Guides
ProductDeveloperPartnerPersonal
Guides
ProductDeveloperPartnerPersonal

Cloud Firewall Log Formats

Suggest Edits

Cloud Firewall logs show traffic that has been handled by network tunnels.

Table of Contents

Examples

"2024-06-14 18:59:57","[211039844]","Passive Monitor", "CDFW Tunnel Device","OUTBOUND","1","84","172.17.3.4","60951","146.112.255.129","443","ams1.edc","12","ALLOW","google.com,apple.com","44,66","1718391597","1718391597","3","3","1108","755","39-42","","","","","","","\[]","","","","2204063"

The example entry is 293 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the Cloud Firewall Log

<timestamp><origin IDs><identities><identity type><direction><protocol><packet size><source IP><source port><destination IP><destination port><data center><rule ID><action><fqdns><destination list IDs><first packet timestamp><last packet timestamp><packets sent><packets received><bytes sent><bytes received><fw event ID><destination country><app ID><aws region><private app group ID><private flow><posture ID><casi category IDs><traffic source><content category IDs><content category list IDs><organization ID>

Optional V11 Log Header Format

The CSV fields in the header row of the Optional Log Header.

"Timestamp","Origin IDs","Identities","Identity Types","Direction","Protocol","Packet Size","Source IP","Source Port","Destination IP","Destination Port","Data Center","Rule ID","Action","FQDNS","Destination List IDs","First Packet Timestamp","Last Packet Timestamp","Packets Sent","Packets Received","Bytes Sent","Bytes Received","FW Event ID","Destination Country","AWS Region","App ID","Private App ID","Private Flow","Posture ID","CASI Category IDs","Traffic Source","Content Category IDs","Content Category List IDs","Organization ID"
  • Timestamp—The timestamp of the request transaction in UTC.
  • Origin IDs—The unique identity of the network tunnel.
  • Identities—The names of the network tunnel.
  • Identity Type—The type of identity that made the request. Should always be "CDFW Tunnel Device".
  • Direction—The direction of the packet. It is destined either towards the internet or to the customer's network.
  • Protocol—The actual protocol of the traffic. It could be TCP, UDP, ICMP.
  • Packet Size—The size of the packet that Umbrella CDFW received.
  • Source IP—The internal IP address of the user-generated traffic towards the CDFW. If the traffic goes through NAT before it comes to CDFW, it will be the NAT IP address.
  • Source Port—The internal port number of the user-generated traffic towards the CDFW.
  • Destination IP—The destination IP address of the user-generated traffic towards the CDFW.
  • Destination Port—The destination port number of the user-generated traffic towards the CDFW.
  • Data Center—The name of the Umbrella data center that processed the user-generated traffic.
  • Rule ID—The ID of the rule that processed the user traffic.
  • Action—The final verdict whether to allow or block the traffic based on the rule.
  • FQDNs—The fully qualified domain names (FQDNs) that match the request.
  • Destination List IDs—The destination list IDs that Umbrella applied in the rule.
  • First Packet Timestamp—The timestamp when the first packet of the session was received in UTC in seconds. Populated only for traffic handled by Cisco Secure Firewall.
  • Last Packet Timestamp The timestamp when the last packet of the session was received in UTC in seconds. Populated only for traffic handled by Cisco Secure Firewall.
  • Packets Sent—The number of packets sent during the session. Populated only for traffic handled by Cisco Secure Firewall.
  • Packets Received—The number of packets received during the session. Populated only for traffic handled by Cisco Secure Firewall.
  • Bytes Sent—The number of bytes sent during the session. Populated only for traffic handled by Cisco Secure Firewall.
  • Bytes Received—The number of bytes received during the session. Populated only for traffic handled by Cisco Secure Firewall.
  • FW Event ID—The ID of the firewall event. Populated only for traffic handled by Cisco Secure Firewall.
  • Destination Country—The ISO-3166 alpha-2 two-character identifier of the country associated with the destination IP.
  • AWS Region—The AWS region that stores your VPN logs.
  • Private Resource ID—The unique private resource ID identified for the current session.
  • Private App Group ID—The unique ID of the private resource group ID that the private resource belongs to.
  • Private FlowTRUE if Umbrella applied a private access rule to the user-generated traffic, and FALSE if Umbrella applied an internet access rule.
  • Posture ID—The unique ID of the endpoint posture profile.
  • CASI Category IDs—Name of the Application category to which the App ID belongs.
  • Traffic Source—The source of the user-generated traffic. Valid values are 0 - Unknown, 1 - VPN,2 – ZTNA, 3 - Network Tunnel.
  • Content Category IDs—ID of one or more content categories matched by the rule.
  • Content Category List IDs—ID of one or more content category lists that include categories matched by the rule.
  • Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID.

Admin Audit Log Formats < Cloud Firewall Log Formats > Data Loss Prevention (DLP) Log Formats

Updated 29 days ago