Interpret Security Log

The security log enables you to inspect the traffic that has been handled by the firewall. It shows the most important attributes of each packet and the action the firewall took for that packet. Different information is given depending on the packet type, but some attributes are always logged: the time when the packet was seen, the interface it was seen on, the direction of the packet, the packet's size in bytes and the protocol type. In most cases the source and destination address are also logged. Finally the action taken is logged, given as a main action (accept, deny, drop or error) followed by a more specific reason, e.g. "deny default rule". This action is also broken down to show in detail which decisions the firewall took: which supervisor rule, flow (if any) and user rule (if any) were matched. For each rule or flow, the associated action or state is also logged.

Example - TCP connection establishment:

1) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet was received on et2 (the "i" after the interface name stands for "incoming") and is an IP packet from 192.168.0.2 to 1.2.3.4 with a length of 44 bytes. The IP packet contains a TCP SYN segment (the "S" after "tcp:" is the SYN TCP flag) from port 3263 to port 80 with a payload size of 0 bytes. The final action for the packet was "ACCEPT rule", which means that a firewall rule was what made the firewall accept the packet.

2) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

The first log entry (1) is immediately followed by the same packet, but this time it is transmitted on another interface ("et1", "o" as in "outgoing"). Furthermore it is subject to a MODIFY action (i.e. it is NATed) so that the source address of the packet becomes the firewall's external IP address and the source port is taken from the "NAT pool".

3) 0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263

This packet is the response to the one in (1) and (2). Now both the S (SYN) and A (ACK) TCP flags are set. It first matches supervisor rule 1 and then flow c949a4, which makes the final decision for the packet, resulting in an "ACCEPT flow" final action.

4) 0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept

This is the same packet as in (3), but forwarded to the et2 interface.

5) 0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept

This packet is the last in the TCP "3-way handshake", which completes the connection establishment. Now only the A (ACK) TCP flag is set.

6) 0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001

This is the same packet as in (5), but forwarded to the et1 interface. It matches the same flow as the packet in (2) and the flow's state changes to "open".

General log entry format

Each log entry follows the same format ('' denotes variables, [] optional information and {|} "selective" information, i.e. one of the alternatives):

'time' : 'interface''dir' 'proto info' - 'action' [ - 'match info'] [ - 'sub action']
Protocol information format

IP packets: 'src ip addr' > 'dst ip addr' [#'id'] ('length'['more frags'@'offset']) 'proto': 'proto info'
ICMP packets: 'type'/'code' 'type name'
TCP segments: 'tcp flags' 'src port' > 'dst port' ('tcp length')
UDP datagrams: 'src port' > 'dst port' ('udp length')
Most other protocols are just logged as "(unhandled)".
ARP packets: 'arp op' 'src ip addr' 'dst ip addr'
Ethernet frames (undecoded): 'src ether addr' > 'dst ether addr' ('length') 'type'

Matching information format

Describes which objects matched the packet, i.e. which rule (through its filter specification) or flow (through its attributes). (See firewall rule syntax for more information about rules and flows.)

Incoming packets: s('super rule id')'action' {f('flow id')'old state'/'new state' | u('user rule id')'action'}
Outgoing packets: {f('flow id')'old state'/'new state' | u('user rule id')'action'} s('super rule id')'action'
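As an added example (not part of the original manual or the product's own software), the following Python parser implements the general entry, protocol and matching information formats described above and runs over the six handshake entries from the example, which are embedded as a constructed sample log. It also extracts the state transitions of a single flow so that an analyst can follow one connection through the log; the dictionary field names are this example's own choice.

```python
import re

# Constructed sample: the six handshake entries quoted above, joined as one log.
SAMPLE_LOG = """\
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (44) tcp: S 3263 > 80 (0) - ACCEPT rule - u(1)modify f(c94954)init/syn-rcvd s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
0d 22:28:14:et1i 1.2.3.4 > 192.168.5.66 (44) tcp: AS 80 > 60001 (0) - ACCEPT flow - s(1)accept f(c949a4)wait-syn-ack/syn-ack-rcvd - MODIFY daddr 192.168.0.2 dport 3263
0d 22:28:14:et2o 1.2.3.4 > 192.168.0.2 (44) tcp: AS 80 > 3263 (0) - ACCEPT rule - u(0)accept s(0)accept
0d 22:28:14:et2i 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - s(0)accept u(2)accept
0d 22:28:14:et1o 192.168.0.2 > 1.2.3.4 (40) tcp: A 3263 > 80 (0) - ACCEPT rule - f(c94954)wait-ack/open s(0)accept - MODIFY saddr 192.168.5.66 sport 60001
"""

# Field regexes follow the "General log entry format" and "Protocol information format" above.
HEAD = re.compile(r"^(?P<time>\d+d \d\d:\d\d:\d\d):(?P<iface>\w+?)(?P<dir>[io]) (?P<rest>.*)$")
IP = re.compile(r"^(?P<src>[\d.]+) > (?P<dst>[\d.]+)(?:\s*#(?P<id>\S+))? \((?P<len>\d+)[^)]*\) (?P<proto>\w+): (?P<info>.*)$")
TCP = re.compile(r"^(?P<flags>[A-Z]+) (?P<sport>\d+) > (?P<dport>\d+) \((?P<plen>\d+)\)$")
MATCH = re.compile(r"([sfu])\((\w+)\)(\S+)")  # s(id)action, u(id)action, f(id)old/new

def parse_entry(line):
    """Split one entry into header, packet, final action, match info and sub action."""
    m = HEAD.match(line.strip())
    if not m:
        raise ValueError("unrecognised entry: " + line)
    # Trailing fields are separated by " - "; no field value contains that sequence.
    proto_info, action, *tail = m.group("rest").split(" - ")
    entry = {"time": m.group("time"), "iface": m.group("iface"), "dir": m.group("dir"),
             "action": action, "matches": [], "sub_action": None}
    for part in tail:
        if MATCH.match(part):  # match info: supervisor rule, flow and user rule tokens in log order
            entry["matches"] += [{"kind": k, "id": i, "value": v} for k, i, v in MATCH.findall(part)]
        else:  # sub action, e.g. "MODIFY saddr 192.168.5.66 sport 60001" -> action + field/value pairs
            words = part.split()
            entry["sub_action"] = {"action": words[0], **dict(zip(words[1::2], words[2::2]))}
    ip = IP.match(proto_info)
    if ip:
        entry.update(src=ip.group("src"), dst=ip.group("dst"), length=int(ip.group("len")), proto=ip.group("proto"))
        tcp = TCP.match(ip.group("info")) if ip.group("proto") == "tcp" else None
        if tcp:
            entry.update(flags=tcp.group("flags"), sport=int(tcp.group("sport")),
                         dport=int(tcp.group("dport")), payload=int(tcp.group("plen")))
    return entry

def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]

def flow_states(entries, flow_id):
    """(old state, new state) transitions the log records for one flow, in log order."""
    return [tuple(m["value"].split("/")) for e in entries for m in e["matches"]
            if m["kind"] == "f" and m["id"] == flow_id]
```

Running flow_states(parse_log(SAMPLE_LOG), "c94954") yields the two transitions of the client-side flow, init to syn-rcvd and wait-ack to open, matching the walkthrough of entries (2) and (6).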