Interpret Security Log

The security log lets you inspect the traffic that has been handled by the firewall. It shows the most important attributes of each packet and the action the firewall took for that packet.

The information logged depends on the packet type, but some attributes are always present: the time the packet was seen, the interface it was seen on, its direction, its size in bytes and its protocol type.

In most cases the source and destination addresses are logged as well.

Finally the action taken is logged, given as a main action (accept, deny, drop or error) followed by a more specific reason, e.g. "deny default rule".

This action is also broken down to show in detail which decisions the firewall took: which supervisor rule, flow (if any) and user rule (if any) matched the packet. For each rule or flow, the associated action or state is logged as well.

Example - TCP connection establishment:

1) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet was received on et2 (the "i" after the interface name stands for "incoming") and is an IP packet from 192.168.0.2 to 1.2.3.4 with a length of 44 bytes. The IP packet contains a TCP SYN segment (the "S" after "tcp:" is the SYN flag) from port 3263 to port 80 with a payload of 0 bytes. The final action was "ACCEPT rule", meaning that a firewall rule, not an existing flow, is what made the firewall accept the packet. The match information "s(0)accept u(2)accept" shows that supervisor rule 0 and then user rule 2 matched, both with the action accept.

2) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

The first log entry (1) is immediately followed by the same packet, this time transmitted on another interface ("et1", "o" as in "outgoing"). Here it matched user rule 1, whose action is modify, and flow c94954 was created, moving from state init to syn-rcvd. The packet is MODIFY:ed (NAT:ed) so that its source address becomes the firewall's external IP address (192.168.5.66) and its source port (60001) is taken from the "NAT pool".

3) 0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263

This packet is the response to the one in (1) and (2). Now both the S (SYN) and A (ACK) flags are set. It first matches supervisor rule 1 and then flow c949a4, which makes the final decision for the packet, giving the final action "ACCEPT flow". The sub action reverses the NAT: the destination address and port are rewritten back to 192.168.0.2 and 3263 so that the reply reaches the internal host.

4) 0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept

This is the same packet as in (3) but forwarded to the et2 interface.

5) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet is the last in the TCP three-way handshake, which completes the connection establishment. Now only the A (ACK) flag is set.

6) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

This is the same packet as in (5), but forwarded to the et1 interface. It matches the same flow as the packet in (2) and the flow's state changes to "open".

General log entry format

Each log entry follows the same format ('...' denotes a variable, [...] optional information, and {...|...} "selective" information, i.e. one of the alternatives):

'time' : 'interface''dir' 'proto info' - 'action' [ - 'match info'] [ - 'sub action']

Overview of log entry components
'time' The time when the packet was logged, expressed in days, hours, minutes and seconds after power on (uptime), e.g. "01d 12:34:56" (the examples above show it as "0d 22:28:14").
'interface' The name of the interface the packet was seen on, e.g. "et1".
'dir' Direction of the packet; i = incoming, o = outgoing. The direction is written directly after the interface name, e.g. "et2i" for a packet received on et2.
'proto info' Protocol information - see table below.
'action' Final action taken by the firewall for the packet. Composed of a general action and, in some cases, a specific reason for why the action was taken, e.g. "DENY default rule".
'match info' (optional) What objects (rule, flow) in the firewall matched the packet? See below for more information.
'sub action' (optional) Any supplementary action taken for the packet. Sub action arguments are also logged, e.g. "MODIFY saddr 1.2.3.4" for (source) NAT:ed packets.

Protocol information format

IP packets:

'src ip addr' > 'dst ip addr' [#'id'] ('length'['more frags'@'offset']) 'proto': 'proto info'

Protocol information - IP
'src ip addr' Source IP address of packet, e.g. 192.168.0.2.
'dst ip addr' Destination IP address of packet.
'id' (optional; fragments only) IP datagram identification number (decimal), e.g. 34523.
'length' IP packet length in bytes (decimal), e.g. 150.
'more frags'@'offset' (fragments only) Fragment information following the length: 'more frags' is "+" if more fragments follow or "-" if this is the last fragment, and 'offset' is the fragment offset (decimal). E.g. "540-@1460" is the last fragment, 540 bytes long, at offset 1460.
'proto' Protocol type, expressed as a number (decimal) or as a name for common protocols, e.g. 103 or "udp".
'proto info' Varies with protocol - see below.

ICMP packets:

'type'/'code' 'type name'

TCP segments:

'tcp flags' 'src port' > 'dst port' ('tcp length')

UDP datagrams:

'src port' > 'dst port' ('udp length')

Most other protocols are just logged as "(unhandled)".

Protocol information - TCP/UDP
'tcp flags' (TCP only) TCP flags; U = URG (urgent), A = ACK (acknowledge), P = PSH (push), R = RST (reset), S = SYN (synchronize), F = FIN (finish), e.g. "SA".
'src port' Source port (decimal), e.g. "2765".
'dst port' Destination port (decimal), e.g. "80".
'tcp length', 'udp length' Length of payload in bytes (decimal), e.g. "700".

ARP packets:

'arp op' 'src ip addr' 'dst ip addr'

Ethernet frames (undecoded):

'src ether addr' > 'dst ether addr' ('length') 'type'

Protocol information - Ethernet
'src ether addr' Source address (colon separated hexadecimal format)
'dst ether addr' Destination address.
'length' Length of frame (decimal).
'type' Type field (hexadecimal).

Matching information format

Describes which objects matched the packet: a rule (through its filter specification) or a flow (through its attributes). (See firewall rule syntax for more information about rules and flows.)

Incoming packets:

s('super rule id')'action' {f('flow id')'old state'/'new state' | u('user rule id')'action'}

Outgoing packets:

{f('flow id')'old state'/'new state' | u('user rule id')'action'} s('super rule id')'action'

Match information
'super rule id' Supervisor rule id (decimal). Indicates which rule (0..n) matched the packet; -1 indicates the "default rule", i.e. no rule matched.
'user rule id' (optional) User rule id (decimal). Normally logged only if no flow matched; the packet that creates a flow, such as entry (2) in the example above, is logged with both the user rule that matched it and the new flow's first state transition.
'action' The rule's associated action.
'flow id' (optional; only if a matching flow existed.) Flow id (hexadecimal). Indicates which flow matched the packet.
'old state' Previous flow state (before the packet was inspected).
'new state' New flow state (after the packet was inspected).
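As an added illustration (example code written for this page, not part of the manual or of the appliance's firmware), the parser below applies the entry, protocol and match-information formats described in the sections above to the six lines of the TCP connection-establishment example, and derives from them the flow state transitions and the NAT binding that the walk-through explains. The last line of the sample log is constructed, not taken from the manual, to show a packet that hits the default rule (supervisor rule id -1); the exact spacing of the interface/direction token, the colon after 'proto' and the order of match tokens are assumed to be as documented on this page.

```python
import re
from collections import defaultdict

# Entries 1-6 are copied from the page's TCP connection-establishment example; the
# last line is CONSTRUCTED (not from the manual) to show a packet hitting the
# "default rule" (supervisor rule id -1).
SAMPLE_LOG = """\
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263
0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
0d 22:30:01:et1i 203.0.113.5 > 192.168.5.66 (40) tcp: S 44123 > 23 (0) - DENY default rule - s(-1)deny
"""

# 'time':'interface''dir' 'proto info'; the " - action [ - match] [ - sub action]" tail is split off first
HEAD_RE = re.compile(r"^(?P<time>\d+d \d\d:\d\d:\d\d):(?P<iface>\S+?)\s?(?P<dir>[io])\s+(?P<proto>.*)$")
# 'src' > 'dst' [#'id'] ('length'['more frags'@'offset']) 'proto': 'proto info'
IP_RE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+)(?: #(?P<id>\d+))? \((?P<length>\d+)"
                   r"(?:(?P<more>[+-])@(?P<offset>\d+))?\) (?P<proto>[^:\s]+):(?: (?P<info>.*))?$")
TCP_RE = re.compile(r"^(?:(?P<flags>[UAPRSF]+) )?(?P<sport>\d+) > (?P<dport>\d+) \((?P<plen>\d+)\)$")
UDP_RE = re.compile(r"^(?P<sport>\d+) > (?P<dport>\d+) \((?P<plen>\d+)\)$")
ICMP_RE = re.compile(r"^(?P<type>\d+)/(?P<code>\d+)(?: (?P<name>.*))?$")
MATCH_RE = re.compile(r"([suf])\(([^)]*)\)(\S+)")  # s(0)accept  u(2)accept  f(c94954)init/syn-rcvd

def parse_proto(text):
    """Decode the IP part and the tcp/udp/icmp part; ARP and raw Ethernet are kept verbatim."""
    m = IP_RE.match(text)
    if not m:
        return {"raw": text}
    d = {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "length": int(m["length"])}
    if m["more"]:  # fragment: "+" = more fragments follow, "-" = last fragment
        d["fragment"] = {"id": m["id"], "more": m["more"] == "+", "offset": int(m["offset"])}
    info = m["info"] or ""
    if d["proto"] == "tcp" and (t := TCP_RE.match(info)):
        d.update(flags=t["flags"] or "", sport=int(t["sport"]), dport=int(t["dport"]), payload=int(t["plen"]))
    elif d["proto"] == "udp" and (u := UDP_RE.match(info)):
        d.update(sport=int(u["sport"]), dport=int(u["dport"]), payload=int(u["plen"]))
    elif d["proto"] == "icmp" and (i := ICMP_RE.match(info)):
        d.update(icmp_type=int(i["type"]), icmp_code=int(i["code"]), icmp_name=i["name"] or "")
    else:
        d["info"] = info  # e.g. "(unhandled)"
    return d

def parse_match(text):
    """'s(0)accept u(2)accept' -> {'s': (0, 'accept'), 'u': (2, 'accept')}; flows -> (id, old, new)."""
    out = {}
    for kind, ident, tail in MATCH_RE.findall(text):
        if kind == "f":
            old, _, new = tail.partition("/")
            out["f"] = (ident, old, new)
        else:
            out[kind] = (int(ident), tail)  # -1 = default rule
    return out

def parse_entry(line):
    """Split one log line into its fixed components; raises ValueError for anything else."""
    parts = line.strip().split(" - ")
    head = HEAD_RE.match(parts[0]) if len(parts) >= 2 else None
    if not head:
        raise ValueError("not a security-log entry: %r" % line)
    e = {"time": head["time"], "iface": head["iface"], "dir": head["dir"]}
    e.update(parse_proto(head["proto"]))
    verb, _, reason = parts[1].partition(" ")  # e.g. "ACCEPT", "rule"
    e.update(action=verb, reason=reason, match={}, sub_action=None)
    for part in parts[2:]:
        if MATCH_RE.match(part):
            e["match"] = parse_match(part)
        else:  # sub action, e.g. "MODIFY saddr 192.168.5.66 sport 60001"
            sub, _, rest = part.partition(" ")
            args = rest.split()
            e["sub_action"] = {"verb": sub, "args": dict(zip(args[::2], args[1::2]))}
    return e

def parse_log(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def flow_transitions(entries):
    """flow id -> ordered (old state, new state) pairs, i.e. the stateful-inspection trace."""
    flows = defaultdict(list)
    for e in entries:
        if "f" in e["match"]:
            fid, old, new = e["match"]["f"]
            flows[fid].append((old, new))
    return dict(flows)

def nat_bindings(entries):
    """(inside addr, port) <-> (outside addr, port) pairs recovered from MODIFY sub actions."""
    pairs = set()
    for e in entries:
        sa = e["sub_action"]
        if not sa or sa["verb"] != "MODIFY" or "sport" not in e:
            continue
        a = sa["args"]
        if "saddr" in a:  # outgoing packet: source rewritten to the external address
            pairs.add(((e["src"], e["sport"]), (a["saddr"], int(a.get("sport", e["sport"])))))
        elif "daddr" in a:  # incoming reply: destination rewritten back to the inside host
            pairs.add(((a["daddr"], int(a.get("dport", e["dport"]))), (e["dst"], e["dport"])))
    return pairs
```

Feed the contents of an exported security log to parse_log and pass the result to flow_transitions and nat_bindings; on the sample above the first reports that flow c94954 went init/syn-rcvd and then wait-ack/open while c949a4 went wait-syn-ack/syn-ack-rcvd, and the second pairs 192.168.0.2:3263 with 192.168.5.66:60001. Entries the page does not define field-by-field (ARP, undecoded Ethernet) are kept verbatim under "raw" rather than guessed at.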

Related Topics:

Activate Security Log
Change Security Log Level