1. Procedure – Single-line log message for connections

Purpose: 

Zorp can log a single message for every connection that includes every relevant detail about the connection. That way, it is easy to find a specific connection, and also to process the connection data with external log analyzing tools. To enable this single-message logging, complete the following steps. The log message contains the following information:

  • session ID: ID number of the TCP session.

  • rule ID: The ID number of the firewall rule.

  • session start time (UNIX timestamp): Date when the connection started (UNIX timestamp).

  • session end time: Date when the connection was closed (UNIX timestamp).

  • client proto: The transport protocol used in the client-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on).

  • client IP: The IP address of the client.

  • client port: The port number of the client.

  • client zone: The zone the client belongs to.

  • server proto: The transport protocol used in the server-side connection. This is the protocol used in the transport layer (Layer 4) of the OSI model (for example, TCP, UDP, ICMP, and so on).

  • server IP: The IP address of the server connected by Zorp.

  • server port: The port number of the server connected by Zorp.

  • server zone: The zone the server belongs to.

  • client local IP address (after NAT): The IP address of Zorp used in the client-side connection.

  • client local port (after NAT): The port number of Zorp used in the client-side connection.

  • server local IP address (after NAT): The IP address of Zorp used in the server-side connection.

  • server local port (after NAT): The port number of Zorp used in the server-side connection.

  • verdict: Indicates what Zorp decided about the connection.

    • ACCEPTED: Zorp accepted the connection, and it was established without any problems.

    • DENIED_BY_CONNECTION_FAIL: Connection failed, that is, it was allowed to pass Zorp but timed out on the server.

    • DENIED_BY_LIMIT: Zorp rejected the connection because it exceeded the Thread limit parameter of the instance, or the Limit concurrency parameter of the service.

    • DENIED_BY_POLICY: Zorp did not find a matching firewall rule for the connection.

    • DENIED_BY_UNKNOWN_FAIL: The connection failed for some reason.

    • NO_SERVICE_FOUND: Zorp did not find a matching service for the parameters of the connection.

  • info: Additional information about the connection (if any).

core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229',
client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone',
server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone',
client_local='10.10.1.10', client_local_port='55268',
server_local='10.10.60.253', server_local_port='55258',
verdict='ACCEPTED',
info='Ending forwarded session'

core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229',
client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone',
server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone',
client_local='10.10.1.10', client_local_port='55268',
server_local='10.10.60.253', server_local_port='55258',
verdict='NO_SERVICE_FOUND',
info='No applicable service found for this client & server zone, dropping packet'
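The summary line is easy to consume with external tools because every detail is a key='value' pair. The following parser, added here as an example and not part of Zorp or its documentation, extracts the service name, session ID and fields from such lines and counts verdicts per zone pair; the sample lines are constructed from the examples above (joined onto one line each, as Zorp emits them), and the field values are assumed to contain no apostrophes.

```python
import re
from collections import Counter

# Layout of the "Connection summary" line shown above: a core.summary prefix,
# "(svc/<service>:<session id>)", then key='value' pairs separated by commas
# or spaces (rule_id has no trailing comma in the documented example).
SUMMARY_RE = re.compile(
    r"core\.summary\(\d+\): \(svc/(?P<service>[^:]+):(?P<session_id>\d+)\): "
    r"Connection summary; (?P<fields>.*)$"
)
# Assumes values never contain an apostrophe; info='...' texts seen so far do not.
FIELD_RE = re.compile(r"(\w+)='([^']*)'")


def parse_summary(line):
    """Return the summary as a dict, or None if the line is not a summary line."""
    m = SUMMARY_RE.search(line)
    if not m:
        return None
    rec = {"service": m.group("service"), "session_id": m.group("session_id")}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Both timestamps are UNIX seconds, so the difference is the session duration.
    rec["duration"] = int(rec["session_end"]) - int(rec["session_start"])
    return rec


def verdict_counts(lines):
    """Count (client zone, server zone, verdict) triples; non-summary lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_summary(line)
        if rec is not None:
            counts[(rec["client_zone"], rec["server_zone"], rec["verdict"])] += 1
    return counts


# Constructed sample input modelled on the examples above (not real traffic).
SAMPLE_LOG = [
    "core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' "
    "session_start='1406290229', session_end='1406290231', client_proto='TCP', "
    "client_address='10.10.1.10', client_port='3394', client_zone='example-zone', "
    "server_proto='TCP', server_address='10.10.1.10', server_port='3394', "
    "server_zone='example-zone', client_local='10.10.1.10', client_local_port='55268', "
    "server_local='10.10.60.253', server_local_port='55258', verdict='ACCEPTED', "
    "info='Ending forwarded session'",
    "core.summary(4): (svc/example_service_name:1235): Connection summary; rule_id='N/A' "
    "session_start='1406290229', session_end='1406290229', client_proto='TCP', "
    "client_address='10.10.1.10', client_port='3395', client_zone='example-zone', "
    "server_proto='TCP', server_address='10.10.1.10', server_port='3394', "
    "server_zone='example-zone', client_local='10.10.1.10', client_local_port='55269', "
    "server_local='10.10.60.253', server_local_port='55259', verdict='NO_SERVICE_FOUND', "
    "info='No applicable service found for this client & server zone, dropping packet'",
    "core.info(3): (svc/example_service_name:1234): unrelated line, ignored by the parser",
]
```

Denied verdicts grouped by zone pair, as `verdict_counts` produces them, are a convenient starting point for spotting policy gaps or scanning activity between zones.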

Steps: 

  1. Log in to your Zorp host.

  2. Execute the following commands:

    echo 1 > /proc/sys/net/netfilter/kzorp/log_session_verdict
    zorpctl log --logspec 'core:4'

  3. Repeat this procedure on your other Zorp firewall hosts.

    Expected result: 

    When a connection ends, Zorp logs a single-line log message about the connection, for example:

    core.summary(4): (svc/example_service_name:1234): Connection summary; rule_id='N/A' session_start='1406290229', session_end='1406290229',
    client_proto='TCP', client_address='10.10.1.10', client_port='3394', client_zone='example-zone',
    server_proto='TCP', server_address='10.10.1.10', server_port='3394', server_zone='example-zone',
    client_local='10.10.1.10', client_local_port='55268',
    server_local='10.10.60.253', server_local_port='55258',
    verdict='REJECTED_BY_POLICY'
    info=''