Oracle Cloud Infrastructure Documentation

Details for Network Firewall Logs

Logging details for Network Firewall logs. Two types of customer logs are available: threat and traffic Logs.

Resources

  • NGFW

Log Categories

API value (ID): Console (Display Name) Description
threat-log Threat Log Provides details on received firewall threats.
traffic-log Traffic Log Provides details on traffic passing through the firewall.

Availability

Network Firewall logging is available in all the regions of the commercial realms.

Comments

Both Threat Logs and Traffic Logs are available. Logs are emitted to customers based on a five minute interval from the dataplane. The dataplane also registers logs as they're received.

Contents of a Network Firewall Threat Log

Property Description
datetime Timestamp when the log was received.
action
Action taken for the session. Values are, allow, deny, drop.
  • allow: Flood detection alert.
  • deny: Flood detection mechanism activated and deny traffic based on configuration.
  • drop: Threat detected and associated session was dropped.
device_name The hostname of the firewall on which the session was logged.
direction
Indicates the direction of the attack, whether client-to-server or server-to-client:
  • 0: Direction of the threat is client-to-server.
  • 1: Direction of the threat is server-to-client.
dst Original session destination IP address.
dstloc Destination country or internal region for private addresses. Maximum length is 32 bytes.
dstuser User name of the user to which the session was destined.
firewall-id OCID of the firewall.
proto IP protocol associated with the session.
receive_time Time the log was received at the management plane.
rule Name of the rule that the session matched.
sessionid An internal numerical identifier applied to each session.
severity Severity associated with the threat. Values are informational, low, medium, high, and critical.
src Original session source IP address.
srcloc Source country or internal region for private addresses. Maximum length is 32 bytes.
srcuser User name of the user who started the session.
subtype
Subtype of threat log. Values include the following:
  • data: Data pattern matching a Data Filtering profile.
  • file: File type matching a File Blocking profile.
  • flood: Flood detected through a Zone Protection profile.
  • packet: Packet-based attack protection triggered by a Zone Protection profile.
  • scan: Scan detected through a Zone Protection profile.
  • spyware: Spyware detected through an anti-spyware profile.
  • url: URL filtering log.
  • virus: Virus detected through an anti-virus profile.
  • vulnerability: Vulnerability exploit detected through a Vulnerability Protection profile.
thr_category Describes threat categories used to classify different types of threat signatures.
threatid
Palo Alto Networks identifier for the threat. A description string followed by a 64-bit numerical identifier in parentheses for some subtypes:
  • 8000-8099: Scan detection.
  • 8500-8599: Flood detection.
  • 9999: URL filtering log.
  • 10000-19999: Spyware phone home detection.
  • 20000-29999: Spyware download detection.
  • 30000-44999: Vulnerability exploit detection.
  • 52000-52999: File type detection.
  • 60000-69999: Data filtering detection.
id UUID of the log message.
compartmentid OCID of the compartment.
ingestedtime Timestamp when log was received by the Logging service.
loggroupid OCID of the log group.
logid OCID of the log object.
tenantid OCID of the tenant.
source OCID of the firewall.
specversion The version of the CloudEvents specification which the event uses. Enables the interpretation of the context.
time Timestamp when log was written.
type Type of the logs.
regionId OCID of the firewall region.

