Traffic Logs and Audit Logs

Traffic logs are produced whenever traffic hits a rule which has been enabled for logging.

Audit logs are produced and stored on the device each time a user makes a change to the configuration of a device.

Traffic Logs

Incoming or outgoing traffic through a device is filtered by rules that either allow or disallow (deny) the traffic. For every event that is allowed or denied by a rule enabled for logging, a traffic log is written on the designated log server.

AFA collects the logs from the log server, processes them, crunches matching records, writes the crunched records to the database tables. The traffic log information is used in AFA analysis and the Policy Optimization page of the report.

Traffic Logs and Policy Optimization

Depending on the Log Collection mode used (for example, standard, extensive, etc.), Policy Optimization analyzes the traffic log records for frequency of rule usage, exposing rules that are hardly used or never used.

The Policy Optimization rule recommendations displayed on the a device report'sPOLICY OPTIMIZATION page page use traffic logs to provide:

  • Suggestions for Rule Reordering

  • Rule usage statistics including -

    • Unused rules

    • Unused objects within rules

    • Least used rules

    • Most used rules

    • All rule usage (count, last date)

    • All NAT rule usage (count, last date)

    • Policy tuner analysis for all rules, including suggestions for tightening permissive rules

Troubleshooting Traffic Logs

Traffic logs are not present for the device

Do the following: 

  1. If there are no traffic logs for a particular device on the log server, check that there are rules on that device that are configured to send traffic logs.

  2. Log into the designated ASMS log server and using dump, make sure that the server is receiving traffic logs in general.

Identifying Traffic Logs

Sometimes additional identifiers are required in order to match between traffic logs and the device that generated them (as a result of load balancing or NAT, etc.). These identifiers must be added to the device configuration Log Collection and Monitoring section in Additional firewall identifiers field. When this field is updated in the device configuration, the device configuration on the log server will be updated.

Note: For devices with hierarchy, add these identifiers via the fwa.meta parameter of the device's meta file:

~/.fa/firewalls/<device name>/fwa.meta.

Back to top

Audit Logs

Having the latest information about each device enables optimal ASMS functionality. They hold the records of every change that was made on a device, providing:

  • What was the change

  • Who made the change

  • When was the change made

Each ASMS configured device continually stores its own configuration and change information including an audit log for every new change.

Audit logs, produced each time a user makes a change to the configuration of a device, are collected by ASMS during both the Log Collection Process and the Monitoring Process . They feed the Changed by fields of the Changes page of the Report and the Changes tab for the device.

Back to top

Troubleshooting Audit Logs

The following can be signs of audit log misconfiguration:

  • No information in the Changed by column of the Changes tab

  • Log Collection status is red, indicating Log Collection failure

Do the following: 

  • Check the Device Configuration to verify that the correct log server is configured and that this is the log server that Log Collection is querying.

  • See Algopedia articles that refer to audit log troubleshooting.

Back to top