Firewall Logs

Firewall Logs provide visibility into network traffic flowing through a Virtual Datacenter (VDC). They surface perimeter and micro-segmentation next-generation firewall logs so administrators can investigate connectivity, security, and traffic patterns.

Introduction

Use Firewall Logs to review connections between resources, troubleshoot communication issues, identify potential security events, and validate whether security policies are working as expected.

Key Features

Comprehensive traffic visibility: Diagnose traffic through perimeter north-south firewalls and micro-segmentation east-west firewalls.
Advanced filtering: Filter traffic by direction, firewall type, source, destination, service, action, time range, and record count.
Detailed connection information: View timestamp, source and destination IPs, port, service, firewall action, message, and sent or received data volume.
Security context: See which action the firewall took on each connection and which firewall type (perimeter or micro-segmentation) handled it.
Internal service monitoring: Track communication between internal services to understand dependencies and detect unexpected lateral movement.

Common Use Cases

  • Troubleshoot application connectivity between services.
  • Discover unauthorized services or unexpected external connections.
  • Identify high-bandwidth or unusual traffic patterns.
  • Verify that sensitive systems are isolated as intended.
  • Investigate denied connections and high-risk traffic.
  • Understand communication flows for segmentation and network architecture planning.

Accessing Traffic Logs

From a Virtual Machine

  1. Open Virtual Machines from the side navigation menu.
  2. Open the VM.
  3. To view logs for a specific firewall rule, click More Actions and then View Traffic Logs.
  4. Open the Firewall Logs tab.
  5. Fill in the query filters to display traffic.

From a Load Balancer

  1. Open Load Balancers from the side navigation menu.
  2. Open the load balancer.
  3. To view logs for a specific firewall rule, click More Actions and then View Traffic Logs.
  4. Open the Firewall Logs tab.
  5. Fill in the query filters to display traffic.

Understanding the Interface

Filter Panel: Right-side panel used to run a query and refine the visible logs.
Log Table: Main table showing individual traffic log entries.
Action Bar: Tools for exporting logs, searching the visible logs, and configuring table columns.

Filtering Traffic Logs

Direction: Show incoming or outgoing traffic.
Type: Filter by physical perimeter north-south firewalls or micro-segmentation east-west firewalls.
Source/Destination: Filter by IP address, subnet, or known entity. Which of the two fields applies depends on the selected direction; leave a field empty to match any address.
Services: Filter by a predefined service or a custom protocol and port pair; leave empty to match all services.
Firewall Action: Show allowed traffic, denied traffic, or both by leaving the filter empty.
Time: Show logs from the last 5 minutes, 30 minutes, hour, 12 hours, or 24 hours.
Records: Limit the number of records returned.

Tip

Start with a short time range and a modest record limit, then add filters incrementally. Apply the firewall type filter early to focus on either external perimeter traffic or internal micro-segmentation traffic, since mixing the two makes patterns harder to read.

Understanding Log Data

Timestamp: When the log entry was created.
Source: Origin IP address initiating the request.
Destination: Target IP address receiving the request.
Port: Destination port number.
Service: Recognized service name.
Firewall Action: Whether the firewall allowed or denied the traffic.
Message: Connection status detail.
Sent/Received: Data volume sent and received during the connection.

Message values

Closed: The connection was properly terminated by either the client or server.
Accepted: The connection was established and traffic was allowed.
Client Reset: The client sent a TCP reset packet.
Server Reset: The server sent a TCP reset packet.
Destination Timeout: The connection exceeded the allowed time limit and was terminated by the firewall.
Rejected: The firewall blocked the connection attempt based on security policies.
Timeout: Internal service communication exceeded the allowed time limit and was terminated.

Common Workflows

Investigating Denied Connections

  1. Set Firewall Action to Denied.
  2. Look for patterns in Source, Destination, or Service. A single source denied against many destinations on the same service looks like a sweep; one source repeatedly denied against one destination more often indicates a missing rule or a misconfigured client.
  3. Review the Message field for denial details.
  4. Check whether the denied connections are expected under your security policies.
  5. For micro-segmentation denials, verify whether communication should be allowed between the internal services.

Monitoring External Access

  1. Filter by incoming or outgoing direction.
  2. Set firewall type to physical perimeter north-south.
  3. Review source and destination entities for expected traffic patterns.
  4. Examine traffic volume and bandwidth for anomalies.

Analyzing Internal Service Communication

  1. Filter by incoming or outgoing direction.
  2. Set firewall type to micro-segmentation east-west.
  3. Filter for the specific services or applications under review.
  4. Review communication patterns between internal services.
  5. Look for unexpected connections that could indicate configuration issues, unauthorized lateral movement, or compliance violations.
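
The three workflows above can also be run offline against an export from the action bar. The following script is an added example and is not the product's own code or export format: it assumes the export is a CSV whose header uses the column names listed under Understanding Log Data (Timestamp, Source, Destination, Port, Service, Firewall Action, Message, Sent, Received) plus a Type column holding "north-south" or "east-west". The sample rows, the allowlist of intended east-west flows, and the bandwidth threshold are constructed for illustration.

```python
"""Triage of an exported Firewall Logs table.

Added example; not the product's own code or export format. It assumes a
CSV export with the page's column names plus a Type column that carries
"north-south" or "east-west". Sample rows and allowlist are constructed.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export (not real log data).
SAMPLE_EXPORT = """\
Timestamp,Type,Source,Destination,Port,Service,Firewall Action,Message,Sent,Received
2024-05-01T10:00:01Z,east-west,10.0.1.10,10.0.2.20,5432,PostgreSQL,Allowed,Closed,1200,8900
2024-05-01T10:00:05Z,east-west,10.0.1.10,10.0.2.20,5432,PostgreSQL,Allowed,Closed,980,7600
2024-05-01T10:00:09Z,east-west,10.0.1.11,10.0.2.20,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:12Z,east-west,10.0.1.11,10.0.2.21,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:15Z,east-west,10.0.1.11,10.0.2.22,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:20Z,east-west,10.0.3.5,10.0.2.20,5432,PostgreSQL,Allowed,Accepted,300,400
2024-05-01T10:01:00Z,north-south,203.0.113.7,10.0.1.10,443,HTTPS,Allowed,Closed,2400,52000
2024-05-01T10:02:00Z,north-south,10.0.1.10,198.51.100.9,443,HTTPS,Allowed,Closed,734003200,12000
"""


def parse_export(text):
    """Parse the CSV export into dicts, converting the numeric columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("Port", "Sent", "Received"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def denied_summary(rows):
    """Investigating Denied Connections: group denials by source.

    One source rejected against many distinct destinations on one service
    reads as a sweep; one source against one destination reads as a
    missing rule or a misconfigured client.
    """
    summary = defaultdict(lambda: {"count": 0, "destinations": set(),
                                   "services": set(), "messages": set()})
    for r in rows:
        if r["Firewall Action"] != "Denied":
            continue
        entry = summary[r["Source"]]
        entry["count"] += 1
        entry["destinations"].add(r["Destination"])
        entry["services"].add(r["Service"])
        entry["messages"].add(r["Message"])
    return dict(summary)


# Constructed allowlist of intended east-west flows: (source, destination, port).
EAST_WEST_ALLOWLIST = [
    (ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"), 5432),
]


def unexpected_east_west(rows, allowlist=EAST_WEST_ALLOWLIST):
    """Analyzing Internal Service Communication: allowed east-west flows
    that no allowlist entry covers. These are the candidates for lateral
    movement or for a rule that is broader than intended."""
    findings = []
    for r in rows:
        if r["Type"] != "east-west" or r["Firewall Action"] != "Allowed":
            continue
        src, dst = ip_address(r["Source"]), ip_address(r["Destination"])
        covered = any(src in s and dst in d and r["Port"] == p
                      for s, d, p in allowlist)
        if not covered:
            findings.append(r)
    return findings


def high_volume_flows(rows, threshold_bytes):
    """Monitoring External Access: north-south flows that moved more than
    threshold_bytes in either direction, largest first."""
    big = [r for r in rows
           if r["Type"] == "north-south"
           and max(r["Sent"], r["Received"]) > threshold_bytes]
    return sorted(big, key=lambda r: max(r["Sent"], r["Received"]), reverse=True)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    for src, entry in denied_summary(rows).items():
        print(f"denied from {src}: {entry['count']} attempts, "
              f"{len(entry['destinations'])} destinations, services {sorted(entry['services'])}")
    for r in unexpected_east_west(rows):
        print(f"unexpected east-west: {r['Source']} -> {r['Destination']}:{r['Port']} ({r['Service']})")
    for r in high_volume_flows(rows, 100_000_000):
        print(f"high volume: {r['Source']} -> {r['Destination']} sent={r['Sent']} received={r['Received']}")
```

On the constructed sample, the script reports 10.0.1.11 denied three times against three hosts on SSH (a sweep pattern), an allowed PostgreSQL connection from 10.0.3.5 that the allowlist does not cover, and one outbound HTTPS session that sent roughly 700 MB. Keep the allowlist as the source of truth for intended east-west flows so that the same export can be re-checked after a rule change.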