Enable logging of endpoint information

Logging of endpoint information allows you to view endpoint client information and users in log data and Report elements.

By default, endpoint information is logged when it is used for matching in the Access rules. You can optionally set endpoint information to be logged whenever it is received.

For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Open the policy for editing.
  2. In an Access rule where Endpoint Application or Endpoint Settings elements are used, double-click the Logging cell.
  3. Make sure Override Recording Settings Inherited from Continue Rule(s) is enabled.
  4. In the Log User Information and Log Endpoint Information drop-down lists, select the appropriate logging option.
    Note: In order to log user information, both Log User Information and Log Endpoint Information must be set to Enforced.
  5. Click OK.
  6. Save and install the policy to transfer the changes to the engines.

Logging - Select Rule Options dialog box

Use this dialog box to define Access rule logging options.

Options and their definitions:

Override Settings Inherited from Continue Rule(s)
  When selected, overrides settings defined in Continue rules higher up in the policy.
Log Level
  Select one of these options:
  • None — Does not create any log entry.
  • Transient — Creates a log entry that is displayed in the Current Events mode in the Logs view, but is not stored.
  • Stored — Creates a log entry that is stored on the Log Server.
  • Essential — Creates a log entry that is shown in the Logs view and saved for further use.
  • Alert — Triggers the alert you select.
Alert
  When the Log Level is set to Alert, specifies the Alert that is sent.
Severity
  When the Log Level is set to Alert, allows you to override the severity defined in the Alert element.
Connection Closing
  Select one of these options:
  • No log — No log entries are created when connections are closed.
  • Normal log — Both connection opening and closing are logged, but no information is collected on the volume of traffic.
  • Log Accounting Information — Both connection opening and closing are logged, and information on the volume of traffic is collected.

    If you want to create reports that are based on traffic volume, you must select this option for all rules that allow traffic that you want to include in the reports.

    If you want to forward log data in the NetFlow or IPFIX format from the Log Server to a third-party device, you must select this option in the rule that creates the log data.

  The Connection Closing option is not available for rules that issue Alerts.
Compress Logs
  When enabled, creates a single log entry that contains information about the total number of generated log entries when the limits defined in Max Log Rate or Max Burst Size are reached. After the single log entry is created, logging returns to normal and all generated entries are logged and shown separately.
  • Don't Compress — Log compression is disabled.
  • Compress only Access Logs — Only logs generated by Access rules are compressed.
  • Compress also Inspection Logs — Logs generated by Access rules and Inspection rules are compressed.
Max Log Rate
  The maximum number of separately logged entries per second.
Max Burst Size
  The maximum number of separately logged entries.
Logging Enforcements
  Options that control what information is included in the log data.
Log User Information
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Information about Users is included in the log data if information about the User is cached for the connection. Otherwise, only the IP address associated with the User at the time the log is created is included in the log data. Access control by user must be enabled.
  • Off — Information about Users is not included in the log data.
  • Enforced — Information about Users is always included in the log data if information about the User is available in the user database. If information about the User is not cached for the connection, the NGFW Engine resolves the User information from the IP address. Access control by user must be enabled.
Log Network Applications
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Information about Application detection is included in the log data if the information is available without additional inspection.
  • Off — Information about Application detection is not included in the log data.
    Note: This does not disable Application detection in the Access rules.
  • Enforced — Information about Application detection is always included in the log data if the Application can be identified. Even if Deep Inspection is not enabled, the NGFW Engine may send matching connections for checking against the Inspection Policy to identify the Application. TLS connections may be decrypted if this is necessary to identify the Application.
    Note: If TLS Credentials or a Client Protection Certificate Authority have been uploaded to the NGFW Engine, selecting Enforced may enable the decryption of the following TLS traffic:
    • TLS traffic from Applications that cannot be identified based on cached Application information
    • TLS traffic that matches an Access rule that enables Deep Inspection if the Service cell contains an Application or a Service that does not include a Protocol Agent
    • TLS traffic for which there is no TLS Match with the Deny Decrypting option that excludes the traffic from TLS Inspection.
    Other TLS traffic is decrypted only if an Access rule enables decryption and there is no TLS Match with the Deny Decrypting option that excludes the traffic from TLS Inspection.

Log URL Categories
  Enables the logging of the URL categories that the traffic matches.
  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — URL categories are included in the log data for matching traffic when URL Categories are used as matching criteria in the rule.
  • Off — URL categories are not included in the log data.
  • Enforced — URL categories are always included in the log data if the URL category can be identified.
Log Endpoint Information
  Enables the logging of endpoint information.

  • Inherited from Continue Rule(s) — Information is included in the log data according to settings defined in Continue rules higher up in the policy.
  • Default — Endpoint information is included in the log data for matching traffic when endpoint information is used as matching criteria in the rule.
  • Off — Endpoint information is not included in the log data.
  • Enforced — Endpoint information is always included in the log data if the endpoint information can be identified.
Store Additional Protocol Details
  • Inherited from Continue Rule(s) — Additional protocol details are included in the log data for matching traffic according to settings defined in Continue rules higher up in the policy.
  • On — Additional protocol details are included in the log data for matching traffic.
  • Off — Additional protocol details are not included in the log data.
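The following Python model is added here as an illustration and is not product code or part of the original documentation. It shows how the Inherited from Continue Rule(s) choices and the override check box combine across a policy; the ordering semantics it assumes (the nearest Continue rule above supplies inherited values, Continue rules themselves inherit from earlier ones, and the built-in value with no Continue rule above is Default) are assumptions made for the illustration.

```python
# Added illustration (not Forcepoint/NGFW code) of how a rule's Logging Enforcement
# options resolve against Continue rules higher up in the policy.
# Assumed semantics: a rule whose override check box is cleared, or whose option is
# left as "Inherited from Continue Rule(s)", takes that option's value from the
# nearest Continue rule above it; Continue rules themselves inherit from earlier
# Continue rules; with no Continue rule above, the built-in value is "Default".
from dataclasses import dataclass, field

INHERITED = "Inherited from Continue Rule(s)"
BUILT_IN = "Default"
ENFORCEMENTS = (
    "Log User Information",
    "Log Network Applications",
    "Log URL Categories",
    "Log Endpoint Information",
)


@dataclass
class AccessRule:
    name: str
    action: str                      # "Continue", "Allow", "Discard", ...
    override: bool = False           # "Override Settings Inherited from Continue Rule(s)"
    enforcements: dict = field(default_factory=dict)  # option name -> selected value


def resolve_enforcements(rules):
    """Return {rule name: {option: effective value}} for every rule, walking top-down."""
    inherited = {opt: BUILT_IN for opt in ENFORCEMENTS}
    effective_by_rule = {}
    for rule in rules:
        effective = {}
        for opt in ENFORCEMENTS:
            chosen = rule.enforcements.get(opt, INHERITED) if rule.override else INHERITED
            effective[opt] = inherited[opt] if chosen == INHERITED else chosen
        effective_by_rule[rule.name] = effective
        if rule.action == "Continue":
            # A Continue rule updates what the rules below it inherit.
            inherited = dict(effective)
    return effective_by_rule


# Constructed sample policy (hypothetical rule names and settings).
SAMPLE_POLICY = [
    AccessRule("C1", "Continue", True, {"Log User Information": "Enforced"}),
    AccessRule("R1", "Allow"),  # override cleared: inherits every option
    AccessRule("C2", "Continue", True, {"Log User Information": "Off",
                                        "Log Endpoint Information": "Enforced"}),
    AccessRule("R2", "Allow", True, {"Log Endpoint Information": INHERITED,
                                     "Log URL Categories": "Enforced"}),
]

if __name__ == "__main__":
    for name, eff in resolve_enforcements(SAMPLE_POLICY).items():
        print(name, eff)
```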