Log Types
Table of Contents
Log Types
The firewall displays all logs so that role-based administration
permissions are respected. Only the information that you are permitted
to see is visible, which varies depending on the types of logs you
are viewing. For information on administrator permissions, see Device
> Admin Roles.
Log Type | Description |
|---|---|
Traffic | Displays an entry for the start and end
of each session. Each entry includes the date and time, source and
destination zones, addresses and ports, application name, security
rule name applied to the flow, rule action (allow, deny,
or drop), ingress and egress interface, number
of bytes, and session end reason. The Type column indicates
whether the entry is for the start or end of the session, or whether
the session was denied or dropped. A “drop” indicates that the security
rule that blocked the traffic specified “any” application, while
a “deny” indicates the rule identified a specific application. If
traffic is dropped before the application is identified, such as
when a rule drops all traffic for a specific service, the application
is shown as “not-applicable”. Drill down in traffic logs for
more details on individual entries, artifacts, and actions:
|
Threat | Displays an entry for each security alarm
generated by the firewall. Each entry includes the date and time,
a threat name or URL, the source and destination zones, addresses, and
ports, the application name, security rule name applied to the flow,
and the alarm action (allow or block)
and severity. The Type column indicates the type of threat,
such as “virus” or “spyware;” the Name column is the threat description
or URL; and the Category column is the threat category (such as
“keylogger”) or URL category. Drill down in threat logs for
more details on individual entries, artifacts, and actions:
|
URL Filtering | Displays logs for URL filters, which control
access to websites and whether users can submit credentials to websites. Select Objects
> Security Profiles > URL Filtering to define URL filtering
settings, including which URL categories to block or allow and to
which you want to grant or disable credential submissions. You can
also enable logging of the HTTP header options for the URL. On
a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash contained
in a log entry and click the drop-down ( 
|
WildFire Submissions | Displays logs for files and email links
that the firewall forwarded for WildFire™ analysis. The WildFire
cloud analyzes the sample and returns analysis results, which include
the WildFire verdict assigned to the sample (benign, malware, grayware,
or phishing). You can confirm if the firewall allowed or blocked
a file based on Security policy rules by viewing the Action column. On
a firewall with an active AutoFocus license, hover next to an IP
address, filename, URL, user agent, threat name, or hash (in the
File Digest column) contained in a log entry and click the drop-down
(
|
Data Filtering | Displays logs for the security policies
with attached Data Filtering profiles, to help prevent sensitive
information such as credit card or social security numbers from
leaving the area protected by the firewall, and File Blocking profiles,
that prevent certain file types from being uploaded or downloaded. To
configure password protection for access the details for a log entry,
click 
The system prompts you
to enter the password only once per session. |
HIP Match | Displays all HIP matches that the GlobalProtect™ gateway
identifies when comparing the raw HIP data reported by the agent
to the defined HIP objects and HIP profiles. Unlike other logs,
a HIP match is logged even when it does not match a security policy.
For more information, refer to Network
> GlobalProtect > Portals. To add a device to the quarantine
list (),
open the Host ID drop-down for the device and Block
Device (in the pop-up dialog). |
GlobalProtect | Displays GlobalProtect connection logs.
Use this information to identify your GlobalProtect users and their
client OS version, troubleshoot connection and performance issues, and
identify the portal and gateways to which users connect. To
add a device to the quarantine list (), open the Host
ID drop-down for the device and Block Device (in
the pop-up dialog). |
IP-Tag | Displays information about how and when a tag was applied to a particular IP address. Use this information to determine when and why a particular IP address was placed in an address group and what policy rules impact that address. The log includes Receive Time (the date and time when the first and last packet of the session arrived), Virtual System, Source IP-Address, Tag, Event, Timeout, Source Name, and Source Type. |
User-ID™ | Displays information about IP address-to-username mappings,
such as the source of the mapping information, when the User-ID
agent performed the mapping, and the remaining time before mappings
expire. You can use this information to help troubleshoot User-ID
issues. For example, if the firewall is applying the wrong policy
rule for a user, you can view the logs to verify whether that user
is mapped to the correct IP address and whether the group associations
are correct. |
Decryption | Displays information about decryption sessions
and undecrypted sessions for traffic that a No Decryption profile controls,
including GlobalProtect sessions. By default, the logs show
information about unsuccessful SSL Decryption handshakes. You can
enable logging for successful SSL Decryption handshakes in Decryption
Policy rules Options. Logs display a wealth
of information that enables you to identify weak protocols and cipher
suites (key exchange, encryption, and authentication algorithms),
bypassed decryption activity, decryption failures and their causes
(e.g., incomplete certificate chain, client authentication, pinned
certificates), session end reasons, and more. For example, use the information
to determine whether you want to allow sites that use weak protocols
and algorithms. It may be better to block weak sites that you don’t
need to access for business purposes. For traffic the firewall
doesn’t decrypt and to which you apply a No Decryption profile,
the log shows sessions blocked because of server certificate verification
issues. The default Decryption Log size is 32 MB. However,
if you decrypt a lot of traffic or if you enable logging successful SSL
Decryption handshakes, you will probably need to increase the log
size ( and edit the Log Storage quotas).
