Firewall Log Search and Search Reports


    Firewall Analyzer provides advanced search feature. This feature offers numerous options to make your searches more precise and to get more useful results. It allows you to search from the raw firewall logs stored in the indexes, archives and processed firewall logs stored in the database.

    In this feature you have the provision to save the search results as Report Profiles. This provides a simplified means to create very precise, selectively filtered and narrowed down report profiles. You don't have to waste time with repeated seraches for the same criteria.

    Search

    You can search the logs for the selected devices with defined matching criteria, from the logs database and raw logs.

    1. Aggregated Search
    2. Raw Search
    3. Raw Settings - Configure raw log indexing.

    Select this option if you want to search from the logs database.

    Selected Devices

    In this section, you can choose the devices for which you want the logs to be searched. There are 2 lists,

    1. Available devices list
    2. Selected devices list

    By default all the devices are selected and avilable in the Selected Devices list. If you want to change the list of selected devices, select the required devices in the Available devices list and move it to the Selected devices list and vice versa. The selected devices are displayed in this section.

    Define Criteria

    This section, enables you to search the database for attributes using more than one following criteria's: 

    Criteria Description
    Protocol Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings > Protocol Groups) Example: 8554/tcp, rtsp, IPSec
    Source Refers to the source host name or IP address from which requests originated
    Destination Refers to the destination host name or IP address to which requests were sent
    User Refers to the authenticated user name required by some firewall's. Example: john, kate
    Virus Refers to the Virus name. Examples: JS/Exception, W32/Mitglieder
    Attack Refers to the attack name. Examples: UDP Snort, Ip spoof
    URL Refers to the URL to be searched
    Rule Refers to the Rule used
    Category Refers to the category type
    Application Refers to the application type
    Src Country Refers to the source country
    Dst Country Refers to the destination country

     Click Generate button. On clicking Generate button you will see the search results.

    Note:
    • By default, the search is carried out for the time period selected in the Calendar.
    • You can also search within the search results

     If the search string exists then the search result will be intelligently displayed based on the report category in which it occurred. The report categories are:

    • Spam Detail
    • Virus Details
    • Analysis of Attack
    • URL Details
    • VPN Usage Report
    • Analysis of Protocol
    • Application Detail
    • Conversation Details
    • Rules Triggered analysis

    Choose Columns, Save buttons on right top of the screen.

    The result of the search is displayed as table with its own columns. You can select the columns for display as per your choice.

    Clicking Save button will open Add Search screen to save the search result as report profile.

    Add Search

    • Enter a Profile Name.
    • Select the required reports by selecting the individual reports. These will form the criteria for the Report Profile.
    • Schedule the report, if required by selecting Schedule > Enable radio button.
    • Choose the format of report to be Emailed using Report Type: PDF or CSV radio buttons.
    • In the Mail To option, enter the mail ID(s) of users to whom the reports should be emailed. The scheduled report will be generated and emailed as PDF to the mail ID(s) that is provided. You can use comma "," separator for multiple mail IDs.
    • Enter the subjrct line of the mail in Subject field. You can also add the attributes, Report Name, Devices, Generated Time, Criteria to the subject line given below the field with check boxes.
    • In the Specify Time option, schedule this report to be automatically generated at specific time intervals. Choose from Hourly, Daily, Weekly, or Monthly schedules, or choose to run this report Once.
      • For Hourly schedules, you can set Generate report on _ Hours _ Minutes and Generate report for Previous Hour/Last 60 Minutes.
      • For Daily schedules, you can set Execute at _ Hours _ Minutes and Generate report for Previous Day/Last 24 Hours, and you can set the Time Filter for Custom Hours, Only Working Hours, or Only NonWorking Hours.You can select Run on Week Days option and the reports are run daily except on the weekends.
      • For Weekly schedules, you can set Generate report on Sunday/Monday/Tuesday/Wednesday/Thursday/Friday/Saturday _ Hours _ Minutes and Generate report for Previous Week/Last 7 days and select the option Generate Report only for Week Days if you want to report on the events that occurred only on the week days and not report on events that occurred over the weekends.
      • For the Monthly schedules, you can set Generate report on 1/2/3/4/5/6/7/8/9/10/11/12  _ Hours _ Minutes and Generate report for Previous Month/Last 30 days and select the option Generate Report only for Week Days if you want to report on the events that occurred only on the week days and not report on events that occurred over the weekends.
    Warning: You need to configure the mail server settings in Firewall Analyzer before setting up an email notification.
    •  Click Save button. A new report profile is added.

    Select this option if you want to search from the logs indexes and archive.

    If you have selected the Raw Firewall Logs option in the Search Type and index Security Logs only option in the Raw Search settings, the following options will be enabled: Raw VPN Logs, Raw Virus/Attack Logs, Raw Device Management Logs, and Raw Denied Logs

    If you have selected the Raw Firewall Logs option in the Search Type and the index Traffic & Security logs option in the Raw Search settings, the following options will be enabled: Raw VPN Logs, Raw Virus/Attack Logs, Raw Device Management Logs, and Raw Denied Logs and additionally Traffic logs option.

    Choose the required logs to be searched.

    In the Search Type, you can also select  Raw Proxy Logs and Unknown protocol from the dropdown list.

    Selected Devices

    In this section, you can choose the devices for which you want the logs to be searched. There are 2 lists,

    1. Available devices list
    2. Selected devices list

    By default all the devices are selected and available in the Selected Devices list. If you want to change the list of selected devices, select the required devices in the Available devices list and move it to the Selected devices list and vice versa. The selected devices are displayed in this section.

