Copyright © 1996-2024 BalaSys IT Ltd.
Copyright © 2024 BalaSys IT Ltd.. All rights reserved. This document is protected by copyright and is distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of BalaSys.
This documentation and the product it describes are considered protected by copyright according to the applicable laws.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)
Linux™ is a registered trademark of Linus Torvalds.
Windows™ 10 is registered trademarks of Microsoft Corporation.
The BalaSys™ name and the BalaSys™ logo are registered trademarks of BalaSys IT Ltd.
The PNS™ name and the PNS™ logo are registered trademarks of BalaSys IT Ltd.
AMD Ryzen™ and AMD EPYC™ are registered trademarks of Advanced Micro Devices, Inc.
Intel® Core™ and Intel® Xeon™ are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
All other product names mentioned herein are the trademarks of their respective owners.
DISCLAIMER
BalaSys is not responsible for any third-party websites mentioned in this document. BalaSys does not endorse and is not responsible or liable for any content, advertising, products, or other material on or available from such sites or resources. BalaSys will not be responsible or liable for any damage or loss caused or alleged to be caused by or in connection with use of or reliance on any such content, goods, or services that are available on or through any such sites or resources.
February 29, 2024
Abstract
This document describes the log messages of PNS
Table of Contents
List of Procedures
Welcome to the Proxedo Network Security Suite 2 Log Messages Guide!
This document describes the log messages of the various PNS components. The messages of each component can be found in their respective chapters. The format of log messages is the following:
Class: The component that sent the log message. For example, core
Verbosity: The verbosity level of the log message. If the log level of the component is lower than the verbosity level of the message, the message is not displayed. For example, 2
Session ID: An identifier that helps to find the log messages related to a particular connection. For example, vela/intra_HTTP:1/http
Summary: A short description of the event that happened. This part of the message is static and ends with a semicolon (;). Also, this part of the message is used as the title of the section describing the log message in the PNS 2 Log Messages Guide. For example, Error connecting to remote host;
Dynamic part: The variables or parameter values that apply for the particular event. For example, error='Connection refused'
core.error(2): (vela/intra_HTTP:1/http): Error connecting to remote host; error='Connection refused'
^ ^ ^ ^
| | | |
+class(verbosity level) | |
| | |
+session_id | |
+Summary |
+Dynamic part
To enable , see Procedure 1, Single-line log message for connections.
Purpose:
PNS can log a single message for every connection that includes every relevant detail about the connection. That way, it is easy to find a specific connection, and also to process the connection data with external log analyzing tools. To enable logging a single message for every connection that includes every relevant detail about the connection, complete the following steps. This log message contains the following information:
session ID: ID number of the TCP session.
rule ID: The ID number of the firewall rule.
session start time (UNIX timestamp): Date when the connection started (UNIX timestamp).
session end time: Date when the connection was closed (UNIX timestamp).
client proto: The transport protocol used in the client-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on.
client IP: The IP address of the client.
client port: The port number of the client.
client zone: The zone the client belongs to.
server proto: The transport protocol used in the server-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on.
server IP: The IP address of the server connected by PNS.
server port: The port number of the server connected by PNS.
server zone: The zone the client belongs to.
client local IP address (after NAT): The IP address of PNS used in the client-side connection.
client local port (after NAT): The port number of PNS used in the client-side connection.
server local IP address (after NAT): The IP address of PNS used in the server-side connection.
server local port (after NAT): The port number of PNS used in the server-side connection.
verdict: Indicates what PNS decided about the connection.
ACCEPTED: PNS accepted the connection, and it was established without any problems.
DENIED_BY_CONNECTION_FAIL: Connection failed, that is, it was allowed to pass PNS but timed out on the server.
DENIED_BY_LIMIT: PNS rejected the connection because it exceeded the parameter of the instance, or the parameter of the service.
DENIED_BY_POLICY: PNS did not find a matching firewall rule for the connection.
DENIED_BY_UNKNOWN_FAIL: The connection failed for some reason.
NO_SERVICE_FOUND: PNS did not find a matching service for the parameters of the connection.
info: Additional information about the connection (if any).
core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='ACCEPTED', info='Ending forwarded session' core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='NO_SERVICE_FOUND', info='No applicable service found for this client & server zone, dropping packet'
Steps:
Login to your PNS host.
Execute the following commands:
echo 1 > /proc/sys/net/netfilter/kvela/log_session_verdict velactl log --logspec 'core:4'
Repeat this procedure on your other PNS firewall hosts.
Expected result:
When a connection ends, PNS logs a single-line log message about the connection, for example:
core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='REJECTED_BY_POLICY' info=''
This message indicates that the sender address was administratively prohibited and the request is rejected. Check the 'sender_matcher' attribute.