If you don’t have unallocated log space, consider tradeoffs between Decryption
Log size and other log sizes. The more you log, the more resources
the logs consume. |
GTP | Displays event-based logs that include information
on the wide range of GTP attributes. These include GTP event type,
GTP event message type, APN, IMSI, IMEI, End User IP address, in
addition to the TCP/IP information that the next-generation firewall
identifies such as application, source and destination address and
timestamp. |
Tunnel Inspection | Displays an entry for the start and end
of each inspected tunnel session. The log includes the Receive Time
(date and time the first and last packet in the session arrived),
Tunnel ID, Monitor Tag, Session ID, Security rule applied to the
tunnel traffic, and more. See Policies
> Tunnel Inspection for more information. |
SCTP | Displays SCTP events and associations based on
logs generated by the firewall while it performs stateful inspection,
protocol validation, and filtering of SCTP traffic. SCTP logs include
information on the wide range of SCTP and its payload protocol attributes,
such as SCTP event type, chunk type, SCTP cause code, Diameter Application
ID, Diameter Command Code, and chunks. This SCTP information is
provided in addition to the general information that the firewall
identifies, such as source and destination address, source and destination
port, rule, and timestamp. See Objects
> Security Profiles > SCTP Protection for more information. |
Configuration | Displays an entry for each configuration
change. Each entry includes the date and time, the administrator
username, the IP address from where the change was made, the type
of client (web interface or CLI), the type of command executed, whether
the command succeeded or failed, the configuration path, and the
values before and after the change. |
System | Displays an entry for each system event.
Each entry includes the date and time, the event severity, and an
event description. |
Alarms | The alarms log records detailed information
on alarms that are generated by the system. The information in this
log is also reported in Alarms. Refer to Define
Alarm Settings. |
Authentication | Displays information about authentication
events that occur when end users try to access network resources
for which access is controlled by Authentication policy rules. You can
use this information to help troubleshoot access issues and to adjust
your Authentication policy as needed. In conjunction with correlation
objects, you can also use Authentication logs to identify suspicious
activity on your network, such as brute force attacks. Optionally,
you can configure Authentication rules to Log
Authentication Timeouts. These timeouts relate to the period
of time when a user need authenticate for a resource only once but
can access it repeatedly. Seeing information about the timeouts
helps you decide if and how to adjust them. System logs
record authentication events relating to GlobalProtect and to administrator
access to the web interface. |
Unified | Displays the latest Traffic, Threat, URL
Filtering, WildFire Submissions, and Data Filtering log entries
in a single view. The collective log view enables you to investigate
and filter these different types of logs together (instead of searching each
log set separately). Or, you can choose which log types to display:
click the arrow to the left of the filter field and select traffic, threat, url, data,
and/or wildfire to display only the selected log
types. On a firewall with an active AutoFocus license, hover next
to an IP address, filename, URL, user agent, threat name, or hash
contained in a log entry and click the drop-down (
The firewall
displays all logs so that role-based administration permissions
are respected. When viewing Unified logs, only the logs that you
have permission to see are displayed. For example, an administrator
who does not have permission to view WildFire Submissions logs will
not see WildFire Submissions log entries when viewing Unified logs. For
information on administrator permissions, refer to Device
> Admin Roles. You can use the Unified
log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to
add AutoFocus search filters directly to the Unified log filter
field. To add a device to the quarantine list (),
open the Host ID drop-down for the device and Block
Device (in the pop-up dialog). |
