Generated Time (time_generated or cef-formatted-time_generated)
|
Time the log was generated on the dataplane.
|
Source Address (src_ip)
|
Original session source IP address.
|
Source port (sport)
|
Source port utilized by the session.
|
Session ID (sessionid)
|
An internal numerical identifier applied to each session.
|
Destination Address (dst_ip)
|
Original session destination IP address.
|
Destination port (dport)
|
Destination port utilized by the session.
|
IP Protocol (proto)
|
IP protocol associated with the session.
|
Application (app)
|
Application associated with the session.
|
Rule Name (rule)
|
Name of the rule that the session matched.
|
Action (action)
|
Action taken for the session; possible values are:
allow—session was allowed by policy
deny—session was denied by policy
reset both—session was terminated and a TCP reset is sent to both sides of the connection
reset client—session was terminated and a TCP reset is sent to the client
reset server—session was terminated and a TCP reset is sent to the server
|
Bytes Received (bytes_recv)
|
Number of bytes in the server-to-client direction of the session.
|
Bytes Sent (bytes_sent)
|
Number of bytes in the client-to-server direction of the session.
|
Packets Received (pkts_received)
|
Number of server-to-client packets for the session.
|
Packets Sent (pkts_sent)
|
Number of client-to-server packets for the session.
|
Start Time (start_time)
|
Time the session started.
|
Elapsed Time (elapsed_time)
|
Elapsed time of the session.
|
Repeat Count (repeat_count)
|
Number of sessions with the same Source IP, Destination IP,
Application, and Subtype seen within 5 seconds.
|
Category (category)
|
URL category associated with the session (if applicable).
|
Source Country (src country)
|
Source country or Internal region for private addresses; maximum
length is 32 bytes.
|
Destination Country (dst country)
|
Destination country or Internal region for private addresses; maximum
length is 32 bytes.
|
Session End Reason (session_end_reason)
|
The reason a session terminated. If the termination had multiple
causes, this field displays only the highest priority reason. The
possible session end reason values are as follows, in order of
priority (where the first is highest):
threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
policy-deny—The session matched a security rule with a deny or drop action.
decrypt-cert-validation—The session terminated because you configured the firewall to block when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification timeout. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL Forward Proxy decryption or SSL Inbound Inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
decrypt-error—The session terminated because you configured the firewall to block SSL Forward Proxy decryption or SSL Inbound Inspection when firewall resources were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSL errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
tcp-rst-from-client—The client sent a TCP reset to the server.
tcp-rst-from-server—The server sent a TCP reset to the client.
resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
tcp-fin—Both hosts in the connection sent a TCP FIN message to close the session.
tcp-reuse—A session is reused and the firewall closes the previous session.
decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
aged-out—The session aged out.
n/a—This value applies when the Traffic log type is not end.
|
XFF Address (xff_ip)
|
The IP address of the user who requested the webpage, or the IP
address of the next-to-last device that the request traversed.
If the request goes through one or more proxies, load balancers, or
other upstream devices, the firewall displays the IP address of the
most recent device. Because the X-Forwarded-For header is set by
whatever sits in front of the firewall, treat this value as trustworthy
only when the session source is a proxy you control.
|
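The Action values, the client-to-server versus server-to-client byte fields, the Session End Reason priority order and the XFF caveat above can be exercised together with a small log parser. The following is an added example written for this page; it is not PAN-OS code and does not reproduce Palo Alto Networks' CEF field mapping. It parses constructed CEF-formatted traffic log lines whose extension keys are the field names used in this reference (an assumption, chosen so the code reads against the table; the vendor's real CEF keys differ), validates action and session_end_reason against the enumerations above, picks the highest-priority end reason from several causes, trusts xff_ip only when src_ip falls in an assumed proxy network, and flags decryption failures and large client-to-server transfers.

```python
"""Parse CEF-formatted traffic log lines and apply the field semantics
documented above. Added example for this page; not PAN-OS code."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Values enumerated under Action (action).
ACTIONS = {"allow", "deny", "reset both", "reset client", "reset server"}

# Session end reasons in the priority order given above (index 0 = highest).
END_REASONS = [
    "threat", "policy-deny", "decrypt-cert-validation",
    "decrypt-unsupport-param", "decrypt-error", "tcp-rst-from-client",
    "tcp-rst-from-server", "resources-unavailable", "tcp-fin", "tcp-reuse",
    "decoder", "aged-out", "n/a",
]
PRIORITY = {reason: rank for rank, reason in enumerate(END_REASONS)}

# Assumption: only sessions whose src_ip is in these networks carry an XFF
# value set by a proxy we operate; any other client can forge X-Forwarded-For.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Constructed sample lines; extension keys follow the field names in this
# reference (an assumption), not the vendor's real CEF key mapping.
SAMPLE_LINES = [
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|1|time_generated=2024/05/03 10:15:00 "
    "sessionid=1001 src_ip=10.1.2.3 sport=51234 dst_ip=203.0.113.10 dport=443 proto=tcp "
    "app=ssl rule=allow-web action=allow bytes_sent=820 bytes_recv=19000 session_end_reason=tcp-fin",
    # rule name contains an escaped '=' to exercise CEF extension unescaping
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|1|time_generated=2024/05/03 10:15:02 "
    "sessionid=1002 src_ip=10.1.2.3 sport=51240 dst_ip=203.0.113.10 dport=443 proto=tcp "
    "app=ssl rule=decrypt\\=outbound action=reset both bytes_sent=300 bytes_recv=0 "
    "session_end_reason=decrypt-cert-validation",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|1|time_generated=2024/05/03 10:16:00 "
    "sessionid=1003 src_ip=10.20.0.5 sport=40000 dst_ip=198.51.100.7 dport=443 proto=tcp "
    "app=web-browsing rule=allow-web action=allow bytes_sent=7340032 bytes_recv=1200 "
    "session_end_reason=tcp-fin xff_ip=192.168.5.9",
    "CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|1|time_generated=2024/05/03 10:16:30 "
    "sessionid=1004 src_ip=192.0.2.44 sport=4444 dst_ip=10.1.2.3 dport=22 proto=tcp "
    "app=ssh rule=block-inbound action=deny bytes_sent=60 bytes_recv=0 session_end_reason=policy-deny",
]


def _unescape(text):
    # CEF escapes '|' and '\' in the header, '=' and '\' in the extension.
    return re.sub(r"\\(.)", r"\1", text)


def parse_cef(line):
    """Return (header_fields, extension_dict) for one CEF line.

    The header is seven '|'-separated fields starting with 'CEF:<version>';
    the extension is key=value pairs whose values may contain spaces
    (e.g. action=reset both), so keys are located by an unescaped '='.
    """
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    header = [_unescape(p) for p in parts[:7]]
    ext = parts[7]
    fields = {}
    keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end]).rstrip()
    return header, fields


def check_enums(fields):
    """Report values outside the enumerations the field reference defines."""
    problems = []
    if fields.get("action") not in ACTIONS:
        problems.append("unknown action %r" % fields.get("action"))
    if fields.get("session_end_reason") not in PRIORITY:
        problems.append("unknown session_end_reason %r" % fields.get("session_end_reason"))
    return problems


def highest_priority_reason(reasons):
    """Of several termination causes, return the one the log would display."""
    return min(reasons, key=lambda r: PRIORITY[r])


def client_ip(fields):
    """Use xff_ip only when src_ip is one of our proxies; otherwise src_ip."""
    src = ip_address(fields["src_ip"])
    xff = fields.get("xff_ip")
    if xff and any(src in net for net in TRUSTED_PROXIES):
        try:
            return str(ip_address(xff))
        except ValueError:
            pass  # malformed XFF value: fall back to the observed source
    return str(src)


def triage(lines, upload_threshold=5_000_000):
    """Count end reasons; flag decryption failures and large client uploads."""
    counts, findings = Counter(), []
    for line in lines:
        _, f = parse_cef(line)
        for p in check_enums(f):
            findings.append("%s: %s" % (f.get("sessionid"), p))
        reason = f.get("session_end_reason", "n/a")
        counts[reason] += 1
        if reason.startswith("decrypt-"):
            findings.append("%s: decryption failure (%s) to %s:%s" % (
                f.get("sessionid"), reason, f.get("dst_ip"), f.get("dport")))
        # bytes_sent is client-to-server: a large allowed upload deserves a look.
        if f.get("action") == "allow" and int(f.get("bytes_sent", 0)) >= upload_threshold:
            findings.append("%s: %s bytes client-to-server from %s (%s)" % (
                f.get("sessionid"), f["bytes_sent"], client_ip(f), f.get("app")))
    return counts, findings


if __name__ == "__main__":
    totals, notes = triage(SAMPLE_LINES)
    print(dict(totals))
    for n in notes:
        print(n)
```

The upload threshold and the trusted-proxy network are placeholders to tune for your environment; the point of client_ip is that xff_ip is attacker-supplied unless the session demonstrably came through your own proxy.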