Threat Logs
Threat logs display entries when traffic matches one
of the Security
Profiles attached to a security rule on the firewall. Each
entry includes the following information: date and time; type of
threat (such as virus or spyware); threat description or URL (Name
column); source and destination zones, addresses, and ports; application
name; alarm action (such as allow or block); and severity level.
To see more details on individual Threat log entries:
- Click
beside a threat entry to view
details such as whether the entry aggregates multiple threats of
the same type between the same source and destination (in which
case the Count column value is greater than one). - If you configured the firewall to Take Packet Captures, click
beside an entry to access the
captured packets.
The following table summarizes the Threat severity levels:
Severity | Description |
|---|---|
Critical | Serious threats, such as those that affect
default installations of widely deployed software, result in root
compromise of servers, and the exploit code is widely available
to attackers. The attacker usually does not need any special authentication
credentials or knowledge about the individual victims and the target
does not need to be manipulated into performing any special functions. |
High | Threats that have the ability to become
critical but have mitigating factors; for example, they may be difficult
to exploit, do not result in elevated privileges, or do not have
a large victim pool. WildFire Submissions log entries with a malicious
verdict and an action set to allow are logged as High. |
Medium | Minor threats in which impact is minimized,
such as DoS attacks that do not compromise the target or exploits
that require an attacker to reside on the same LAN as the victim,
affect only non-standard configurations or obscure applications,
or provide very limited access. WildFire Submissions log entries with
a grayware verdict are logged as Medium. |
Low | Warning-level threats that have very little
impact on an organization's infrastructure. They usually require
local or physical system access and may often result in victim privacy
or DoS issues and information leakage. Data Filtering profile matches
are logged as Low. WildFire Submissions log entries with a grayware
verdict and an action set to allow are logged as Low. |
Informational | Suspicious events that do not pose an immediate
threat, but that are reported to call attention to deeper problems
that could possibly exist. URL Filtering log entries are logged
as Informational. WildFire Submissions log entries with a benign
verdict and an action set to allow are logged as Informational. Additionally,
log entries with any verdict and an action set to block are also logged
as Informational. |