Logging IP address threat feeds in sniffer mode
In sniffer mode, you can record traffic logs each time a source or destination address matches an IP address on an external threat feed.
    config firewall sniffer
        edit <id>
            set logtraffic all
            set interface <interface>
            set ip-threatfeed-status {enable | disable}
            set ip-threatfeed <threat feed> ...
        next
    end

| Setting | Description |
| --- | --- |
| ip-threatfeed-status {enable \| disable} | Enable/disable the IP threat feed. |
| ip-threatfeed <threat feed> ... | The name of an existing IP threat feed. |
When the IP matches multiple threat feeds, the sniffer log will use the last external connector in the configuration, which is different from the normal firewall policy log that uses the first external connector in the configuration.
When the threat feed is enabled and configured in a sniffer policy, any traffic whose IP matches the threat feed produces a traffic log, regardless of whether logtraffic is set to all or to utm.
To configure a sniffer policy to log the threat feed:
- Enable inserting address UUIDs in traffic logs:

      config system global
          set log-uuid-address enable
      end

- Configure the sniffer policy:

      config firewall sniffer
          edit 1
              set logtraffic all
              set ipv6 enable
              set interface "port3"
              set ip-threatfeed-status enable
              set ip-threatfeed "g-source"
          next
      end
Sample log
1: date=2021-01-26 time=15:51:37 eventtime=1611705097880421908 tz="-0800" logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" srcip=10.1.100.12 srcport=34604 srcintf="port3" srcintfrole="undefined" dstip=172.16.200.55 dstport=80 dstintf="port3" dstintfrole="undefined" srcthreatfeed="g-source" srccountry="Reserved" dstcountry="Reserved" sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"
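As an added example (not part of the FortiOS documentation and not Fortinet's code), the following Python parses FortiGate key=value log lines such as the sample above and flags sniffer traffic logs that carry a threat feed match. The first input line is the sample log from this page; the second is constructed to show a sniffer log with no threat feed hit. The destination-side field name dstthreatfeed is an assumption mirroring srcthreatfeed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Input lines: the first is the sample sniffer log from the page (leading "1:"
# prompt dropped); the second is CONSTRUCTED for contrast and has no threat feed field.
SAMPLE_LOGS = [
    'date=2021-01-26 time=15:51:37 eventtime=1611705097880421908 tz="-0800" '
    'logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" '
    'srcip=10.1.100.12 srcport=34604 srcintf="port3" srcintfrole="undefined" '
    'dstip=172.16.200.55 dstport=80 dstintf="port3" dstintfrole="undefined" '
    'srcthreatfeed="g-source" srccountry="Reserved" dstcountry="Reserved" '
    'sessionid=30384 proto=6 action="accept" policyid=1 policytype="sniffer" '
    'service="HTTP" trandisp="snat" transip=0.0.0.0 transport=0 duration=0 '
    'sentbyte=0 rcvdbyte=0 sentpkt=0 rcvdpkt=0 appcat="unscanned"',
    # Constructed: same sniffer policy, no threat feed match, must not be flagged.
    'date=2021-01-26 time=15:52:01 eventtime=1611705121000000000 tz="-0800" '
    'logid="0004000017" type="traffic" subtype="sniffer" level="notice" vd="vd1" '
    'srcip=10.1.100.20 srcport=40000 srcintf="port3" srcintfrole="undefined" '
    'dstip=172.16.200.55 dstport=443 dstintf="port3" dstintfrole="undefined" '
    'sessionid=30390 proto=6 action="accept" policyid=1 policytype="sniffer" '
    'service="HTTPS"',
]

# One key=value token; values are either double-quoted (may contain spaces)
# or bare (run to the next whitespace).
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def threat_feed_match(fields: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (direction, feed name) when the log records a threat feed hit.

    srcthreatfeed is the field shown on the page; dstthreatfeed is ASSUMED
    to be the destination-side counterpart.
    """
    for direction, key in (("src", "srcthreatfeed"), ("dst", "dstthreatfeed")):
        if key in fields:
            return direction, fields[key]
    return None


def find_threat_feed_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Keep only sniffer traffic logs that matched an IP threat feed."""
    hits = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "traffic" or f.get("subtype") != "sniffer":
            continue
        match = threat_feed_match(f)
        if match is None:
            continue
        direction, feed = match
        hits.append({
            "sessionid": f.get("sessionid", ""),
            "direction": direction,
            "feed": feed,
            # The address that matched the feed, and the other end of the flow.
            "ip": f["srcip"] if direction == "src" else f["dstip"],
            "peer": f["dstip"] if direction == "src" else f["srcip"],
            "service": f.get("service", ""),
            "vd": f.get("vd", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in find_threat_feed_hits(SAMPLE_LOGS):
        print(f"session {hit['sessionid']}: {hit['direction']} {hit['ip']} "
              f"matched feed '{hit['feed']}' talking to {hit['peer']} ({hit['service']})")
```

When correlating these events downstream, remember the note above: an IP that appears on several feeds is logged by the sniffer policy under the last external connector in the configuration, while a normal firewall policy log names the first, so the feed name should be treated as "matched at least this feed" rather than a unique identity for the indicator.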