Define logging options for Access rules

Access rules can create a log or alert entry each time they match.

By default, logging options set in a previous Access rule with Continue as its action are used. If no such rule exists, Firewalls, Virtual Firewalls, Layer 2 Firewalls, and Virtual Layer 2 Firewalls log the connections by default. IPS engines and Virtual IPS engines do not log the connections by default. Each individual rule can be set to override the default values.

Note: Log pruning might override the logging options by deleting any number of generated log entries when they are received at the Log Server.

Logging for the closing of the connection can be turned on or off, or on with accounting information. You must collect accounting information if you want to create reports that are based on traffic volumes.

When the Log Server is unavailable, log entries are temporarily stored on the engine. When the engine is running out of space to store the log entries, it begins discarding log data in the order of importance. Monitoring data is discarded first, followed by log entries marked as Transient and Stored, and finally log entries marked as Essential. The Alert entries are the last log entries to be discarded. The settings for storing the logs temporarily on the engine are defined in the engine's log spooling policy.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Double-click the Logging cell.
  2. Set the options.
  3. Click OK.

Logging - Select Rule Options dialog box

Use this dialog box to define Access rule logging options.

Option Definition
Override Settings Inherited from Continue Rule(s) When selected, overrides settings defined in Continue rules higher up in the policy.
Log Level Select one of these options:
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert When the Log Level is set to Alert, specifies the Alert that is sent.
Severity When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Connection Closing Select one of these options:
  • No log — No log entries are created when connections are closed.
  • Normal log — Both connection opening and closing are logged, but no information is collected on the volume of traffic.
  • Log Accounting Information — Both connection opening and closing are logged and information on the volume of traffic is collected. The Connection Closing option is not available for rules that issue Alerts.

    If you want to create reports that are based on traffic volume, you must select this option for all rules that allow traffic that you want to include in the reports.

    If you want to forward log data in the NetFlow or IPFIX format from the Log Server to a third-party device, you must select this option in the rule that creates the log data.

Compress Logs When enabled, creates a single log entry that contains information about the total number of the generated log entries when the limits defined in the Max Log Rate or Max Burst Size are reached. After the single log entry is created, logging returns to normal and all generated entries are logged and shown separately.
  • Don't Compress — Log compression is disabled.
  • Compress only Access Logs — Only logs generated by Access rules are compressed.
  • Compress also Inspection Logs — Logs generated by Access rules and Inspection rules are compressed.
Max Log Rate The maximum number of separately logged entries per second.
Max Burst Size The maximum number of separately logged entries.
Logging Enforcements Options that control what information is included in the log data.
Log User Information
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Information about Users is included in the log data if information about the User is cached for the connection. Otherwise, only the IP address associated with the User at the time the log is created is included in the log data. Access control by user must be enabled.
  • Off — Information about Users is not included in the log data.
  • Enforced — Information about Users is always included in the log data if information about the User is available in the user database. If information about the User is not cached for the connection, the NGFW Engine resolves the User information from the IP address. Access control by user must be enabled.
Log Network Applications
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Information about Application detection is included in the log data if the information is available without additional inspection.
  • Off — Information about Application detection is not included in the log data.
    Note: This does not disable Application detection in the Access rules.
  • Enforced — Information about Application detection is always included in the log data if the Application can be identified. Even if Deep Inspection is not enabled, the NGFW Engine may send matching connections for checking against the Inspection Policy to identify the Application. TLS connections may be decrypted if this is necessary to identify the Application.
    Note:

    If TLS Credentials or a Client Protection Certificate Authority have been uploaded to the NGFW Engine, selecting Enforced may enable the decryption of the following TLS traffic:

    • TLS traffic from Applications that cannot be identified based on cached Application information
    • TLS traffic that matches an Access rule that enables Deep Inspection if the Service cell contains an Application or a Service that does not include a Protocol Agent
    • TLS traffic for which there is no TLS Match with the Deny Decrypting option that excludes the traffic from TLS Inspection.

Other TLS traffic is decrypted only if an Access rule enables decryption and there is no TLS Match with the Deny Decrypting option that excludes the traffic from TLS Inspection.

Log URL Categories Enables the logging of the URL categories that the traffic matches.
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — URL categories are included in the log data for matching traffic when URL Categories are used as matching criteria in the rule.
  • Off — URL categories are not included in the log data.
  • Enforced — URL categories are always included in the log data if the URL category can be identified.
Log Endpoint Information

Enables the logging of endpoint information.

  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Endpoint information is included in the log data for matching traffic when endpoint information is used as matching criteria in the rule.
  • Off — Endpoint information is not included in the log data.
  • Enforced — Endpoint information is always included in the log data if the endpoint information can be identified.
Store Additional Protocol Details
  • Inherited from Continue Rule(s) — Additional protocol details are included in the log data for matching traffic according to settings defined in Continue rules higher up in the policy.
  • On — Additional protocol details are included in the log data for matching traffic.
  • Off —Additional protocol details are not included in the log data.