
FW log entries - 0-value for sent\rcvd pkts\bytes

I log FW rule traffic to a dedicated syslog dump file and have noticed that several entries (both allow and deny) have a 0-value for the sent\rcvd packets and bytes fields.

This can't be normal, can it?

I know others have discussed how screwed up the log reporting has been - is this yet another example of that?



  • Hi Cyberzeus,

    Are you talking about these numbers?

    These are counted at policy hit and since last reboot, and are not HA mirrored.

    If you have a rule above which is more general, a more specific one below will show no traffic (no hit). Or if you have a rule which is rarely used and you watch the traffic counter shortly after reboot / HA failover, it will show no traffic.

     

    Yours Lukas

  • Hi Ina - actually no...the fields I am referring to are syslog entries.  Note the following 2 entries - the first has non-0 data in the sent\rcvd fields - the second entry has 0-values.  Both are ALLOW log entries:

     

    Dec 18 03:39:04 [ MASKED ] device="SFW" date=2017-12-18 time=03:39:04 timezone="PST" device_name="SFVH" device_id=[ MASKED ] A5 log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=41 fw_rule_id=3 policy_type=2 user_name="[ MASKED ]" user_gp="[ MASKED ]" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="Secure Socket Layer Protocol" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port1" out_interface="Port2" src_mac=[ MASKED ] src_ip=[ MASKED ] src_country_code=R1 dst_ip=[ MASKED ] dst_country_code=USA protocol="TCP" src_port=64476 dst_port=443 sent_pkts=17 recv_pkts=13 sent_bytes=3204 recv_bytes=6934 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="2234056000" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"

     

    Dec 18 04:29:41[ MASKED ] device="SFW" date=2017-12-18 time=04:29:41 timezone="PST" device_name="SFVH" device_id=[ MASKED ] log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=0 fw_rule_id=8 policy_type=2 user_name="[ MASKED ]" user_gp="[ MASKED ]" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port1" out_interface="Port2" src_mac=[ MASKED ] src_ip=[ MASKED ] src_country_code=R1 dst_ip=[ MASKED ] dst_country_code=USA protocol="UDP" src_port=52077 dst_port=53 sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Start" connid="570885760" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
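
One way to check whether the 0-value entries line up with another field in the same record, as an added example that is not part of the original thread: the parser below reads the key=value layout of the two quoted entries and tallies firewall records by `connevent` and by whether all four counters are zero. The sample lines are constructed and abridged from the quoted entries (which differ in `connevent`, "Stop" versus "Start", and in `duration`); the hostname `fw-host` and the third and fourth lines are assumptions.

```python
import re
from collections import Counter

# key=value pairs; a value is either "quoted" (may contain spaces) or a bare token (may be empty)
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
COUNTERS = ("sent_pkts", "recv_pkts", "sent_bytes", "recv_bytes")

# Constructed sample input, abridged from the field layout of the entries quoted above.
SAMPLE = [
    'Dec 18 03:39:04 fw-host device="SFW" log_type="Firewall" log_subtype="Allowed" duration=41 '
    'fw_rule_id=3 application="Secure Socket Layer Protocol" protocol="TCP" dst_port=443 '
    'sent_pkts=17 recv_pkts=13 sent_bytes=3204 recv_bytes=6934 tran_src_ip= tran_src_port=0 '
    'connevent="Stop" connid="2234056000" message=""',
    'Dec 18 04:29:41 fw-host device="SFW" log_type="Firewall" log_subtype="Allowed" duration=0 '
    'fw_rule_id=8 application="DNS" protocol="UDP" dst_port=53 '
    'sent_pkts=0  recv_pkts=0 sent_bytes=0 recv_bytes=0 tran_src_ip= tran_src_port=0 '
    'connevent="Start" connid="570885760" message=""',
    'Dec 18 04:29:42 fw-host device="SFW" log_type="Firewall" log_subtype="Allowed" duration=0 '
    'fw_rule_id=8 application="DNS" protocol="UDP" dst_port=53 '
    'sent_pkts=0 recv_pkts=0 sent_bytes=0 recv_bytes=0 connevent="Start" connid="570885761"',
    'Dec 18 04:30:00 fw-host unrelated daemon message without fields',
]

def parse(line):
    """Return the key=value fields of one log line as a dict of strings."""
    fields = {}
    for m in PAIR.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        fields[m.group(1)] = quoted if quoted is not None else bare
    return fields

def zero_counters(fields):
    """True only when all four packet/byte counters are present and equal to 0."""
    return all(fields.get(name) == "0" for name in COUNTERS)

def summarize(lines):
    """Tally firewall records by (connevent, 'zero' or 'nonzero' counters)."""
    tally = Counter()
    for line in lines:
        fields = parse(line)
        if fields.get("log_type") != "Firewall":
            continue  # skip lines that are not firewall rule records
        kind = "zero" if zero_counters(fields) else "nonzero"
        tally[(fields.get("connevent", ""), kind)] += 1
    return tally

if __name__ == "__main__":
    for (event, kind), count in sorted(summarize(SAMPLE).items()):
        print(f"connevent={event!r:8} counters={kind:8} entries={count}")
```

Run against the real dump file, a tally in which every zero-counter record shares one `connevent` value narrows down where to look.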