Details for Network Firewall Logs
Logging details for Network Firewall logs. Two types of customer logs are available: threat and traffic Logs.
Resources
- NGFW
Log Categories
| API value (ID): | Console (Display Name) | Description |
|---|---|---|
| threat-log | Threat Log | Provides details on received firewall threats. |
| traffic-log | Traffic Log | Provides details on traffic passing through the firewall. |
Availability
Network Firewall logging is available in all the regions of the commercial realms.
Comments
Both Threat Logs and Traffic Logs are available. Logs are emitted to customers based on a five minute interval from the dataplane. The dataplane also registers logs as they're received.
Contents of a Network Firewall Threat Log
| Property | Description |
|---|---|
| datetime | Timestamp when the log was received. |
| action |
Action taken for the session. Values are, allow, deny, drop.
|
| device_name | The hostname of the firewall on which the session was logged. |
| direction |
Indicates the direction of the attack, whether client-to-server or server-to-client:
|
| dst | Original session destination IP address. |
| dstloc | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
| dstuser | User name of the user to which the session was destined. |
| firewall-id | OCID of the firewall. |
| proto | IP protocol associated with the session. |
| receive_time | Time the log was received at the management plane. |
| rule | Name of the rule that the session matched. |
| sessionid | An internal numerical identifier applied to each session. |
| severity | Severity associated with the threat. Values are informational, low, medium, high, and critical. |
| src | Original session source IP address. |
| srcloc | Source country or internal region for private addresses. Maximum length is 32 bytes. |
| srcuser | User name of the user who started the session. |
| subtype |
Subtype of threat log. Values include the following:
|
| thr_category | Describes threat categories used to classify different types of threat signatures. |
| threatid |
Palo Alto Networks identifier for the threat. A description string followed by a 64-bit numerical identifier in parentheses for some subtypes:
|
| id | UUID of the log message. |
| compartmentid | OCID of the compartment. |
| ingestedtime | Timestamp when log was received by the Logging service. |
| loggroupid | OCID of the log group. |
| logid | OCID of the log object. |
| tenantid | OCID of the tenant. |
| source | OCID of the firewall. |
| specversion | The version of the CloudEvents specification which the event uses. Enables the interpretation of the context. |
| time | Timestamp when log was written. |
| type | Type of the logs. |
| regionId | OCID of the firewall region. |
Contents of a Network Firewall Traffic Log
| Property | Description |
|---|---|
| datetime | Timestamp when log was received. |
| action |
Action taken for the session. Possible values are:
|
| bytes | Number of total bytes (transmit and receive) for the session. |
| bytes_received | Number of bytes in the server-to-client direction of the session. |
| bytes_sent | Number of bytes in the client-to-server direction of the session. |
| chunks | Sum of SCTP chunks sent and received for an association. |
| chunks_received | Number of SCTP chunks sent for an association. |
| chunks_sent | Number of SCTP chunks received for an association. |
| config_ver | Configuration version. |
| device_name | The hostname of the firewall on which the session was logged. |
| dport | Destination port used by the session. |
| dst | Original session destination IP address. |
| dstloc | Destination country or internal region for private addresses. Maximum length is 32 bytes. |
| firewall-id | OCID of the firewall. |
| packets | Number of total packets (transmit and receive) for the session. |
| pkts_received | Number of server-to-client packets for the session. |
| pkts_sent | Number of client-to-server packets for the session. |
| proto | IP protocol associated with the session. |
| receive_time | Time the log was received at the management plane. |
| rule | Name of the rule that the session matched. |
| rule_uuid | The UUID that permanently identifies the rule. |
| serial | Serial number of the firewall that generated the log. |
| sessionid | An internal numerical identifier applied to each session. |
| sport | Source port used by the session. |
| src | Original session source IP address. |
| srcloc | Source country or internal region for private addresses. Maximum length is 32 bytes. |
| time_received | Time the log was received at the management plane. |
| id | UUID of the log message. |
| compartmentid | OCID of the compartment. |
| ingestedtime | Timestamp when log was received by the Logging service. |
| loggroupid | OCID of the log group. |
| logid | OCID of the log object. |
| tenantid | OCID of the tenant. |
| source | OCID of the firewall. |
| specversion | The version of the CloudEvents specification which the event uses. Enables the interpretation of the context. |
| time | Timestamp when the log was written. |
| type | Type of the logs. |
| regionId | OCID of the firewall region. |
Example Network Firewall Threat Log
{
"datetime": 1684255949000,
"logContent": {
"data": {
"action": "reset-both",
"device_name": "<device_name>",
"direction": "server-to-client",
"dst": "192.0.1.168",
"dstloc": "192.0.0.10-192.0.0.11",
"dstuser": "no-value",
"firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
"proto": "tcp",
"receive_time": "2023/05/16 16:52:29",
"rule": "<rule_name>",
"sessionid": "11804",
"severity": "medium",
"src": "192.0.2.168",
"srcloc": "192.0.0.1-192.0.0.2",
"srcuser": "no-value",
"subtype": "vulnerability",
"thr_category": "code-execution",
"threatid": "Eicar File Detected"
},
"id": "<unique_ID>",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..<unique_ID>",
"ingestedtime": "2023-05-16T16:56:27.373Z",
"loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
"logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
"tenantid": "ocid1.tenancy.oc1..<unique_ID>"
},
"source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
"specversion": "1.0",
"time": "2023-05-16T16:52:29.000Z",
"type": "com.oraclecloud.networkfirewall.threat"
},
"regionId": "me-jeddah-1"
}Example Network Firewall Traffic Log
{
"datetime": 1684257454000,
"logContent": {
"data": {
"action": "allow",
"bytes": "6264",
"bytes_received": "4411",
"bytes_sent": "1853",
"chunks": "0",
"chunks_received": "0",
"chunks_sent": "0",
"config_ver": "2561",
"device_name": "<device_name>",
"dport": "<port_number>",
"dst": "192.0.1.168",
"dstloc": "192.0.0.1-192.0.0.2",
"firewall-id": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
"packets": "28",
"pkts_received": "12",
"pkts_sent": "16",
"proto": "tcp",
"receive_time": "2023/05/16 17:17:34",
"rule": "<rule_name>",
"rule_uuid": "<rule_unique_ID>",
"serial": "<serial_number>",
"sessionid": "<session_ID>",
"sport": "<port_number>",
"src": "192.0.2.168",
"srcloc": "192.0.0.10-192.0.0.11",
"time_received": "2023/05/16 17:17:34"
},
"id": "<unique_ID>",
"oracle": {
"compartmentid": "ocid1.compartment.oc1..<unique_ID>",
"ingestedtime": "2023-05-16T17:17:58.493Z",
"loggroupid": "ocid1.loggroup.oc1.me-jeddah-1.<unique_ID>",
"logid": "ocid1.log.oc1.me-jeddah-1.<unique_ID>",
"tenantid": "ocid1.tenancy.oc1..<unique_ID>"
},
"source": "ocid1.networkfirewall.oc1.me-jeddah-1.<unique_ID>",
"specversion": "1.0",
"time": "2023-05-16T17:17:34.000Z",
"type": "com.oraclecloud.networkfirewall.traffic"
},
"regionId": "me-jeddah-1"
}