Log Types
The firewall displays all logs so that role-based administration permissions are respected. Only the information that you are permitted to see is visible, which varies depending on the types of logs you are viewing. For information on administrator permissions, see Device > Admin Roles.
The available log types are listed below, each followed by its description.
Traffic
Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason.
The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A “drop” indicates that the security rule that blocked the traffic specified “any” application, while a “deny” indicates the rule identified a specific application.
If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as “not-applicable”.
Drill down in traffic logs for more details on individual entries, artifacts, and actions:
  • Click Details to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (the Count value will be greater than one).
  • On a firewall with an active AutoFocus™ license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
  • To add a device to the quarantine list (Device > Device Quarantine), open the Host ID drop-down for the device and click Block Device in the pop-up dialog.
Threat
Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, security rule name applied to the flow, and the alarm action (allow or block) and severity.
The Type column indicates the type of threat, such as “virus” or “spyware;” the Name column is the threat description or URL; and the Category column is the threat category (such as “keylogger”) or URL category.
Drill down in threat logs for more details on individual entries, artifacts, and actions:
  • Click Details to view additional details about the threat, such as whether the entry aggregates multiple threats of the same type between the same source and destination (the Count value will be greater than one).
  • On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
  • If local packet captures are enabled, click Download to access captured packets. To enable local packet captures, refer to the subsections under Objects > Security Profiles.
  • To view more details about a threat or to quickly configure threat exemptions directly from the threat logs, click the threat name in the Name column. The Exempt Profiles list shows all custom Antivirus, Anti-Spyware, and Vulnerability Protection profiles. To configure an exemption for a threat signature, select the check box to the left of the security profile name and save your change. To add exemptions for IP addresses (up to 100 IP addresses per signature), highlight the security profile, add the IP address(es) in the Exempt IP Addresses section, and click OK to save. To view or modify the exemption, go to the associated security profile and click the Exceptions tab. For example, if the threat type is vulnerability, select Objects > Security Profiles > Vulnerability Protection, click the associated profile, and then click the Exceptions tab.
  • To add a device to the quarantine list (Device > Device Quarantine), open the Host ID drop-down for the device and click Block Device in the pop-up dialog.
URL Filtering
Displays logs for URL filters, which control access to websites and whether users can submit credentials to websites.
Select Objects > Security Profiles > URL Filtering to define URL filtering settings, including which URL categories to block or allow and to which you want to grant or disable credential submissions. You can also enable logging of the HTTP header options for the URL.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
WildFire Submissions
Displays logs for files and email links that the firewall forwarded for WildFire™ analysis. The WildFire cloud analyzes the sample and returns analysis results, which include the WildFire verdict assigned to the sample (benign, malware, grayware, or phishing). You can confirm if the firewall allowed or blocked a file based on Security policy rules by viewing the Action column.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for the artifact.
Data Filtering
Displays logs for the security policies with attached Data Filtering profiles, to help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, that prevent certain file types from being uploaded or downloaded.
To configure password protection for access to the details of a log entry, click the icon, enter the password, and click OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password.
The system prompts you to enter the password only once per session.
HIP Match
Displays all HIP matches that the GlobalProtect™ gateway identifies when comparing the raw HIP data reported by the agent to the defined HIP objects and HIP profiles. Unlike other logs, a HIP match is logged even when it does not match a security policy. For more information, refer to Network > GlobalProtect > Portals.
To add a device to the quarantine list (Device > Device Quarantine), open the Host ID drop-down for the device and click Block Device in the pop-up dialog.
GlobalProtect
Displays GlobalProtect connection logs. Use this information to identify your GlobalProtect users and their client OS version, troubleshoot connection and performance issues, and identify the portal and gateways to which users connect.
To add a device to the quarantine list (Device > Device Quarantine), open the Host ID drop-down for the device and click Block Device in the pop-up dialog.
IP-Tag
Displays information about how and when a tag was applied to a particular IP address. Use this information to determine when and why a particular IP address was placed in an address group and what policy rules impact that address. The log includes Receive Time (the date and time when the first and last packet of the session arrived), Virtual System, Source IP-Address, Tag, Event, Timeout, Source Name, and Source Type.
User-ID™
Displays information about IP address-to-username mappings, such as the source of the mapping information, when the User-ID agent performed the mapping, and the remaining time before mappings expire. You can use this information to help troubleshoot User-ID issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.
Decryption
Displays information about decryption sessions and undecrypted sessions for traffic that a No Decryption profile controls, including GlobalProtect sessions.
By default, the logs show information about unsuccessful SSL Decryption handshakes. You can enable logging for successful SSL Decryption handshakes in Decryption Policy rules Options. Logs display a wealth of information that enables you to identify weak protocols and cipher suites (key exchange, encryption, and authentication algorithms), bypassed decryption activity, decryption failures and their causes (e.g., incomplete certificate chain, client authentication, pinned certificates), session end reasons, and more. For example, use the information to determine whether you want to allow sites that use weak protocols and algorithms. It may be better to block weak sites that you don’t need to access for business purposes.
For traffic the firewall doesn’t decrypt and to which you apply a No Decryption profile, the log shows sessions blocked because of server certificate verification issues.
The default Decryption Log size is 32 MB. However, if you decrypt a lot of traffic or if you enable logging of successful SSL Decryption handshakes, you will probably need to increase the log size (Device > Setup > Management > Logging and Reporting Settings, then edit the Log Storage quotas). If you don’t have unallocated log space, consider the tradeoffs between the Decryption Log size and other log sizes. The more you log, the more resources the logs consume.
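The Decryption log description above explains that the log exposes the negotiated protocol version, the key exchange, encryption and authentication algorithms, and the cause of each decryption failure (incomplete certificate chain, pinned certificates, and so on), so that an administrator can decide which weak sites to block. The following Python script is an added example, not firewall code or an export format from the documentation: it triages a handful of constructed decryption records into sites that negotiated weak cryptography and a tally of failure causes. The record field names (tls_version, key_exchange, cipher, auth_algorithm, error, action, sni) and the lists of what counts as weak are assumptions for the example.

```python
"""Triage constructed PAN-OS-style Decryption log records for weak protocols
and cipher suites, and summarize decryption failure causes.

Added example, not firewall code. The field names and the weak-algorithm
lists below are assumptions, not the firewall's log schema.
"""
from collections import Counter

# Assumption: protocol versions and algorithms treated as weak for this example.
WEAK_PROTOCOLS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_KEY_EXCHANGE = {"RSA", "DHE-1024"}     # no forward secrecy / small DH group
WEAK_CIPHERS = {"RC4", "3DES", "DES", "NULL"}
WEAK_AUTH = {"MD5", "SHA1"}

# Constructed sample records (not real log output).
SAMPLE_LOGS = [
    {"src": "10.1.1.5", "dst": "203.0.113.10", "sni": "legacy.example", "tls_version": "TLS1.0",
     "key_exchange": "RSA", "cipher": "3DES", "auth_algorithm": "SHA1", "error": "", "action": "allow"},
    {"src": "10.1.1.6", "dst": "203.0.113.20", "sni": "bank.example", "tls_version": "TLS1.3",
     "key_exchange": "ECDHE", "cipher": "AES-256-GCM", "auth_algorithm": "SHA384", "error": "", "action": "allow"},
    {"src": "10.1.1.7", "dst": "203.0.113.30", "sni": "pinned.example", "tls_version": "TLS1.2",
     "key_exchange": "ECDHE", "cipher": "AES-128-GCM", "auth_algorithm": "SHA256",
     "error": "pinned certificate", "action": "allow"},
    {"src": "10.1.1.8", "dst": "203.0.113.40", "sni": "broken.example", "tls_version": "TLS1.2",
     "key_exchange": "ECDHE", "cipher": "AES-128-GCM", "auth_algorithm": "SHA256",
     "error": "incomplete certificate chain", "action": "block"},
    {"src": "10.1.1.9", "dst": "203.0.113.50", "sni": "old.example", "tls_version": "SSLv3",
     "key_exchange": "RSA", "cipher": "RC4", "auth_algorithm": "MD5", "error": "", "action": "allow"},
]


def weaknesses(record):
    """Return the list of weak attributes found in one decryption record."""
    found = []
    if record["tls_version"] in WEAK_PROTOCOLS:
        found.append("protocol:" + record["tls_version"])
    if record["key_exchange"] in WEAK_KEY_EXCHANGE:
        found.append("kex:" + record["key_exchange"])
    if record["cipher"] in WEAK_CIPHERS:
        found.append("cipher:" + record["cipher"])
    if record["auth_algorithm"] in WEAK_AUTH:
        found.append("auth:" + record["auth_algorithm"])
    return found


def triage(records):
    """Group weak-crypto findings by server name and count decryption failure causes.

    Returns (weak_sites, failure_causes) where weak_sites maps SNI -> set of
    weakness tags and failure_causes is a Counter of the error field.
    """
    weak_sites = {}
    failure_causes = Counter()
    for rec in records:
        tags = weaknesses(rec)
        if tags:
            weak_sites.setdefault(rec["sni"], set()).update(tags)
        if rec["error"]:
            failure_causes[rec["error"]] += 1
    return weak_sites, failure_causes


if __name__ == "__main__":
    sites, causes = triage(SAMPLE_LOGS)
    for sni, issues in sorted(sites.items()):
        print(f"weak crypto at {sni}: {', '.join(sorted(issues))}")
    for cause, count in causes.most_common():
        print(f"decryption failures due to '{cause}': {count}")
```

The output lists the sites that still negotiate legacy protocols or algorithms (candidates for a block decision) separately from sessions that failed for certificate reasons, which usually call for a different fix such as repairing the server's chain or adding a decryption exclusion for a pinned application.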
GTP
Displays event-based logs that include information on the wide range of GTP attributes. These include GTP event type, GTP event message type, APN, IMSI, IMEI, End User IP address, in addition to the TCP/IP information that the next-generation firewall identifies such as application, source and destination address and timestamp.
Tunnel Inspection
Displays an entry for the start and end of each inspected tunnel session. The log includes the Receive Time (date and time the first and last packet in the session arrived), Tunnel ID, Monitor Tag, Session ID, Security rule applied to the tunnel traffic, and more. See Policies > Tunnel Inspection for more information.
SCTP
Displays SCTP events and associations based on logs generated by the firewall while it performs stateful inspection, protocol validation, and filtering of SCTP traffic. SCTP logs include information on the wide range of SCTP and its payload protocol attributes, such as SCTP event type, chunk type, SCTP cause code, Diameter Application ID, Diameter Command Code, and chunks. This SCTP information is provided in addition to the general information that the firewall identifies, such as source and destination address, source and destination port, rule, and timestamp. See Objects > Security Profiles > SCTP Protection for more information.
Configuration
Displays an entry for each configuration change. Each entry includes the date and time, the administrator username, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change.
System
Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description.
Alarms
The alarms log records detailed information on alarms that are generated by the system. The information in this log is also reported in Alarms. Refer to Define Alarm Settings.
Authentication
Displays information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to Log Authentication Timeouts. These timeouts relate to the period of time during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them.
System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.
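The Authentication log description above notes that, together with correlation objects, these logs can reveal suspicious activity such as brute force attacks. The following Python script is an added example of that kind of correlation, written here rather than taken from the firewall or its documentation: it walks constructed authentication records in time order, keeps a sliding window of failures per source IP, raises an alert when a source exceeds a failure threshold within the window, and separately reports any success from a source that had already triggered an alert. The record layout (timestamp, user, source IP, result) and the default threshold and window are assumptions for the example.

```python
"""Flag possible brute-force activity in constructed authentication log records.

Added example, not firewall code. The record layout, threshold and window
are assumptions; tune them to the environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user, source IP, result).
SAMPLE_AUTH_LOGS = [
    ("2024-05-01 09:00:01", "alice", "10.0.0.5", "fail"),
    ("2024-05-01 09:00:03", "bob",   "10.0.0.5", "fail"),
    ("2024-05-01 09:00:05", "carol", "10.0.0.5", "fail"),
    ("2024-05-01 09:00:07", "dave",  "10.0.0.5", "fail"),
    ("2024-05-01 09:00:09", "erin",  "10.0.0.5", "fail"),
    ("2024-05-01 09:00:11", "frank", "10.0.0.5", "success"),
    ("2024-05-01 09:05:00", "alice", "10.0.0.9", "fail"),
    ("2024-05-01 09:20:00", "alice", "10.0.0.9", "fail"),
    ("2024-05-01 09:35:00", "alice", "10.0.0.9", "success"),
]


def parse(rows):
    """Convert the timestamp string of each record to a datetime."""
    return [(datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), user, ip, result)
            for t, user, ip, result in rows]


def detect_bruteforce(rows, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window failure counter per source IP.

    Returns (alerts, post_alert_successes):
      alerts maps source IP -> (time of the first failure in the triggering
        window, number of distinct usernames tried from that source);
      post_alert_successes lists (time, user, ip) for successful logins from a
        source that had already triggered an alert, which deserve a closer look.
    """
    recent_failures = defaultdict(deque)   # ip -> timestamps inside the window
    users_tried = defaultdict(set)
    alerts = {}
    post_alert_successes = []
    for ts, user, ip, result in sorted(parse(rows)):
        window_q = recent_failures[ip]
        while window_q and ts - window_q[0] > window:   # expire old failures
            window_q.popleft()
        if result == "fail":
            window_q.append(ts)
            users_tried[ip].add(user)
            if len(window_q) >= threshold and ip not in alerts:
                alerts[ip] = (window_q[0], len(users_tried[ip]))
        elif ip in alerts:
            post_alert_successes.append((ts, user, ip))
    return alerts, post_alert_successes


if __name__ == "__main__":
    found, followups = detect_bruteforce(SAMPLE_AUTH_LOGS)
    for ip, (first, n_users) in found.items():
        print(f"possible brute force from {ip}: burst starting {first}, {n_users} usernames tried")
    for ts, user, ip in followups:
        print(f"success for {user} from flagged source {ip} at {ts}")
```

With the sample data, 10.0.0.5 produces five failures against five different usernames within ten seconds and then a success, so both an alert and a follow-up entry are reported; 10.0.0.9 spreads its failures fifteen minutes apart and never reaches the threshold.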
Unified
Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Or, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types.
On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down to open the AutoFocus Intelligence Summary for that artifact.
The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles.
You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field.
To add a device to the quarantine list (Device > Device Quarantine), open the Host ID drop-down for the device and click Block Device in the pop-up dialog.