Details for Network Firewall Logs
Logging details for Network Firewall logs. Two types of customer logs are available: threat logs and traffic logs.
Resources
- NGFW
Log Categories
API value (ID) | Console (Display Name) | Description |
---|---|---|
threat-log | Threat Log | Provides details on received firewall threats. |
traffic-log | Traffic Log | Provides details on traffic passing through the firewall. |
Availability
Network Firewall logging is available in all the regions of the commercial realms.
Comments
Both threat logs and traffic logs are available. Logs are emitted to customers from the dataplane on a five-minute interval. The dataplane also registers logs as they're received.
Contents of a Network Firewall Threat Log
Property | Description |
---|---|
datetime | Timestamp when the log was received. |
action | Action taken for the session. Values are allow, deny, drop. |
device_name | The hostname of the firewall on which the session was logged. |
direction | Indicates the direction of the attack: client-to-server or server-to-client. |
dst | Original session destination IP address. |
dstloc | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
dstuser | User name of the user to which the session was destined. |
firewall-id | OCID of the firewall. |
proto | IP protocol associated with the session. |
receive_time | Time the log was received at the management plane. |
rule | Name of the rule that the session matched. |
sessionid | An internal numerical identifier applied to each session. |
severity | Severity associated with the threat. Values are informational, low, medium, high, and critical. |
src | Original session source IP address. |
srcloc | Source country or internal region for private addresses. Maximum length is 32 bytes. |
srcuser | User name of the user who started the session. |
subtype | Subtype of threat log. Values include the following: |
thr_category | Describes threat categories used to classify different types of threat signatures. |
threatid | Palo Alto Networks identifier for the threat. A description string followed by a 64-bit numerical identifier in parentheses for some subtypes: |
id | UUID of the log message. |
compartmentid | OCID of the compartment. |
ingestedtime | Timestamp when log was received by the Logging service. |
loggroupid | OCID of the log group. |
logid | OCID of the log object. |
tenantid | OCID of the tenant. |
source | OCID of the firewall. |
specversion | The version of the CloudEvents specification which the event uses. Enables the interpretation of the context. |
time | Timestamp when log was written. |
type | Type of the logs. |
regionId | OCID of the firewall region. |
Contents of a Network Firewall Traffic Log
Property | Description |
---|---|
datetime | Timestamp when log was received. |
action | Action taken for the session. Possible values are: |
bytes | Number of total bytes (transmit and receive) for the session. |
bytes_received | Number of bytes in the server-to-client direction of the session. |
bytes_sent | Number of bytes in the client-to-server direction of the session. |
chunks | Sum of SCTP chunks sent and received for an association. |
chunks_received | Number of SCTP chunks sent for an association. |
chunks_sent | Number of SCTP chunks received for an association. |
config_ver | Configuration version. |
device_name | The hostname of the firewall on which the session was logged. |
dport | Destination port used by the session. |
dst | Original session destination IP address. |
dstloc | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
firewall-id | OCID of the firewall. |
packets | Number of total packets (transmit and receive) for the session. |
pkts_received | Number of server-to-client packets for the session. |
pkts_sent | Number of client-to-server packets for the session. |
proto | IP protocol associated with the session. |
receive_time | Time the log was received at the management plane. |
rule | Name of the rule that the session matched. |
rule_uuid | The UUID that permanently identifies the rule. |
serial | Serial number of the firewall that generated the log. |
sessionid | An internal numerical identifier applied to each session. |
sport | Source port used by the session. |
src | Original session source IP address. |
srcloc | Source country or internal region for private addresses. Maximum length is 32 bytes. |
time_received | Time the log was received at the management plane. |
id | UUID of the log message. |
compartmentid | OCID of the compartment. |
ingestedtime | Timestamp when log was received by the Logging service. |
loggroupid | OCID of the log group. |
logid | OCID of the log object. |
tenantid | OCID of the tenant. |
source | OCID of the firewall. |
specversion | The version of the CloudEvents specification which the event uses. Enables the interpretation of the context. |
time | Timestamp when the log was written. |
type | Type of the logs. |
regionId | OCID of the firewall region. |
Example Network Firewall Threat Log
```json
{
  "datetime": 1684255949000,
  "logContent": {
    "data": {
      "action": "reset-both",
      "device_name": "<device_name>",
      "direction": "server-to-client",
      "dst": "192.0.1.168",
      "dstloc": "192.0.0.10-192.0.0.11",
      "dstuser": "no-value",
      "firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
      "proto": "tcp",
      "receive_time": "2023/05/16 16:52:29",
      "rule": "<rule_name>",
      "sessionid": "11804",
      "severity": "medium",
      "src": "192.0.2.168",
      "srcloc": "192.0.0.1-192.0.0.2",
      "srcuser": "no-value",
      "subtype": "vulnerability",
      "thr_category": "code-execution",
      "threatid": "Eicar File Detected"
    },
    "id": "<unique_ID>",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..<unique_ID>",
      "ingestedtime": "2023-05-16T16:56:27.373Z",
      "loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
      "logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
      "tenantid": "ocid1.tenancy.oc1..<unique_ID>"
    },
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "specversion": "1.0",
    "time": "2023-05-16T16:52:29.000Z",
    "type": "com.oraclecloud.networkfirewall.threat"
  },
  "regionId": "me-jeddah-1"
}
```
Example Network Firewall Traffic Log
```json
{
  "datetime": 1684257454000,
  "logContent": {
    "data": {
      "action": "allow",
      "bytes": "6264",
      "bytes_received": "4411",
      "bytes_sent": "1853",
      "chunks": "0",
      "chunks_received": "0",
      "chunks_sent": "0",
      "config_ver": "2561",
      "device_name": "<device_name>",
      "dport": "<port_number>",
      "dst": "192.0.1.168",
      "dstloc": "192.0.0.1-192.0.0.2",
      "firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
      "packets": "28",
      "pkts_received": "12",
      "pkts_sent": "16",
      "proto": "tcp",
      "receive_time": "2023/05/16 17:17:34",
      "rule": "<rule_name>",
      "rule_uuid": "<rule_unique_ID>",
      "serial": "<serial_number>",
      "sessionid": "<session_ID>",
      "sport": "<port_number>",
      "src": "192.0.2.168",
      "srcloc": "192.0.0.10-192.0.0.11",
      "time_received": "2023/05/16 17:17:34"
    },
    "id": "<unique_ID>",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..<unique_ID>",
      "ingestedtime": "2023-05-16T17:17:58.493Z",
      "loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
      "logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
      "tenantid": "ocid1.tenancy.oc1..<unique_ID>"
    },
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "specversion": "1.0",
    "time": "2023-05-16T17:17:34.000Z",
    "type": "com.oraclecloud.networkfirewall.traffic"
  },
  "regionId": "me-jeddah-1"
}
```
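As an added example (this is not part of the documentation page and not Oracle's code), the following Python consumes records shaped like the threat and traffic examples above. It flattens the CloudEvents envelope into the fields a detection rule needs, checks that the epoch-millisecond `datetime` agrees with `logContent.time`, measures the lag between `time` and `ingestedtime`, converts the string-typed traffic counters and verifies that the totals add up, and flags threat records worth alerting on. The two sample records are constructed from the page's examples (trimmed to the fields used, placeholders such as `<unique_ID>` kept); the severity ranking and the "actionable threat" rule are assumptions of this example, not something the page defines.

```python
import json
from datetime import datetime, timezone

# Constructed sample records, shaped like the two example log entries on this
# page. Fields the checks below do not use are trimmed; placeholder values
# such as <unique_ID> are kept exactly as the page shows them.
THREAT_LOG = """{
  "datetime": 1684255949000,
  "logContent": {
    "data": {"action": "reset-both", "direction": "server-to-client",
             "dst": "192.0.1.168", "src": "192.0.2.168", "proto": "tcp",
             "rule": "<rule_name>", "severity": "medium",
             "subtype": "vulnerability", "thr_category": "code-execution",
             "threatid": "Eicar File Detected", "sessionid": "11804"},
    "oracle": {"ingestedtime": "2023-05-16T16:56:27.373Z"},
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "time": "2023-05-16T16:52:29.000Z",
    "type": "com.oraclecloud.networkfirewall.threat"
  },
  "regionId": "me-jeddah-1"
}"""

TRAFFIC_LOG = """{
  "datetime": 1684257454000,
  "logContent": {
    "data": {"action": "allow", "bytes": "6264", "bytes_received": "4411",
             "bytes_sent": "1853", "packets": "28", "pkts_received": "12",
             "pkts_sent": "16", "proto": "tcp", "dport": "<port_number>",
             "sport": "<port_number>", "dst": "192.0.1.168",
             "src": "192.0.2.168", "rule": "<rule_name>",
             "sessionid": "<session_ID>"},
    "oracle": {"ingestedtime": "2023-05-16T17:17:58.493Z"},
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "time": "2023-05-16T17:17:34.000Z",
    "type": "com.oraclecloud.networkfirewall.traffic"
  },
  "regionId": "me-jeddah-1"
}"""

# Assumed ordering of the severity values listed in the threat-log table.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def _iso(ts: str) -> datetime:
    """Parse the Logging service's ISO-8601 'Z' timestamps into aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def parse_record(raw: str) -> dict:
    """Flatten one Logging-service record into the fields a rule needs."""
    rec = json.loads(raw)
    content = rec["logContent"]
    return {
        "kind": content["type"].rsplit(".", 1)[-1],  # "threat" or "traffic"
        "firewall": content["source"],
        "region": rec["regionId"],
        "written": _iso(content["time"]),
        "ingested": _iso(content["oracle"]["ingestedtime"]),
        # Top-level "datetime" is epoch milliseconds, unlike the other timestamps.
        "emitted": datetime.fromtimestamp(rec["datetime"] / 1000, tz=timezone.utc),
        "data": content["data"],
    }


def timestamps_agree(flat: dict) -> bool:
    """True when the epoch-ms 'datetime' and the ISO 'time' describe the same instant."""
    return flat["emitted"] == flat["written"]


def ingest_lag_seconds(flat: dict) -> float:
    """Seconds between the firewall writing the log and Logging ingesting it."""
    return round((flat["ingested"] - flat["written"]).total_seconds(), 3)


def is_actionable_threat(flat: dict, min_severity: str = "medium") -> bool:
    """Assumed alert rule: threat records at or above min_severity not simply allowed."""
    if flat["kind"] != "threat":
        return False
    sev = SEVERITY_RANK.get(flat["data"].get("severity", "informational"), 0)
    return sev >= SEVERITY_RANK[min_severity] and flat["data"].get("action") != "allow"


def traffic_counters(flat: dict) -> dict:
    """Counters arrive as JSON strings; convert them and verify the totals add up."""
    d = flat["data"]
    sent, recv = int(d["bytes_sent"]), int(d["bytes_received"])
    psent, precv = int(d["pkts_sent"]), int(d["pkts_received"])
    return {
        "bytes_total": int(d["bytes"]),
        "bytes_consistent": int(d["bytes"]) == sent + recv,
        "packets_consistent": int(d["packets"]) == psent + precv,
        "server_to_client_ratio": round(recv / max(sent + recv, 1), 3),
    }


def summarize(raws: list) -> list:
    """One human-readable line per record, the way a triage script would print them."""
    lines = []
    for raw in raws:
        flat = parse_record(raw)
        d = flat["data"]
        if flat["kind"] == "threat":
            lines.append(f"THREAT {d['severity']} {d['src']}->{d['dst']} {d['threatid']!r} "
                         f"action={d['action']} actionable={is_actionable_threat(flat)}")
        else:
            c = traffic_counters(flat)
            lines.append(f"TRAFFIC {d['action']} {d['src']}:{d['sport']}->{d['dst']}:{d['dport']} "
                         f"bytes={c['bytes_total']} lag={ingest_lag_seconds(flat)}s")
    return lines


if __name__ == "__main__":
    for line in summarize([THREAT_LOG, TRAFFIC_LOG]):
        print(line)
```

Two points the page's examples show but are easy to miss when writing rules: every counter in `data` (`bytes`, `packets`, `sessionid`, ports) is a JSON string, so numeric comparisons must convert first; and a record carries three clocks (`datetime` in epoch milliseconds, `time`/`ingestedtime` in ISO 8601, and `receive_time` in a `YYYY/MM/DD HH:MM:SS` form), so the ingestion lag is best measured from `time` to `ingestedtime` as above.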