This log gathers information on web pages and objects blocked/allowed by the HTTP and FTP filters (see chapters 12.2 URL Rules and 12.5 FTP Policy) and on packets matching traffic rules with the Log matching packets option enabled (see chapter 7 Traffic Policy) or meeting other conditions (e.g. logging of UPnP traffic — see chapter 18.2 Universal Plug-and-Play (UPnP)).
Each log line includes the following information depending on the component which generated the log:
when an HTTP or FTP rule is applied: rule name, user, IP address of the host which sent the request, object's URL
when a traffic rule is applied: detailed information about the packet that matches the rule (rule name, source and destination address, ports, size, etc.)
[18/Apr/2008 13:39:45] ALLOW URL 'McAfee update' 192.168.64.142 james HTTP GET http://update.kerio.com/nai-antivirus/datfiles/4.x/dat-4258.zip
[18/Apr/2008 13:39:45] — date and time when the event was logged
ALLOW — action that was executed (ALLOW = access allowed, DENY = access denied)
URL — rule type (URL or FTP)
'McAfee update' — rule name
192.168.64.142 — IP address of the client
jsmith — name of the user authenticated on the firewall (no name is listed unless at least one user is logged in from the particular host)
HTTP GET — HTTP method used in the request
http:// ... — requested URL
[16/Apr/2008 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7
[16/Apr/2008 10:51:00] — date and time when the event was logged
PERMIT — action that was executed with the packet (PERMIT, DENY or DROP)
'Local traffic' — the name of the traffic rule that was matched by the packet
packet to — packet direction (either to or from a particular interface)
LAN — interface name (see chapter 5 Network interfaces for details)
proto: — transport protocol (TCP, UDP, etc.)
len: — packet size in bytes (including the headers)
ip/port: — source IP address, source port, destination IP address and destination port
flags: — TCP flags
seq: — sequence number of the packet (TCP only)
ack: — acknowledgement sequence number (TCP only)
win: — size of the receive window in bytes (used for data flow control; TCP only)
tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
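The two line layouts described above (the URL/FTP filter line and the traffic-rule packet line) are easy to confuse when the log is fed to a SIEM or script, because the timestamp prefix is the only thing they share. The following parser is an added example written for this page; it is not code from the Kerio manual or product. It handles both layouts as documented here, treats the user name as optional (it is absent when nobody is authenticated from the host), and tolerates non-TCP packet lines that carry no flags/seq/ack/win/tcplen fields. The FTP filter line layout is not shown on the page, so the example assumes it matches the URL line with the rule type set to FTP. The DENY and DROP sample lines are constructed for the demonstration and use documentation addresses.

```python
"""Parser for Kerio WinRoute Firewall "Filter" log lines (added example, not manual code)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple, Union

# Shared timestamp prefix, e.g. [18/Apr/2008 13:39:45]
_TS = r"\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\]"

# [ts] ALLOW URL 'rule' client [user] HTTP GET url
# The user field is optional; the negative lookahead stops "HTTP"/"FTP" from
# being taken as a user name when no user is logged in from the host.
_FILTER_RE = re.compile(
    _TS + r" (?P<action>ALLOW|DENY) (?P<kind>URL|FTP) '(?P<rule>[^']*)'"
    r" (?P<client>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?: (?!HTTP |FTP )(?P<user>\S+))?"
    r" (?P<method>(?:HTTP|FTP) \S+) (?P<url>\S+)$"
)

# [ts] PERMIT 'rule' packet to IFACE, key:value, key:value, ...
_TRAFFIC_RE = re.compile(
    _TS + r" (?P<action>PERMIT|DENY|DROP) '(?P<rule>[^']*)'"
    r" packet (?P<direction>to|from) (?P<iface>[^,]+), (?P<rest>.*)$"
)
# "ip/port:SRC:SPORT -> DST:DPORT"; ports are optional so protocols without them still parse.
_IPPORT_RE = re.compile(r"^(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$")
# One comma group may hold two fields ("seq:N ack:M"), and "flags:" has a space after the colon.
_KV_RE = re.compile(r"([a-z/]+):\s*(.*?)(?=\s+[a-z/]+:|$)")


@dataclass
class FilterEvent:
    timestamp: datetime
    action: str            # ALLOW or DENY
    kind: str              # URL or FTP
    rule: str
    client: str
    user: Optional[str]    # None when no user is authenticated from the host
    method: str            # e.g. "HTTP GET"
    url: str


@dataclass
class TrafficEvent:
    timestamp: datetime
    action: str            # PERMIT, DENY or DROP
    rule: str
    direction: str         # "to" or "from"
    interface: str
    proto: str
    length: int            # len: packet size including headers
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    flags: Tuple[str, ...] = ()   # TCP only; empty for other protocols
    seq: Optional[int] = None
    ack: Optional[int] = None
    win: Optional[int] = None
    tcplen: Optional[int] = None


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%d/%b/%Y %H:%M:%S")


def parse_line(line: str) -> Union[FilterEvent, TrafficEvent, None]:
    """Return a typed event for a Filter log line, or None for an unrecognised line."""
    line = line.strip()
    m = _FILTER_RE.match(line)
    if m:
        return FilterEvent(_ts(m["ts"]), m["action"], m["kind"], m["rule"],
                           m["client"], m["user"], m["method"], m["url"])
    m = _TRAFFIC_RE.match(line)
    if not m:
        return None  # unknown shape; a collector should count these rather than drop them silently
    kv: Dict[str, str] = {}
    for part in m["rest"].split(", "):
        kv.update(_KV_RE.findall(part))
    ip = _IPPORT_RE.match(kv.get("ip/port", ""))
    if ip is None:
        return None

    def opt(key: str) -> Optional[int]:
        return int(kv[key]) if key in kv else None

    return TrafficEvent(
        timestamp=_ts(m["ts"]), action=m["action"], rule=m["rule"],
        direction=m["direction"], interface=m["iface"],
        proto=kv.get("proto", ""), length=int(kv.get("len", 0)),
        src=ip["src"], src_port=int(ip["sport"]) if ip["sport"] else None,
        dst=ip["dst"], dst_port=int(ip["dport"]) if ip["dport"] else None,
        flags=tuple(kv["flags"].split()) if "flags" in kv else (),
        seq=opt("seq"), ack=opt("ack"), win=opt("win"), tcplen=opt("tcplen"),
    )


def blocked_by_source(lines: List[str]) -> Dict[str, int]:
    """Count DENY (filter) and DENY/DROP (traffic) decisions per source address."""
    counts: Dict[str, int] = {}
    for ev in map(parse_line, lines):
        if isinstance(ev, FilterEvent) and ev.action == "DENY":
            counts[ev.client] = counts.get(ev.client, 0) + 1
        elif isinstance(ev, TrafficEvent) and ev.action in ("DENY", "DROP"):
            counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts


SAMPLE_LINES = [
    # The two lines shown on this page
    "[18/Apr/2008 13:39:45] ALLOW URL 'McAfee update' 192.168.64.142 james HTTP GET http://update.kerio.com/nai-antivirus/datfiles/4.x/dat-4258.zip",
    "[16/Apr/2008 10:51:00] PERMIT 'Local traffic' packet to LAN, proto:TCP, len:47, ip/port:195.39.55.4:41272 -> 192.168.1.11:3663, flags: ACK PSH, seq:1099972190 ack:3795090926, win:64036, tcplen:7",
    # Constructed lines (not from the manual) for the no-user DENY and non-TCP DROP cases
    "[18/Apr/2008 13:40:02] DENY URL 'Block streaming' 192.168.64.150 HTTP GET http://example.invalid/video.flv",
    "[18/Apr/2008 13:40:10] DROP 'Default rule' packet from Internet, proto:UDP, len:78, ip/port:203.0.113.9:53412 -> 192.0.2.10:1434",
]

if __name__ == "__main__":
    for ev in map(parse_line, SAMPLE_LINES):
        print(ev)
    print(blocked_by_source(SAMPLE_LINES))
```

Splitting each comma group with a key:value scanner rather than a fixed field order means a line with fewer fields (UDP, no TCP flags) still yields a TrafficEvent, while a line that lacks ip/port entirely is rejected instead of producing an event with empty addresses.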