Querying Logs
CFW allows you to query logs generated within the last seven days. The following types of logs are available:
- Attack event logs: The events detected by attack defense functions, such as IPS, are recorded.
- Access control logs: All traffic that matches the access control policy are recorded.
- Traffic logs: All traffic passing through the firewall is recorded.
One or multiple types of logs can be recorded in LTS. You can view log data in the past 1 to 365 days. For details, see Log Management.
Constraints
- Logs can be stored for up to seven days.
- For each type of logs, up to 1,000 records can be viewed, and up to 100,000 records can be exported.
- Traffic logs are collected based on sessions. Data about a connection is not reported until connection is terminated.
Checking Logs
Perform the following operations to view logs.
Attack Event Logs
- Log in to the management console.
- Click
in the upper left corner of the management console and select a region or project. - In the navigation pane on the left, click
and choose . The Dashboard page will be displayed. - (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose . On the Attack Event Logs tab, check the details about attack events in the past week.
Figure 1 Attack event logs
Table 1 Attack event log parameters Parameter
Description
Time
Time when an attack occurred.
Attack Type
Type of the attack event, including IMAP, DNS, FTP, HTTP, POP3, TCP, and UDP.
Risk Level
It can be Critical, High, Medium, or Low.
Rule name/Rule ID
Name and ID of the matched rule in the library.
Source IP Address
Source IP address of an attack event.
If the source IP address is a WAF back-to-source IP address, Source IP Address displays the WAF back-to-source IP address and the real IP address. The first IP address corresponding to X-Forwarded-For is displayed in RealIP, that is, the real IP address of the client.
Source Country/Region
Geographical location of the attack source IP address.
Source Port
Source port of an attack.
Destination IP Address
Attacked IP address.
Destination Country/Region
Geographical location of the attack target IP address.
Destination Port
Destination port of an attack.
Protocol
Protocol type of an attack.
Application
Application type of an attack.
Direction
It can be outbound or inbound.
Action
Action of the firewall. It can be Allow, Block, Block IP, or Discard.
Operation
You can click View to view the basic information and attack payload of an event.
Access Control Logs
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose . On the log query page, click the Access Control Logs tab to view details about access control traffic in the past week.
For details about how to modify the action taken on an IP address, see Configuring Protection Rules to Block or Allow Internet Border Traffic or Adding Blacklist or Whitelist Items to Block or Allow Traffic.
Figure 2 Access control logs
Table 2 Access control log parameters Parameter
Description
Hit Time
Time of an access.
Source IP Address
Source IP address of the access.
Source Country/Region
Geographical location of the source IP address.
Source Port
Source port for access control. It can be a single port or consecutive port groups (example: 80-443).
Destination IP Address
Destination IP address.
Destination Host
Destination domain name
Destination Country/Region
Geographical location of the destination IP address.
Destination Port
Destination port for access control. It can be a single port or consecutive port groups (example: 80-443).
Protocol
Protocol type for access control.
Application
Application type of the access traffic.
Action
Action taken on an event. It can be Observe, Block, or Allow.
Rule
Type of an access control rule. It can be a blacklist or whitelist.
Traffic Logs
- Log in to the management console.
- Click in the upper left corner of the management console and select a region or project.
- In the navigation pane on the left, click and choose . The Dashboard page will be displayed.
- (Optional) Switch to another firewall instance. Select a firewall from the drop-down list in the upper left corner of the page.
- In the navigation pane, choose . Click the Traffic Log tab to view the number of traffic bytes and packets in the past week.
Figure 3 Traffic logs
Table 3 Traffic log parameters Parameter
Description
Start Time
Time when traffic protection started.
End Time
Time when traffic protection ended.
Source IP Address
Source IP address of the traffic
Source Country/Region
Geographical location of the source IP address.
Source Port
Source port of the traffic.
Destination IP Address
Destination IP address.
Destination Host
Destination domain name
Destination Country/Region
Geographical location of the destination IP address.
Destination Port
Destination port of the traffic.
Protocol
Protocol type of the traffic.
Application
Application type of the access traffic.
Stream Size
Total number of bytes of protected traffic.
Stream Packets
Total number of protected packets.
References
- Exporting logs: Click
in the upper right corner of the log list to export the logs in the list. - CFW provides the network packet capture function. You can capture traffic by IP address, port number, or protocol type to quickly locate network faults and identify security risks. For details, see Network Packet Capture.
Follow-up Operations
- If improper blocking is recorded in access control logs, your normal workloads may have been blocked by IPS. In this case, check the policy configuration. For details about how to modify protection rules, see Managing Protection Rules. For details about how to modify the blacklist and whitelist, see Editing the Blacklist or Whitelist.
- If improper blocking is recorded in attack event logs, your normal workloads may be blocked by IPS.
- If the traffic from an IP address is improperly blocked, add it to the whitelist.
- If the traffic from multiple IP addresses is blocked, check logs to see whether it is blocked by a single rule or multiple rules.
- Blocked by a single rule: Modify the protection action of the rule. For details, see Modifying the Action of a Basic Protection Rule.
- Blocked by multiple rules: Modify the protection mode. For details, see Adjusting the IPS Protection Mode to Block Network Attacks.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.
