Firewall Events
By default, the Vulnerability Protection/Deep Security Manager collects Firewall and Intrusion Prevention Event logs from the Vulnerability Protection/Deep Security Agents/Appliances at every heartbeat. The data from the logs is used to populate the various reports, graphs, and charts in the Vulnerability Protection/Deep Security Manager.
Once collected by the Vulnerability Protection/Deep Security Manager, Event logs are kept for a period of time which can be set in Administration > System Settings > Storage.
The default setting is one week.
Firewall Event icons (shown in the Events list):
- Single Event
- Single Event with data
- Folded Event
- Folded Event with data
Event folding occurs when multiple events of the same type occur in succession. This saves disk space and protects against DoS attacks that may attempt to overload the logging mechanism.
From the main page you can:
- View the properties of an individual event
- Filter the list: Use the Period and Computer toolbars to filter the list of events
- Export the event list data to a CSV file
- View existing Auto-Tagging Rules
- Add or remove Columns from the Events list view
- Search for a particular event
Additionally, right-clicking an Event gives you the option to:
- Add Tag(s): Add an Event Tag to this event (See Event Tagging.)
- Remove Tag(s): Remove existing event Tags
- Computer Details: View the Details window of the computer that generated the log entry
Columns for the Firewall Events display:
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: Log entries on this page are generated either by Firewall Rules or by Firewall Stateful Configuration settings. If an entry is generated by a Firewall Rule, the column entry will be prefaced by "Firewall Rule:" followed by the name of the Firewall Rule. Otherwise the column entry will display the Firewall Stateful Configuration setting that generated the log entry. (For a listing of possible packet rejection reasons, see "Packet Rejection Reasons" in the Reference section.)
- Tag(s): Event tags that are applied to this Event.
- Action: The action taken by the Firewall Rule or Firewall Stateful Configuration. Possible actions are: Allow, Deny, Force Allow, and Log Only.
- Rank: The Ranking system provides a way to quantify the importance of Intrusion Prevention and Firewall Events. By assigning "asset values" to computers, and assigning "severity values" to Intrusion Prevention Rules and Firewall Rules, the importance ("Rank") of an Event is calculated by multiplying the two values together. This allows you to sort Events by Rank when viewing Intrusion Prevention or Firewall Events.
- Direction: The direction of the affected packet (incoming or outgoing).
- Interface: The MAC address of the interface through which the packet was traveling.
- Frame Type: The frame type of the packet in question. Possible values are "IPV4", "IPV6", "ARP", "REVARP", and "Other: XXXX" where XXXX represents the four digit hex code of the frame type.
- Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", and "Other: nnn" where nnn represents a three digit decimal value.
- Flags: Flags set in the packet.
- Source IP: The packet's source IP.
- Source MAC: The packet's source MAC address.
- Source Port: The packet's source port.
- Destination IP: The packet's destination IP address.
- Destination MAC: The packet's destination MAC address.
- Destination Port: The packet's destination port.
- Packet Size: The size of the packet in bytes.
- Repeat Count: The number of times the event was sequentially repeated.
- Time (microseconds): Microsecond resolution for the time the event took place on the computer.
- Event Origin: The Vulnerability Protection/Deep Security component from which the event originated.
Log-only rules generate a log entry only if the packet in question is not subsequently stopped, either by a deny rule or by an allow rule that excludes it. If the packet is stopped by one of those two kinds of rule, that rule generates the log entry, not the log-only rule. If no subsequent rule stops the packet, the log-only rule generates the entry.
View Event Properties
Double-clicking an event displays the Properties window for that entry, which shows all the information about the event on one page. The Tags tab displays tags that have been attached to this Event. For more information on Event tagging, see Policies > Common Objects > Other > Tags, and Event Tagging in the Reference section.
Filter the List and/or Search for an Event
Selecting "Open Advanced Search" from the "Search" drop-down menu toggles the display of the advanced search options.
The Period toolbar lets you filter the list to display only those events that occurred within a specific timeframe.
The Computers toolbar lets you organize the display of event log entries by computer groups or computer Policies.
Advanced Search functions (searches are not case sensitive):
- Contains: The entry in the selected column contains the search string
- Does Not Contain: The entry in the selected column does not contain the search string
- Equals: The entry in the selected column exactly matches the search string
- Does Not Equal: The entry in the selected column does not exactly match the search string
- In: The entry in the selected column exactly matches one of the comma-separated search string entries
- Not In: The entry in the selected column does not exactly match any of the comma-separated search string entries
Pressing the "plus" button (+) to the right of the search bar will display an additional search bar so you can apply multiple parameters to your search. When you are ready, press the submit button (at the right of the toolbars with the right-arrow on it).
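The following added example (not part of the product or this page) reproduces the six advanced-search operators offline, against an exported Firewall Events CSV, so that stacked clauses and Rank ordering can be checked outside the console; the column names follow the list above, while the rows and the reason strings are constructed sample data.

```python
import csv
import io

# Constructed sample of a Firewall Events CSV export (columns as listed on the
# page; rows, hosts and addresses are made up for this example).
SAMPLE_CSV = """Time,Computer,Reason,Action,Rank,Direction,Protocol,Source IP,Destination Port,Repeat Count
2024-01-01 10:00:00,web-01,Firewall Rule: Block SSH,Deny,250,Incoming,TCP,203.0.113.5,22,14
2024-01-01 10:00:02,web-01,Unsolicited UDP,Deny,50,Incoming,UDP,198.51.100.9,161,1
2024-01-01 10:00:05,db-02,Firewall Rule: Allow HTTPS,Allow,0,Incoming,TCP,192.0.2.77,443,1
2024-01-01 10:00:07,db-02,Firewall Rule: Audit DNS,Log Only,20,Outgoing,UDP,10.0.0.12,53,3
"""

def _split_list(arg):
    # "In" / "Not In" take a comma-separated list; surrounding spaces are ignored.
    return {item.strip() for item in arg.split(",")}

# One predicate per advanced-search operator; both sides are already lowercased.
OPERATORS = {
    "contains": lambda value, arg: arg in value,
    "does not contain": lambda value, arg: arg not in value,
    "equals": lambda value, arg: value == arg,
    "does not equal": lambda value, arg: value != arg,
    "in": lambda value, arg: value in _split_list(arg),
    "not in": lambda value, arg: value not in _split_list(arg),
}

def load_events(text):
    """Parse the CSV export into a list of column-name -> value dicts."""
    return list(csv.DictReader(io.StringIO(text)))

def matches(event, column, operator, arg):
    """Apply one search clause; searches are not case sensitive."""
    value = event.get(column, "").lower()
    return OPERATORS[operator](value, arg.lower())

def search(events, clauses):
    """Every clause must hold, as when extra search bars are added with the plus button."""
    return [e for e in events if all(matches(e, col, op, arg) for col, op, arg in clauses)]

def top_by_rank(events):
    """Order events by Rank (asset value x severity), highest first."""
    return sorted(events, key=lambda e: int(e["Rank"]), reverse=True)

if __name__ == "__main__":
    evts = load_events(SAMPLE_CSV)
    for e in search(evts, [("Reason", "contains", "firewall rule:"), ("Protocol", "in", "UDP, ICMP")]):
        print(e["Computer"], e["Reason"], e["Action"])
```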
Export
Clicking the Export... button exports all or selected events to a CSV file.
Auto-Tagging
Clicking Auto-Tagging... displays a list of existing Firewall Auto-Tagging Rules.