1. Procedure – Single-line log message for connections
Purpose:
PNS can log a single message for every connection that contains all the relevant details. This makes it easy to locate a specific connection and simplifies processing the connection data with external log-analysis tools. To enable logging one message per connection with every relevant detail, complete the following steps. This log message contains the following information:
session ID: ID number of the TCP session.
rule ID: The ID number of the firewall rule.
session start time: Date when the connection started (UNIX timestamp).
session end time: Date when the connection was closed (UNIX timestamp).
client proto: The transport protocol used in the client-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on).
client IP: The IP address of the client.
client port: The port number of the client.
client zone: The zone the client belongs to.
server proto: The transport protocol used in the server-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on).
server IP: The IP address of the server connected by PNS.
server port: The port number of the server connected by PNS.
server zone: The zone the server belongs to.
client local IP address (after NAT): The IP address of PNS used in the client-side connection.
client local port (after NAT): The port number of PNS used in the client-side connection.
server local IP address (after NAT): The IP address of PNS used in the server-side connection.
server local port (after NAT): The port number of PNS used in the server-side connection.
verdict: Indicates what PNS decided about the connection.
ACCEPTED: PNS accepted the connection, and it was established without any problems.
DENIED_BY_CONNECTION_FAIL: Connection failed, that is, it was allowed to pass PNS but timed out on the server.
DENIED_BY_LIMIT: PNS rejected the connection because it exceeded the parameter of the instance, or the parameter of the service.
DENIED_BY_POLICY: PNS did not find a matching firewall rule for the connection.
DENIED_BY_UNKNOWN_FAIL: The connection failed for some reason.
NO_SERVICE_FOUND: PNS did not find a matching service for the parameters of the connection.
info: Additional information about the connection (if any).
core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='ACCEPTED', info='Ending forwarded session'
core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='NO_SERVICE_FOUND', info='No applicable service found for this client & server zone, dropping packet'
Steps:
Log in to your PNS host.
Execute the following command:
velactl log --logspec 'core:4'
Repeat this procedure on your other PNS firewall hosts.
Expected result:
When a connection ends, PNS logs a single-line log message about the connection, for example:
core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='REJECTED_BY_POLICY' info=''
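The summary line above is a fixed header followed by key='value' pairs, so it can be parsed field by field before being fed to a log-analysis tool. The following parser is an added example written for this page, not BalaSys code; it assumes the number after the service name is the session ID, uses constructed sample lines in the documented format, and picks out every connection whose verdict is not ACCEPTED.

```python
import re
from collections import Counter

# Constructed sample lines in the documented core.summary format (not real captures).
SAMPLE_LINES = [
    "core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='ACCEPTED', info='Ending forwarded session'",
    "core.summary(4): (svc/example_service_name:1235): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290231', client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone', server_proto='TCP', server_address='10.10.60.7', server_port='443', server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', server_local='10.10.60.253', server_local_port='55258', verdict='NO_SERVICE_FOUND', info='No applicable service found for this client & server zone, dropping packet'",
    "core.session(3): (svc/example_service_name:1236): some unrelated message",
]

# Header: "core.summary(<level>): (<service>:<session id>): Connection summary; <fields>"
# (assumption: the number after the service name is the session ID)
HEADER_RE = re.compile(
    r"^core\.summary\((?P<level>\d+)\): \((?P<service>[^:()]+):(?P<session_id>\d+)\): "
    r"Connection summary; (?P<fields>.*)$"
)
# Values may contain commas and '&', so match up to the closing quote
# instead of splitting on separators.
FIELD_RE = re.compile(r"(\w+)='([^']*)'")
INT_FIELDS = ("session_start", "session_end", "client_port", "server_port",
              "client_local_port", "server_local_port")


def parse_summary(line):
    """Return a dict for one connection summary line, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"service": m.group("service"), "session_id": int(m.group("session_id"))}
    rec.update(FIELD_RE.findall(m.group("fields")))  # list of (key, value) pairs
    for key in INT_FIELDS:
        if key in rec:
            rec[key] = int(rec[key])
    if "session_start" in rec and "session_end" in rec:
        rec["duration"] = rec["session_end"] - rec["session_start"]  # seconds
    return rec


def verdict_counts(lines):
    """Count verdicts over all summary lines; non-summary lines are ignored."""
    return Counter(r["verdict"] for r in map(parse_summary, lines) if r)


def not_accepted(lines):
    """Summaries whose verdict is not ACCEPTED, for review or alerting."""
    return [r for r in map(parse_summary, lines) if r and r["verdict"] != "ACCEPTED"]


if __name__ == "__main__":
    print(dict(verdict_counts(SAMPLE_LINES)))
    for r in not_accepted(SAMPLE_LINES):
        print(r["session_id"], r["verdict"], r["client_address"], "->",
              r["server_address"], r["server_port"], r["info"])
```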
© 2021 BalaSys IT Security.