You can view firewall events in the Activity Search Report. You can filter results for time frame and response, or search for specific domains, identities, or URLs. For information on viewing details of cloud-delivered firewall events, see View CDFW Events.
- View Firewall Logs in Activity Search
- Advanced Search Firewall Logs in Activity Search Report
- View CDFW Events in the App Discovery Report
## Prerequisites
- A minimum of Read Only access to the Umbrella dashboard. See Manage User Roles.
## View Firewall Logs in Activity Search
- Navigate to Reporting > Core Reports > Activity Search.
- Choose a time frame for the report. You can view the last 24 hours (default), Yesterday, Last 7 Days, Last 30 Days, or a Custom range.
- From the requests menu, choose Firewall.
- Filter results by the response type.
  Select Allowed or Blocked and click Apply. By default, nothing is selected, so all responses are shown.
  If Allowed is selected, click Advanced to choose further options. You have the option to see all allowed events, Allow-Security Overridden, or only events Allowed by security policies. For more information on the Allow-Security Override, see the Override Security section of Add Rules to a Ruleset. Click Apply to enable the advanced filter.
- Filter by application categories and click Apply.
  The Activity Search Report displays events with the filters applied.
- Click the Action menu (three dots) and choose View Further Details to see more information on an event.
## Advanced Search Firewall Logs in Activity Search Report
You can query the Activity Search Report for domains, identities, or URLs.
- Identity—Includes most identity types such as users (including SAML if enabled), networks, sites, and roaming clients. You can include and exclude identities from your search.
- IP—Search for events associated with IP addresses on your network (either internal or public egress IP address). This does not provide the capability to search for destination IP addresses.
- Application—Search by name to find a specific application.
- Port—Search by a firewall port number.
## View CDFW Events in the App Discovery Report
View details for firewall events where applications were blocked or allowed. For more information, see View CDFW Events.