WSM Reference Guide - WatchGuard Technologies

More documents

Recommendations

Info

Traffic Logs ttl="63" The packet “time to live”, in seconds. log_type="tr" The type of log message. All traffic logs use the “tr” log type. Traffic logs showing NAT A traffic log can also include fields that show how NAT (network address translation) was handled for this packet. An example log showing the ports the Firebox used to apply NAT to a packet is: Proxy Logs When the Firebox processes an event that is handled by a proxy, it writes more than one log message. The first entry shows the same information as a packet filter log, but includes two more fields: proxy_act The name of the proxy action handling this packet. A proxy action is a set of rules for a proxy that can be applied to more than one policy. rule_name The name of the specific proxy rule handling this packet. content_type The type of content in the packet that is filtered by the proxy rule. Other log messages that the Firebox writes when an event is handled by a proxy contain a variable number of fields. Here is an example of a group of log messages created by a user request handled by a proxy:
Traffic Logs dst_ip="66.35.250.151" pr="tcp/http" src_port="4345" dst_port="80" src_intf="1-Trusted" dst_intf="0-External" src_ip_nat="250.168.43.6" src_port_nat="13419" rc="523" msg="Conn End" proxy_act="HTTP-Client.2" log_type="tr"/> Each proxy has its own set of messages. The tables here show the log messages each proxy can write to the log file, and the secondary fields for each log message. SMTP Proxy Traffic Log Messages Text in Message Field Associated Fields SMTP GREETING hostname rule_name SMTP AUTH authtype rule_name SMTP HEADER header SMTP FROM ADDRESS address length response new_address header SMTP TO ADDRESS address new_address length response SMTP CONTENT TYPE content_type rule_name sender recipient SMTP Command keyword response SMTP FILENAME file_name rule_name sender recipients SMTP TIMEOUT timeout SMTP AV VIRUS virus filename content_type sender recipient SMTP AV TOO BIG filename type Message Meaning Value that appears in associated field(s) There is an invalid message in HELO state hostname sent in SMTP greeting name of rule matched in ruleset The AUTH type used matces a configured proxy rule AUTH type used name of rule matched in ruleset The SMTP header matches a configured proxy rule. header name The sender e-mail address matches a configured proxy rule the sender e-mail address (from envelope) length in bytes of address response code returned to client new address, if address rewrite used if header rewrite feature is used The recipient e-mail address matches a configured proxy rule recipient e-mail address (from envelope) new address, if address rewrite used length in bytes of address response code returned to client The content type matches a configured proxy rule the content type found by the SMTP proxy name of rule matched in ruleset sender e-mail address (from envelope) recipient e-mail addresses (from envelope) The full SMTP command as received from the SMTP client values include EXPN, HELP, NOOP, etc. response code returned to client The filename matches a configured proxy rule the file name name of rule matched in ruleset sender e-mail address (from envelope) recipient e-mail addresses (from envelope) The connection idle timeout was reached number of seconds configured to time-out The SMTP proxy found a virus the name of the virus found the filename the content type of the virus found sender e-mail address (from envelope) recipient e-mail addresses (from envelope) An attachment was too big to scan the filename the content type of the attachment <strong>Reference</strong> <strong>Guide</strong> 31
Page 1 and 2: WatchGuard ® System Manager Refere
Page 3 and 4: Contents CHAPTER 1 Internet Protoco
Page 5 and 6: CHAPTER 1 Internet Protocol Referen
Page 7 and 8: Internet Protocol Header Keyword Nu
Page 9 and 10: Transfer Protocols Source Routing T
Page 11 and 12: CHAPTER 2 MIME Content Types Softwa
Page 13 and 14: Type Subtype Reference (where avail
Page 23 and 24: CHAPTER 3 Services and Ports Well-k
Page 25 and 26: Well-Known Services List Port(s) Pr
Page 27 and 28: Well-Known Services List Service Na
Page 29 and 30: Well-Known Services List Service Na
Page 31 and 32: CHAPTER 4 Log Messages Understandin
Page 33: Traffic Logs FWAllow Each packet fi
Page 37 and 38: Traffic Logs DNS Proxy Traffic Log
Page 39 and 40: Traffic Logs HTTP Proxy Traffic Log
Page 41 and 42: Alarm Logs Policy Alarms Default Na
Page 43 and 44: Alarm Logs Denial of Servce (DoS) A
Page 45 and 46: Event Logs Gateway AntiVirus Servic
Page 47 and 48: Event Logs Description of Log Modul
Page 49 and 50: Event Logs Event Log Message Catalo
Page 59 and 60: Firebox Log File XML DTD and Schema
Page 61 and 62: Firebox® X Edge Log Messages Modul
Page 73 and 74: CHAPTER 5 Using the Firebox LCD Use
Page 75 and 76: Firebox Boot Countdown Firebox Boot
Page 77 and 78: Using the LCD Interface in Firebox
Page 79 and 80: CHAPTER 6 WebBlocker Content WatchG
Page 81 and 82: WebBlocker Categories Category Drug
Page 83 and 84: WebBlocker Categories Category Job
Page 85 and 86:
CHAPTER 7 Resources There are many
Page 87 and 88:
Mailing Lists Mailing Lists wg-user
Page 89 and 90:
White Hat Web Sites beginners. Cons
Page 91 and 92:
Other Web Sites maintains a list of
Page 93 and 94:
RSS Feeds www.sophos.com/virusinfo/
Page 95 and 96:
Index B blocked sites, searching fo
show all

WSM Reference Guide - WatchGuard Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?