In both the LogViewer and syslog entries, some source MAC addresses are recorded incorrectly. It appears there is a MAC parsing issue with the "0" character where it is sometimes omitted from the log entry. In all of the errant log entries I have seen, the missing character is always a "0". Also, it does not always occur - many log entries that have several "0s" in the MAC have some that print and others in the same MAC address that are omitted.
Reiterating - characters "1-F" always record properly in any position for any MAC - it is only the "0" that is omitted and then, only in some positions. The only constants are (1) that the missing character is always a "0"; and (2) the missing "0s" do not jump around nor sporadically re-appear. When they are missing in a given MAC in some positions, they will always be missing from that MAC in those positions. When the "0s" are present in a given MAC in certain positions, they are always present for that MAC in those positions.
I have attached examples from both the LogViewer and syslog below.
Missing single "0"
- This first set has a single missing "0". The correct MAC address for both of these entries is 406c.8fbb.e20e.
Dec 19 13:42:37 [ MASKED ] device="SFW" date=2017-12-19 time=13:42:37 timezone="PST" device_name="SFVH" device_id=[ MASKED ] log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=31 fw_rule_id=8 policy_type=2 user_name="[ MASKED ]" user_gp="[ MASKED ]" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="DNS" application_risk=1 application_technology="Network Protocol" application_category="Infrastructure" in_interface="Port1" out_interface="Port2" src_mac=40:6C:8F:BB:E2: E src_ip=[ MASKED ] src_country_code=R1 dst_ip=8.8.8.8 dst_country_code=USA protocol="UDP" src_port=51987 dst_port=53 sent_pkts=1 recv_pkts=1 sent_bytes=65 recv_bytes=160 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="652031680" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
Missing multiple "0s"
- This next set illustrates multiple missing "0s" - note that some print and others are omitted. The correct MAC address for both of these entries is bada.ce00.0702:
Dec 19 14:53:18 [ MASKED ] device="SFW" date=2017-12-19 time=14:53:18 timezone="PST" device_name="SFVH" device_id=[ MASKED ] log_id=010101600001 log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" priority=Information duration=184 fw_rule_id=3 policy_type=2 user_name="[ MASKED ]" user_gp="[ MASKED ]" iap=0 ips_policy_id=0 appfilter_policy_id=0 application="HTTP" application_risk=1 application_technology="Browser Based" application_category="General Internet" in_interface="Port1" out_interface="Port2" src_mac=BA:DA:CE: 0:07: 2 src_ip=[ MASKED ] src_country_code=R1 dst_ip=184.72.32.75 dst_country_code=USA protocol="TCP" src_port=50913 dst_port=80 sent_pkts=6 recv_pkts=4 sent_bytes=422 recv_bytes=252 tran_src_ip= tran_src_port=0 tran_dst_ip= tran_dst_port=0 srczonetype="LAN" srczone="LAN" dstzonetype="WAN" dstzone="WAN" dir_disp="" connevent="Stop" connid="573552736" vconnid="" hb_health="No Heartbeat" message="" appresolvedby="Signature"
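An ingestion-side workaround for the defect described in this post, added here as example code (not from the post or from the appliance vendor): it tokenizes the key=value body, matches src_mac in the degraded form shown in the two entries (a space or a lone hex digit where "0X" was expected), left-pads the short group and flags the event so that MAC-based correlation (DHCP leases, NAC allow-lists) can distinguish repaired values from exact ones. The sample lines are constructed and shortened from the two entries above; the field names are the appliance's, the function names are mine, and the padding rule assumes, as the post reports, that only a "0" ever goes missing.

```python
import re
import string

# key=value tokenizer for the SFW syslog body: a value is a double-quoted
# string (may contain spaces) or a run of non-space chars, possibly empty.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')

# src_mac as the appliance emits it: six colon-separated groups, where a group
# may hold a space or one hex digit where "0X" was expected ("E2: E", "CE: 0").
MAC_RE = re.compile(r'\bsrc_mac=((?:[ 0-9A-Fa-f]{1,2}:){5}[ 0-9A-Fa-f]{1,2})')

def normalize_mac(raw):
    """Return (canonical_mac, repaired). Assumes, as the post reports, that
    only a leading '0' ever goes missing, so short groups are left-padded."""
    groups = raw.split(':')
    if len(groups) != 6:
        raise ValueError(f'expected 6 groups, got {len(groups)}: {raw!r}')
    repaired, out = False, []
    for g in groups:
        digits = g.strip()
        if len(digits) > 2 or any(c not in string.hexdigits for c in digits):
            raise ValueError(f'bad MAC group {g!r} in {raw!r}')
        if len(digits) < 2:          # " E" -> "0E", " 0" -> "00"
            repaired, digits = True, digits.rjust(2, '0')
        out.append(digits.lower())
    return ':'.join(out), repaired

def parse_sfw_event(line):
    """Parse one line into a dict; src_mac is canonicalised and
    src_mac_repaired records whether the logged value had to be fixed."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = MAC_RE.search(line)
    if m:
        fields['src_mac'], fields['src_mac_repaired'] = normalize_mac(m.group(1))
    return fields

# Constructed sample lines, shortened from the post's two entries;
# 192.0.2.x source addresses are documentation addresses, not real hosts.
SAMPLE_LINES = [
    'Dec 19 13:42:37 fw1 device="SFW" log_type="Firewall" in_interface="Port1" '
    'src_mac=40:6C:8F:BB:E2: E src_ip=192.0.2.10 dst_ip=8.8.8.8 protocol="UDP" '
    'src_port=51987 dst_port=53 tran_src_ip= tran_src_port=0 dir_disp="" message=""',
    'Dec 19 14:53:18 fw1 device="SFW" log_type="Firewall" in_interface="Port1" '
    'src_mac=BA:DA:CE: 0:07: 2 src_ip=192.0.2.11 dst_ip=184.72.32.75 protocol="TCP" '
    'src_port=50913 dst_port=80 tran_src_ip= tran_src_port=0 dir_disp="" message=""',
]

if __name__ == '__main__':
    for ev in map(parse_sfw_event, SAMPLE_LINES):
        print(ev['src_mac'], 'repaired' if ev['src_mac_repaired'] else 'ok', ev['src_ip'])
```

Running it prints 40:6c:8f:bb:e2:0e and ba:da:ce:00:07:02, both marked repaired, which match the correct addresses given in the post.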