled by network tunnels.

Table of Contents

Examples

"2019-01-14 18:03:46","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","","146.112.255.129", "","ams1.edc","12","ALLOW","google.com,apple.com","44,66"

The example entry is 188 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the Cloud Firewall Log

<timestamp><origin IDs><identities><identity type><direction><protocol><packet size><source IP><source port><destination IP><destination port><data center><rule ID><action><fqdns><destination list IDs>

  • Timestamp—The timestamp of the request transaction in UTC.
  • Origin IDs—The unique identity of the network tunnel.
  • Identities—The names of the network tunnel.
  • Identity Type—The type of identity that made the request. Should always be "CDFW Tunnel Device".
  • Direction—The direction of the packet. It is destined either towards the internet or to the customer's network.
  • Protocol—The actual protocol of the traffic. It could be TCP, UDP, ICMP.
  • Packet Size—The size of the packet that Umbrella CDFW received.
  • Source IP—The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
  • Source Port—The internal port number of the user-generated traffic towards the CDFW.
  • Destination IP—The destination IP address of the user-generated traffic towards the CDFW.
  • Destination Port—The destination port number of the user-generated traffic towards the CDFW.
  • Data Center—The name of the Umbrella data center that processed the user-generated traffic.
  • Rule ID—The ID of the rule that processed the user traffic.
  • Action—The final verdict whether to allow or block the traffic based on the rule.
  • FQDNs—The fully qualified domain names (FQDNs) that match the request.
  • Destination List IDs—The destination list IDs that Umbrella applied in the rule.

Admin Audit Log Formats < Cloud Firewall Log Formats > Data Loss Prevention (DLP) Log Formats

Updated about 2 months ago