Firewall Logs
Firewall Logs provide visibility into network traffic flowing through a Virtual Datacenter (VDC). They surface perimeter and micro-segmentation next-generation firewall logs so administrators can investigate connectivity, security, and traffic patterns.
Introduction
Use Firewall Logs to review connections between resources, troubleshoot communication issues, identify potential security events, and validate whether security policies are working as expected.
Key Features
| Feature | Description |
|---|---|
| Comprehensive traffic visibility | Diagnose traffic through perimeter north-south firewalls and micro-segmentation east-west firewalls. |
| Advanced filtering | Filter traffic by direction, policy type, source, destination, service, action, time, and record count. |
| Detailed connection information | View timestamp, source and destination IPs, service, firewall action, message, and sent or received data volume. |
| Security context | Understand firewall actions and policy identification. |
| Internal service monitoring | Track communication between internal services to understand dependencies and detect unexpected lateral movement. |
Common Use Cases
- Troubleshoot application connectivity between services.
- Discover unauthorized services or unexpected external connections.
- Identify high-bandwidth or unusual traffic patterns.
- Verify that sensitive systems are isolated as intended.
- Investigate denied connections and high-risk traffic.
- Understand communication flows for segmentation and network architecture planning.
Accessing Traffic Logs
From a Virtual Machine
- Open Virtual Machines from the side navigation menu.
- Open the VM.
- To view logs for a specific firewall rule, click More Actions and then View Traffic Logs.
- Open the Firewall Logs tab.
- Fill in the query filters to display traffic.
From a Load Balancer
- Open Load Balancers from the side navigation menu.
- Open the load balancer.
- To view logs for a specific firewall rule, click More Actions and then View Traffic Logs.
- Open the Firewall Logs tab.
- Fill in the query filters to display traffic.
Understanding the Interface
| Area | Purpose |
|---|---|
| Filter Panel | Right-side panel used to build the query and refine which logs are shown. |
| Log Table | Main table showing individual traffic log entries. |
| Action Bar | Tools for exporting logs, searching visible logs, and configuring table columns. |
Filtering Traffic Logs
| Filter | Description |
|---|---|
| Direction | Show incoming or outgoing traffic. |
| Type | Filter by physical perimeter north-south firewalls or micro-segmentation east-west firewalls. |
| Source/Destination | Filter by IP address, subnet, or known entity, or leave the field empty; which side applies depends on the selected direction. |
| Services | Filter by predefined service, custom protocol and port pair, or all services by leaving it empty. |
| Firewall Action | Show allowed traffic, denied traffic, or both by leaving it empty. |
| Time | Show logs from the last 5 minutes, 30 minutes, hour, 12 hours, or 24 hours. |
| Records | Limit the number of records shown. |
Tip
Start with a reasonable time range, then add filters incrementally. Use the firewall type filter early to focus on external perimeter traffic or internal micro-segmentation traffic.
Understanding Log Data
| Column | Description |
|---|---|
| Timestamp | When the log entry was created. |
| Source | Origin IP address initiating the request. |
| Destination | Target IP address receiving the request. |
| Port | Destination port number. |
| Service | Recognized service name. |
| Firewall Action | Whether the firewall allowed or denied the traffic. |
| Message | Connection status detail. |
| Sent/Received | Data volume sent and received during the connection. |

The Message column can take the following values:

| Message | Meaning |
|---|---|
| Closed | The connection was properly terminated by either the client or server. |
| Accepted | The connection was established and traffic was allowed. |
| Client Reset | The client sent a TCP reset packet. |
| Server Reset | The server sent a TCP reset packet. |
| Destination Timeout | The connection exceeded the allowed time limit and was terminated by the firewall. |
| Rejected | The firewall blocked the connection attempt based on security policies. |
| Timeout | Internal service communication exceeded the allowed time limit and was terminated. |
Common Workflows
Investigating Denied Connections
- Set Firewall Action to Denied.
- Look for patterns in Source, Destination, or Service.
- Review the Message field for denial details.
- Check whether the denied connections are expected under your security policies.
- For micro-segmentation denials, verify whether communication should be allowed between the internal services.
Monitoring External Access
- Filter by incoming or outgoing direction.
- Set firewall type to physical perimeter north-south.
- Review source and destination entities for expected traffic patterns.
- Examine traffic volume and bandwidth for anomalies.
Analyzing Internal Service Communication
- Filter by incoming or outgoing direction.
- Set firewall type to micro-segmentation east-west.
- Filter for the specific services or applications under review.
- Review communication patterns between internal services.
- Look for unexpected connections that could indicate configuration issues, unauthorized lateral movement, or compliance violations.
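The following Python example is added here to show the filter panel, the log columns, and the three workflows above as code; it is not part of the platform or its documentation. It assumes the logs can be exported as CSV with one column per field in the log table plus the direction and firewall type used as filters, and it uses a constructed sample export, a constructed segmentation allow-list, and an arbitrary volume threshold. The last function goes slightly beyond the text: it flags east-west flows that fall outside the stated segmentation intent whether they were allowed or denied, because an Allowed flow outside the intended paths is a policy gap rather than a blocked attempt.

```python
"""Offline walk-through of the Firewall Logs workflows (constructed data)."""
import csv
import io
from ipaddress import ip_address, ip_network

# Constructed sample export. Column names follow the log table on the page;
# 'direction' and 'type' are assumed to be exported alongside them.
SAMPLE_EXPORT = """\
timestamp,direction,type,source,destination,port,service,action,message,sent,received
2024-05-01T10:00:01Z,incoming,north-south,203.0.113.7,10.0.1.10,443,HTTPS,Allowed,Accepted,1200,54000
2024-05-01T10:00:02Z,incoming,north-south,198.51.100.9,10.0.1.10,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:03Z,incoming,north-south,198.51.100.9,10.0.1.11,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:04Z,incoming,north-south,198.51.100.9,10.0.1.12,22,SSH,Denied,Rejected,0,0
2024-05-01T10:00:05Z,outgoing,north-south,10.0.1.10,203.0.113.50,443,HTTPS,Allowed,Closed,900000000,4000
2024-05-01T10:00:06Z,incoming,east-west,10.0.1.10,10.0.2.20,5432,PostgreSQL,Allowed,Accepted,3000,12000
2024-05-01T10:00:07Z,incoming,east-west,10.0.1.11,10.0.2.20,5432,PostgreSQL,Allowed,Accepted,2800,11000
2024-05-01T10:00:08Z,incoming,east-west,10.0.3.30,10.0.2.20,5432,PostgreSQL,Allowed,Accepted,500,800
2024-05-01T10:00:09Z,incoming,east-west,10.0.3.30,10.0.1.10,3389,RDP,Denied,Rejected,0,0
"""

# Assumed segmentation intent: (source subnet, service) pairs that are
# expected on the east-west firewall. Everything else gets reviewed.
EXPECTED_EAST_WEST = {
    ("10.0.1.0/24", "PostgreSQL"),  # app tier -> database tier
}


def parse_export(text):
    """Read the CSV export into dicts, converting numeric columns."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        for key in ("port", "sent", "received"):
            r[key] = int(r[key])
        rows.append(r)
    return rows


def _in_scope(addr, selector):
    """Selector is an IP or CIDR string; None means the filter was left empty."""
    if selector is None:
        return True
    return ip_address(addr) in ip_network(selector, strict=False)


def filter_logs(rows, direction=None, fw_type=None, action=None, service=None,
                source=None, destination=None, records=None):
    """Mirror the filter panel: an empty (None) filter matches everything."""
    out = [r for r in rows
           if (direction is None or r["direction"] == direction)
           and (fw_type is None or r["type"] == fw_type)
           and (action is None or r["action"] == action)
           and (service is None or r["service"] == service)
           and _in_scope(r["source"], source)
           and _in_scope(r["destination"], destination)]
    return out[:records] if records is not None else out


def denied_patterns(rows, min_targets=3):
    """Investigating Denied Connections: group Denied entries by (source,
    service) and report sources that hit several distinct destinations."""
    targets = {}
    for r in filter_logs(rows, action="Denied"):
        targets.setdefault((r["source"], r["service"]), set()).add(r["destination"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def perimeter_volume_outliers(rows, threshold_bytes=100_000_000):
    """Monitoring External Access: north-south flows whose total volume
    exceeds a threshold (the threshold is a tunable assumption)."""
    return [(r["source"], r["destination"], r["sent"] + r["received"])
            for r in filter_logs(rows, fw_type="north-south")
            if r["sent"] + r["received"] > threshold_bytes]


def unexpected_east_west(rows):
    """Analyzing Internal Service Communication: east-west flows outside the
    expected (subnet, service) pairs, allowed or denied."""
    findings = []
    for r in filter_logs(rows, fw_type="east-west"):
        expected = any(_in_scope(r["source"], net) and r["service"] == svc
                       for net, svc in EXPECTED_EAST_WEST)
        if not expected:
            findings.append((r["source"], r["destination"], r["service"], r["action"]))
    return findings


if __name__ == "__main__":
    logs = parse_export(SAMPLE_EXPORT)
    print("Denied patterns:", denied_patterns(logs))
    print("Perimeter volume outliers:", perimeter_volume_outliers(logs))
    print("Unexpected east-west flows:", unexpected_east_west(logs))
```

On the sample data the denied-connection check groups three SSH rejections from one external address into a single finding, the perimeter check surfaces the one large outbound HTTPS transfer, and the east-west check returns two rows from 10.0.3.30: a denied RDP attempt and an allowed PostgreSQL connection, the latter being the one that calls for a policy review because the segmentation intent does not cover it.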