Cloud NGFW for AWS Traffic Log Fields

Field Name
Description
Source Address (src_ip)
Original session source IP address.
Source Port (sport)
Source port utilized by the session.
Destination Address (dst)
Original session destination IP address.
Destination Port (dport)
Destination port utilized by the session.
IP Protocol (proto)
IP protocol associated with the session.
Application (app)
Application associated with the session.
Rule Name (rule)
Name of the rule that the session matched.
Action (action)
Action taken for the session; possible values are:
  • allow—session was allowed by policy
  • deny—session was denied by policy
  • reset both—session was terminated and a TCP reset is sent to both the sides of the connection
  • reset client—session was terminated and a TCP reset is sent to the client
  • reset server—session was terminated and a TCP reset is sent to the server
Bytes Received (bytes_received)
Number of bytes in the server-to-client direction of the session.
Bytes Sent (bytes_sent)
Number of bytes in the client-to-server direction of the session.
Packets Received (pkts_received)
Number of server-to-client packets for the session.
Packets Sent (pkts_sent)
Number of client-to-server packets for the session.
Start Time (start)
Time of session start.
Elapsed Time (elapsed)
Elapsed time of the session.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
Category (category)
URL category associated with the session (if applicable).
Source Country (srcloc)
Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Country (dstloc)
Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Session End Reason (session_end_reason)
The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
  • threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  • policy-deny—The session matched a security rule with a deny or drop action.
  • decrypt-cert-validation—The session terminated because you configured the firewall to block when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (
    SSLv3 only
    ).
  • decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displays when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  • decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSL errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  • tcp-rst-from-client—The client sent a TCP reset to the server.
  • tcp-rst-from-server—The server sent a TCP reset to the client.
  • resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  • tcp-fin—Both hosts in the connection sent a TCP FIN message to close the session.
  • tcp-reuse—A session is reused and the firewall closes the previous session.
  • decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  • aged-out—The session aged out.
  • n/a—This value applies when the traffic log type is not
    end
    .
XFF Address (xff)
The IP address of the user who requested the web page or the IP address of the next to last device that the request traversed. If the request goes through one or more proxies, load balancers, or other upstream devices, the firewall displays the IP address of the most recent device.

Recommended For You