22.9  Filter Log

This log gathers information on web pages and objects blocked/allowed by the HTTP and FTP filters (see chapters 12.2  URL Rules and 12.6  FTP Policy) and on packets matching traffic rules with the Log matching packets option enabled (see chapter 7  Traffic Policy) or meeting other conditions (e.g. logging of UPnP traffic — see chapter 18.2  Universal Plug-and-Play (UPnP)).

Each log line includes the following information depending on the component which generated the log:

Example of a URL rule log message

[18/Apr/2008 13:39:45] ALLOW URL 'McAfee update' 192.168.64.142 james HTTP GET http://update.kerio.com/nai-antivirus/datfiles/4.x/dat-4258.zip

  • [18/Apr/2008 13:39:45] — date and time when the event was logged

  • ALLOW — action that was executed (ALLOW = access allowed, DENY = access denied)

  • URL — rule type (for URL or FTP)

  • 'McAfee update' — rule name

  • 192.168.64.142 — IP address of the client

  • jsmith — name of the user authenticated on the firewall (no name is listed unless at least one user is logged in from the particular host)

  • HTTP GET — HTTP method used in the request

  • http:// ... — requested URL

Packet log example

[16/Apr/2008 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7

  • [16/Apr/2008 10:51:00] — date and time when the event was logged

  • PERMIT — action that was executed with the packet (PERMIT, DENY or DROP)

  • Local traffic — the name of the traffic rule that was matched by the packet

  • packet to — packet direction (either to or from a particular interface)

  • LAN — interface name (see chapter 5  Network interfaces for details)

  • proto: — transport protocol (TCP, UDP, etc.)

  • len: — packet size in bytes (including the headers) in bytes

  • ip/port: — source IP address, source port, destination IP address and destination port

  • flags: — TCP flags

  • seq: — sequence number of the packet (TCP only)

  • ack: — acknowledgement sequence number (TCP only)

  • win: — size of the receive window in bytes (it is used for data flow control — TCP only)

  • tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)