End-of-Life (EoL)
Log Types
Monitor > Logs
The firewall displays all logs so that role-based administration
permissions are respected. Only the information that you are permitted
to see is visible, which varies depending on the types of logs you
are viewing. For information on administrator permissions, see Device
> Admin Roles.
Log Type | Description |
---|---|
Traffic | Displays an entry for the start and end of each session. Each entry includes the date and time, source and destination zones, addresses and ports, application name, security rule name applied to the flow, rule action (allow, deny, or drop), ingress and egress interface, number of bytes, and session end reason. The Type column indicates whether the entry is for the start or end of the session, or whether the session was denied or dropped. A “drop” indicates that the security rule that blocked the traffic specified “any” application, while a “deny” indicates the rule identified a specific application. If traffic is dropped before the application is identified, such as when a rule drops all traffic for a specific service, the application is shown as “not-applicable”. Drill down in traffic logs for more details on individual entries and artifacts: |
Threat | Displays an entry for each security alarm generated by the firewall. Each entry includes the date and time, a threat name or URL, the source and destination zones, addresses, and ports, the application name, security rule name applied to the flow, and the alarm action (allow or block) and severity. The Type column indicates the type of threat, such as “virus” or “spyware”; the Name column is the threat description or URL; and the Category column is the threat category (such as “keylogger”) or URL category. Drill down in threat logs for more details on individual entries and artifacts: |
URL Filtering | Displays logs for URL filters, which control access to websites and whether users can submit credentials to websites. Select Objects > Security Profiles > URL Filtering to define URL filtering settings, including which URL categories to block or allow and for which you want to grant or disable credential submissions. You can also enable logging of the HTTP header options for the URL. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down ( ![]() ). |
WildFire Submissions | Displays logs for files and email links that the firewall forwarded for WildFire™ analysis. The WildFire cloud analyzes the sample and returns analysis results, which include the WildFire verdict assigned to the sample (benign, malware, grayware, or phishing). You can confirm whether the firewall allowed or blocked a file based on Security policy rules by viewing the Action column. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash (in the File Digest column) contained in a log entry and click the drop-down ( ![]() ). |
Data Filtering | Displays logs for the security policies with attached Data Filtering profiles, which help prevent sensitive information such as credit card or social security numbers from leaving the area protected by the firewall, and File Blocking profiles, which prevent certain file types from being uploaded or downloaded. To configure password protection for access to the details of a log entry, click ![]() OK. Refer to Device > Response Pages for instructions on changing or deleting the data protection password. The system prompts you to enter the password only once per session. |
HIP Match | Displays all HIP matches that the GlobalProtect™ gateway identifies when comparing the raw HIP data reported by the agent to the defined HIP objects and HIP profiles. Unlike other logs, a HIP match is logged even when it does not match a security policy. For more information, refer to Network > GlobalProtect > Portals. |
IP-Tag | Displays information about how and when a tag was applied to a particular IP address. Use this information to determine when and why a particular IP address was placed in an address group and what policy rules affect that address. The log includes Receive Time (the date and time when the first and last packet of the session arrived), Virtual System, Source IP-Address, Tag, Event, Timeout, Source Name, and Source Type. |
User-ID™ | Displays information about IP address-to-username mappings, such as the source of the mapping information, when the User-ID agent performed the mapping, and the remaining time before mappings expire. You can use this information to help troubleshoot User-ID issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct. |
GTP | Displays event-based logs that include information on a wide range of GTP attributes. These include GTP event type, GTP event message type, APN, IMSI, IMEI, and End User IP address, in addition to the TCP/IP information that the next-generation firewall identifies, such as application, source and destination address, and timestamp. |
Tunnel Inspection | Displays an entry for the start and end of each inspected tunnel session. The log includes the Receive Time (date and time the first and last packet in the session arrived), Tunnel ID, Monitor Tag, Session ID, Security rule applied to the tunnel traffic, and more. See Policies > Tunnel Inspection for more information. |
SCTP | Displays SCTP events and associations based on logs generated by the firewall while it performs stateful inspection, protocol validation, and filtering of SCTP traffic. SCTP logs include information on a wide range of SCTP and payload-protocol attributes, such as SCTP event type, chunk type, SCTP cause code, Diameter Application ID, Diameter Command Code, and chunks. This SCTP information is provided in addition to the general information that the firewall identifies, such as source and destination address, source and destination port, rule, and timestamp. See Objects > Security Profiles > SCTP Protection for more information. |
Configuration | Displays an entry for each configuration change. Each entry includes the date and time, the administrator user name, the IP address from where the change was made, the type of client (web interface or CLI), the type of command executed, whether the command succeeded or failed, the configuration path, and the values before and after the change. |
System | Displays an entry for each system event. Each entry includes the date and time, the event severity, and an event description. |
Alarms | Records detailed information on alarms that are generated by the system. The information in this log is also reported in Alarms. Refer to Define Alarm Settings. |
Authentication | Displays information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks. Optionally, you can configure Authentication rules to Log Authentication Timeouts. These timeouts relate to the period of time during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them. System logs record authentication events relating to GlobalProtect and to administrator access to the web interface. |
Unified | Displays the latest Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering log entries in a single view. The collective log view enables you to investigate and filter these different types of logs together (instead of searching each log set separately). Or, you can choose which log types to display: click the arrow to the left of the filter field and select traffic, threat, url, data, and/or wildfire to display only the selected log types. On a firewall with an active AutoFocus license, hover next to an IP address, filename, URL, user agent, threat name, or hash contained in a log entry and click the drop-down ( ![]() ). The firewall displays all logs so that role-based administration permissions are respected. When viewing Unified logs, only the logs that you have permission to see are displayed. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. For information on administrator permissions, refer to Device > Admin Roles. You can use the Unified log set with the AutoFocus threat intelligence portal. Set up an AutoFocus search to add AutoFocus search filters directly to the Unified log filter field. |
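The Traffic row above distinguishes start, end, deny and drop entries, and notes that a flow dropped before App-ID ran shows the application as “not-applicable”. The following script, an added example that is not part of the PAN-OS documentation, applies those Type semantics to a set of constructed Traffic log records; the dict keys, the rule names and the addresses are assumptions, not the firewall's export format.

```python
from collections import Counter, defaultdict

# Constructed sample Traffic log entries (not real firewall output); the keys
# mirror the fields listed in the Traffic log description above.
SAMPLE_TRAFFIC_LOGS = [
    {"time": "2024-05-01 10:00:01", "type": "start", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.1.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443,
     "app": "ssl", "rule": "allow-web", "action": "allow", "bytes": 0, "end_reason": "n/a"},
    {"time": "2024-05-01 10:00:09", "type": "end", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.1.5", "dst": "203.0.113.10", "sport": 51000, "dport": 443,
     "app": "ssl", "rule": "allow-web", "action": "allow", "bytes": 48213, "end_reason": "tcp-fin"},
    {"time": "2024-05-01 10:00:12", "type": "deny", "src_zone": "trust", "dst_zone": "untrust",
     "src": "10.1.1.7", "dst": "198.51.100.4", "sport": 51010, "dport": 443,
     "app": "bittorrent", "rule": "block-p2p", "action": "deny", "bytes": 1200, "end_reason": "policy-deny"},
    {"time": "2024-05-01 10:00:15", "type": "drop", "src_zone": "untrust", "dst_zone": "trust",
     "src": "192.0.2.22", "dst": "10.1.1.9", "sport": 40000, "dport": 23,
     "app": "not-applicable", "rule": "block-telnet", "action": "drop", "bytes": 0, "end_reason": "policy-deny"},
    {"time": "2024-05-01 10:00:16", "type": "drop", "src_zone": "untrust", "dst_zone": "trust",
     "src": "192.0.2.22", "dst": "10.1.1.9", "sport": 40001, "dport": 23,
     "app": "not-applicable", "rule": "block-telnet", "action": "drop", "bytes": 0, "end_reason": "policy-deny"},
]


def explain_block(entry):
    """Explain a deny/drop entry using the documented Type semantics; None for start/end."""
    if entry["type"] == "deny":
        # deny: the rule matched a specific, identified application
        return f"rule {entry['rule']} identified app {entry['app']}"
    if entry["type"] == "drop":
        if entry["app"] == "not-applicable":
            # drop with no app: blocked on service/port before App-ID identified the app
            return f"rule {entry['rule']} dropped port {entry['dport']} before App-ID identified the app"
        return f"rule {entry['rule']} matched any application"
    return None


def summarize(entries):
    """Count entries per rule and Type, sum bytes from 'end' entries, and list blocked flows."""
    per_rule = defaultdict(Counter)
    bytes_by_rule = Counter()
    blocked = []
    for e in entries:
        per_rule[e["rule"]][e["type"]] += 1
        if e["type"] == "end":  # only the end entry carries the session's byte count
            bytes_by_rule[e["rule"]] += e["bytes"]
        reason = explain_block(e)
        if reason:
            blocked.append((e["src"], e["dst"], e["dport"], reason))
    return {"per_rule": {r: dict(c) for r, c in per_rule.items()},
            "bytes_by_rule": dict(bytes_by_rule), "blocked": blocked}
```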