Contents of a Network Firewall Traffic Log

Property Description
datetime Timestamp when log was received.
action
Action taken for the session. Possible values are:
  • allow: Session allowed by policy.
  • deny: Session denied by policy.
  • drop: Session dropped silently.
  • drop ICMP: Session silently dropped with an ICMP unreachable message to the host or application.
  • reset both: Session ended and a TCP reset is sent to both sides of the connection.
bytes Number of total bytes (transmit and receive) for the session.
bytes_received Number of bytes in the server-to-client direction of the session.
bytes_sent Number of bytes in the client-to-server direction of the session.
chunks Sum of SCTP chunks sent and received for an association.
chunks_received Number of SCTP chunks sent for an association.
chunks_sent Number of SCTP chunks received for an association.
config_ver Configuration version.
device_name The hostname of the firewall on which the session was logged.
dport Destination port used by the session.
dst Original session destination IP address.
dstloc Destination country or internal region for private addresses. Maximum length is 32 bytes.
firewall-id OCID of the firewall.
packets Number of total packets (transmit and receive) for the session.
pkts_received Number of server-to-client packets for the session.
pkts_sent Number of client-to-server packets for the session.
proto IP protocol associated with the session.
receive_time Time the log was received at the management plane.
rule Name of the rule that the session matched.
rule_uuid The UUID that permanently identifies the rule.
serial Serial number of the firewall that generated the log.
sessionid An internal numerical identifier applied to each session.
sport Source port used by the session.
src Original session source IP address.
srcloc Source country or internal region for private addresses. Maximum length is 32 bytes.
time_received Time the log was received at the management plane.
id UUID of the log message.
compartmentid OCID of the compartment.
ingestedtime Timestamp when log was received by the Logging service.
loggroupid OCID of the log group.
logid OCID of the log object.
tenantid OCID of the tenant.
source OCID of the firewall.
specversion The version of the CloudEvents specification which the event uses. Enables the interpretation of the context.
time Timestamp when the log was written.
type Type of the logs.
regionId OCID of the firewall region.

Example Network Firewall Threat Log

{
  "datetime": 1684255949000,
  "logContent": {
    "data": {
      "action": "reset-both",
      "device_name": "<device_name>",
      "direction": "server-to-client",
      "dst": "192.0.1.168",
      "dstloc": "192.0.0.10-192.0.0.11",
      "dstuser": "no-value",
      "firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
      "proto": "tcp",
      "receive_time": "2023/05/16 16:52:29",
      "rule": "<rule_name>",
      "sessionid": "11804",
      "severity": "medium",
      "src": "192.0.2.168",
      "srcloc": "192.0.0.1-192.0.0.2",
      "srcuser": "no-value",
      "subtype": "vulnerability",
      "thr_category": "code-execution",
      "threatid": "Eicar File Detected"
    },
    "id": "<unique_ID>",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..<unique_ID>",
      "ingestedtime": "2023-05-16T16:56:27.373Z",
      "loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
      "logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
      "tenantid": "ocid1.tenancy.oc1..<unique_ID>"
    },
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "specversion": "1.0",
    "time": "2023-05-16T16:52:29.000Z",
    "type": "com.oraclecloud.networkfirewall.threat"
  },
  "regionId": "me-jeddah-1"
}

Example Network Firewall Traffic Log

{
  "datetime": 1684257454000,
  "logContent": {
    "data": {
      "action": "allow",
      "bytes": "6264",
      "bytes_received": "4411",
      "bytes_sent": "1853",
      "chunks": "0",
      "chunks_received": "0",
      "chunks_sent": "0",
      "config_ver": "2561",
      "device_name": "<device_name>",
      "dport": "<port_number>",
      "dst": "192.0.1.168",
      "dstloc": "192.0.0.1-192.0.0.2",
      "firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
      "packets": "28",
      "pkts_received": "12",
      "pkts_sent": "16",
      "proto": "tcp",
      "receive_time": "2023/05/16 17:17:34",
      "rule": "<rule_name>",
      "rule_uuid": "<rule_unique_ID>",
      "serial": "<serial_number>",
      "sessionid": "<session_ID>",
      "sport": "<port_number>",
      "src": "192.0.2.168",
      "srcloc": "192.0.0.10-192.0.0.11",
      "time_received": "2023/05/16 17:17:34"
    },
    "id": "<unique_ID>",
    "oracle": {
      "compartmentid": "ocid1.compartment.oc1..<unique_ID>",
      "ingestedtime": "2023-05-16T17:17:58.493Z",
      "loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
      "logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
      "tenantid": "ocid1.tenancy.oc1..<unique_ID>"
    },
    "source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
    "specversion": "1.0",
    "time": "2023-05-16T17:17:34.000Z",
    "type": "com.oraclecloud.networkfirewall.traffic"
  },
  "regionId": "me-jeddah-1"
}