Monitor Firewall Events
You are here: Monitor > Events > Firewall.
Use this page to view information about the security events based on Event name, Source address, Destination address, Applications, User, Service, Policy, Nested application, Source interface and Source zone.
Using the time-range slider, you can quickly focus on the time and area of activity that you are most interested in. Once the time range is selected, all of the data presented in your view is refreshed automatically. You can also use the Custom button to set a custom time range.
You can select either the Grid View tab or the Chart View tab to view your data:
Grid View—View the comprehensive details of firewall events in a tabular format that includes sortable columns. You can group the events using the Group By option. For example, you can group the events based on source country. The table includes information such as the event name, source IP, destination country, and so on. Table 1 describes the fields on the Grid View page.
Chart View—View a brief summary of all the firewall events in your network. The top of the page has a swim lane graph of all the firewall events. You can use the widgets at the bottom of the page to view critical information such as, top sources, top destinations, and top users.Table 2 describes the widgets on the Chart View page.
Table 1: Firewall—Fields on the Grid View Page
Field | Description |
|---|---|
The filter that is displayed above the grids. | Displays the options available in the filter list are:
Select the criteria or parameter on which you want to construct the filter statement. |
Text box | Displays the filter parameter that you selected from the filter list. Note: In the filter statement the following limitation exists.
For example, if you have used & operator and the parameter event-name once, you cannot use them again in the same filter statement CORRECT USAGE: event name = rt_flow_session_close & application=TELNET WRONG USAGE: event name = rt_flow_session_close & event-name = rt_flow_session_create WRONG USAGE : event name = rt_flow_session_close & source-address = x.x.x.x & application = TELNET Note: The filter statement is NOT case-sensitive. Add the parameter for which you want to filter. For example, in the filter list if you selected event-name as the parameter, the text box displays event-name =. If you add rt_flow_session_close to see only Firewall events then the text box displays event name = rt_flow_session_close. |
Go | Executes the filter statement that is displayed in the text box. Click Go. |
X | Clears the filters. Click X. |
Show Hide Column Filter icon represented by three vertical dots | Enables you to show or hide a column in the grid. |
Threat Severity | Displays the severity level of the threat |
Description | Displays the description of the log. |
Attack Name | Displays the attack name of the log. |
UTM Category or Virus Name | Displays the UTM category of the log. |
Event Category | Displays the event category of the log. |
Source IP | Displays the source IP address from where the event occurred. |
Source Port | Displays the source port of the event. |
Application | Displays the application name from which the events or logs are generated. |
User Name | Displays the user name from whom the log is generated. |
Host Name | Displays the host name in the log. |
Service Name | Displays the name of the application service. For example, FTP, HTTP, SSH, and so on. |
Protocol ID | Displays the protocol ID in the log. |
Policy Name | Displays the policy name in the log. |
Destination Zone | Displays the destination zone of the log. |
Roles | Displays the role names associated with the event. |
Reason | Displays the reason for the log generation. For example, a connection tear down may have an associated reason such as authentication failed. |
NAT Source Port | Displays the translated source port. |
NAT Destination Port | Displays the translated destination port. |
NAT Source Rule Name | Displays the NAT source rule name. |
NAT Destination Rule Name | Displays the NAT destination rule name. |
NAT Source IP | Displays the translated (or natted) source IP address. It can contain IPv4 or IPv6 addresses. |
NAT Destination IP | Displays the translated (also called natted) destination IP address. |
Traffic Session ID | Displays the traffic session ID of the log. |
URL | Displays the accessed URL name that triggered the event. |
Object Name | Displays the object name of the log. |
Path Name | Displays the path name of the log. |
Logical System Name | Displays the name of the logical system. |
Rule Name | Displays the rule name of the log. |
Action | Displays the action taken for the event: warning, allow, and block. |
Profile Name | Displays the profile name in the log. |
Time | Displays the time when the log was received. |
Source IP | Displays the source IP address from where the event occurred. |
Destination Country | Displays the destination country name from where the event occurred. |
Destination IP | Displays the destination IP address of the event. |
Destination Port | Displays the destination port of the event. |
Table 2: Firewall—Widgets on the Chart View Page
Field | Description |
|---|---|
Top Sources | Displays the top five source IP addresses of the network traffic; sorted by event count. |
Top Destinations | Displays the top five destination IP addresses of the network traffic; sorted by event count. |
Top Users | Displays the top five users of the network traffic; sorted by event count. |