    Define Criteria

    If you have selected the Raw Firewall Logs option in the Search Type, this section enables you to search the logs for attributes using more than one of the following criteria: 

    Criteria Description
    Protocol Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings >> Protocol Groups). Example: 8554/tcp, rtsp, IPSec
    Source Refers to the source host name or IP address from which requests originated.
    Destination Refers to the destination host name or IP address to which requests were sent
    User Refers to the authenticated user name required by some firewall's. Example: john, kate
    Virus Refers to the Virus name. Examples: JS/Exception, W32/Mitglieder
    Attack Refers to the attack name. Examples: UDP Snort, Ip spoof
    URL Refers to the URL to be searched
    Rule Refers to the Rule used
    Category Refers to the category type
    Application Refers to the application type
    Src Country Refers to the source country
    Dst Country Refers to the destination country

     

    If you have selected the Raw Proxy Logs option in the Search Type, this section enables you to search the logs for attributes using more than one of the following criteria: 

     

    Criteria Description
    Protocol Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings >> Protocol Groups). Example: 8554/tcp, rtsp, IPSec
    Source Refers to the source host name or IP address from which requests originated
    Destination Refers to the destination host name or IP address to which requests were sent
    User Refers to the authenticated user name required by some firewall's. Example: john, kate
    Category Refers to the category type
    URL Refers to the URL to be searched
    Virus Refers to the Virus name. Examples: JS/Exception, W32/Mitglieder
    Status The status of the traffic whether it is permit or deny.
    Bytes The number of bytes the traffic has used.
    Duration The time duration of the traffic.

     

    If you have selected the Unknown Protocol option in the Search Type, this section enables you to search the logs for attributes using more than one of the following criteria: 

    Criteria Description
    Status The status of the traffic whether it is permit or deny.
    Protocol Refers to the list of protocols and protocol identifiers that are available in the Protocol Groups page (Settings >> Protocol Groups). Example: 8554/tcp, rtsp, IPSec
    Source Refers to the source host name or IP address from which requests originated
    Destination Refers to the destination host name or IP address to which requests were sent
    User Refers to the authenticated user name required by some firewall's. Example: john, kate
    VPN Refers to the Virus name. Examples: JS/Exception, W32/Mitglieder

     

    Click Generate button. On clicking Generate button you will see the search results.

    Note:
    • By default, the search is carried out for the time period selected in the Calendar.
    • You can also search within the search results

    If the search string exists then the search result will be displayed in two tabs, Formatted Logs and Raw Logs.  In the Formatted Logs tab, the search result is fetched from the log indexes and displayed.

    In the Formatted Logs tab, the search results are displayed in a table format with the following column:

    • Device
    • Host
    • Source Port
    • User
    • Protocol
    • Destination
    • Destination Port
    • Date/Time
    • Virus/Attack
    • VPN
    • Severity
    • Rule Number/ID
    • Status
    • URL
    • Category
    • Duration
    • Description
    • VPN Group
    • Port based
    • Sent
    • Received

    In the Raw Logs tab, the search result is fetched from the log archives and displayed as raw logs.

    Choose Columns, Save buttons on right top of the screen.

    Choose Column will list all the columns of the result table. You can select the columns for display as per your choice.

    Note: When you save the search results as report, the number of columns to choose is restricted to 11 for better reporting.

    Save will open Add Search screen to save the search result as report profile.

    • Enter a Profile Name.
    • Select the required columns of the formatted logs report of the search result.
    • Schedule the report, if required by selecting Schedule > Enable radio button. Follow the procedure to schdule the report.
    •  Click Save button. A new report profile is added.

    Using Search to create Report Profile

     To generate remote VPN users reports:

    • Click Search sub tab and select Raw Search
    • Select appropriate firewall devices
    • Select Raw Firewall Logs from the drop down list.
    • Select Raw VPN Logs in the Raw Firewall Logs group.
    • In the Criteria section, select Match all of the following or Match any of the following to match all the criteria set or any of the criteria set and add or remove additional criteria using Add Criteria and Remove Criteria links and select User is 'your network VPN user'.
    • Click Generate. Search results provide the Reports related to your search <for time period from begining of the day to current time>.
    • To save the search result as report profile, click Save link.
    • Enter a Profile Name.
    • Select the required reports by selecting the individual reports. These will form the criteria for the Report Profile.
    • Schedule the report, if required by selecting Schedule > Enable radio button. Follow the procedure to schdule the report.
    • Click Save button. A new report profile is added.

     

    Indexing Raw Logs for Search

    To enable indexing of raw logs follow the steps given below:

    In Search screen, select the Raw Setting link. Raw Data Indexing page appears.

    • Raw Data Indexing: Move Enable or Disable slider button to enable or disable indexing of raw logs.
    • If you want to index security logs only, select Index Security Logs only radio button. If you select the Raw Firewall Logs option in the Search Type and index Security Logs only option here, the following options will be enabled: Raw VPN Logs, Raw Virus/Attack Logs, Raw Device Management Logs, and Raw Denied Logs
    • If you want ot index both traffic and security logs, select Index Traffic & Security Logs radio button. If you select the Raw Firewall Logs option in the Search Type and the index Traffic & Security logs option here, the following options will be enabled: Raw VPN Logs, Raw Virus/Attack Logs, Raw Device Management Logs, and Raw Denied Logs and additionally Traffic logs option.
    • Click Save to save raw log index settings.

     You will require additional hardware for index log storage space, refer hardware requirements in the System Requirements page.