This message reports that the sender address check was successful and the request is accepted.
This message indicates that the email address local-part contains a percent sign and it is not permitted by the policy and the request is rejected. Check the 'permit_percent_hack' attribute.
This message indicates that the email address local-part contains a exclamation mark and it is not permitted by the policy and the request is rejected. Check the 'permit_exclamation_mark' attribute.
This message indicates that relaying the given address is not permitted by the policy and the request is rejected. Check the 'relay_check' attribute.
This message reports that the relay check was successful and the request is accepted.
This message indicates that the given recipient address is administratively prohibited and request is rejected. Check the 'recipient_matcher' attribute.
This message reports that the recipient check was successful and the request is accepted.
This message reports that the zone of the client is being checked.
This message reports that the domain name of the email is being checked.
This message indicates that the initialization function of the given instance was not found in the policy file.
This message reports that the given instance is stopping.
This message reports that the given instance is freeing its external resources (for example its kernel-level policy objects).
This message indicates that the remote port is bellow 1024 and due to the violation the connection is closed.
This message indicates that the remote port is bellow 1024 and due to the violation the connection is closed.
This message indicates that the server's remote port is not control_port-1 or 20 and due to the violation the connection is closed.
This message indicates an internal error, please contact the Balasys QA team (devel@balasys.hu).
This message reports that the NAT type and the old address before the NAT mapping occurs.
This message reports that the NAT type and the new address after the NAT mapping occurred.
This message indicates that the service lookup has failed for this session.
This message indicates that no applicable service was found for this client zone in the services cache. It is likely that there is no applicable service configured in this ZoneDispatcher at all. Check your ZoneDispatcher service configuration. @see: Dispatcher.ZoneDispatcher
This message indicates that no applicable service was found for this client zone. Check your ZoneDispatcher service configuration. @see: Dispatcher.ZoneDispatcher
This message indicates that no applicable service was found for this client zone in the services cache. It is likely that there is no applicable service configured in this CSZoneDispatcher at all. Check your CSZoneDispatcher service configuration. @see: Dispatcher.CSZoneDispatcher
This message indicates that no applicable service was found for this client zone. Check your CSZoneDispatcher service configuration. @see: Dispatcher.CSZoneDispatcher
This message indicates that a service trying to enter to the given zone was denied by the policy. Check that the destination zone is included in the target zone list of the service.
This message indicates that the given hostname could not be resolved. It could happen if the hostname is invalid or nonexistent, or it if your resolve setting are not well configured. Check your "/etc/resolv.conf"
This message indicates that the cache size(threshold) is reached, and cache is shifted. @see: Cache.ShiftCache
This message reports that a matching regexp pattern was found for the given string.
This message indicates that the file containing the match regexps cannot be opened. It is likely that the file does not exists or it is not permitted to read. @see: Matcher.RegexpFileMatcher
This message indicates that the file containing the ignore regexps cannot be opened. It is likely that the file does not exists or it is not permitted to read. @see: Matcher.RegexpFileMatcher
This message reports that the recipient address has been already checked and the cached information is used.
This message reports that the recipient address has not been already checked and it is going to be checked now directly.
This message indicates that the sender address was rejected during the recipient address verify check and the recipient address is rejected.
This message reports that the recipient address verify was successful and it is accepted.
This message reports that the recipient address verify was unsuccessful and it is rejected.
This message indicates that an SMTP error occurred during the recipient address verify and it is rejected.
This message indicates that the request was blocked by the URIFilter.
This message reports that a REQUIRED type Basic ACL rule is evaluated with the given result.
This message reports that every Basic ACL rule were evaluated with the given final result.
This message indicates that an error occurred during child proxy stacking. The stacking failed and the subsession is destroyed.
This message reports that a new proxy is about to be stacked under the current proxy, as a child proxy.
This message reports that the user authentication was successful.
This message indicates that the connection to the server succeeded.
This message indicates that the connection to the server can not be established, because no server address is set.
This message reports that the remote end is down and the down state of the remote end is stored, so connection is wont be tried to it within the timeout latter.
This message reports that the remote end is down, but the down state is not stored of the remote end, so connection will be tried to it next time.
This message reports that the remote end is down and the down state is stored of the remote end, so connection wont be tried within the timeout latter.
This message indicates that side stacking failed, because a socketPair creation is failed. It is likely that there is now resource available. Try increase fd limits.
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
Definitions
"Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
"Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
"Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.
"Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
"Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
"Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
"You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
"Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
"Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,
to Distribute and Publicly Perform the Work including as incorporated in Collections.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).
Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.
You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (for example a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
For the avoidance of doubt:
Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,
Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).
Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.
Representations, Warranties and Disclaimer UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Termination
This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
Miscellaneous
Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
© BalaSys IT Ltd.
Send your comments to: support@balasys.hu