Fortinet white logo
Fortinet white logo

Hyperscale Firewall Guide

Hardware logging for hyperscale firewall polices that block sessions

Hardware logging for hyperscale firewall polices that block sessions

Hardware logging supports the following features related to hyperscale firewall policies that block sessions, that is hyperscale firewall policies with action set to deny:

  • You can enable hardware logging for hyperscale firewall policies with action set to deny. Hardware logging creates a log message for each session that is blocked.

  • Hardware session information includes information about whether the session blocked traffic. For example, when displaying session information from the CLI, a field similar to the following appears to indicate that the session blocked traffic: Session action (DROP/TO-HOST): DROP.

Hardware log messages indicate if the session accepted or denied traffic. For example:

  • Example log messages for a policy that accepts traffic:

    Oct 5 23:29:33 172.16.200.26 date=2022-10-06 time=02:29:32 sn=F2K61FTK21900840 vd=cgn-hw1 pid=805306369 type=sess act=start tran=snat proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40836 dport=80 nsip=172.16.201.182 ndip=172.16.200.155 nsport=8117 ndport=80 sentp=0 sentb=0 rcvdp=0 rcvdb=0

    Oct 5 23:29:36 172.16.200.26 date=2022-10-06 time=02:29:35 sn=F2K61FTK21900840 vd=cgn-hw1 pid=805306369 type=sess act=end tran=snat proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40836 dport=80 nsip=172.16.201.182 ndip=172.16.200.155 nsport=8117 ndport=80 dur=2936 sentp=6 sentb=398 rcvdp=4 rcvdb=1307

    Decimal version of the pid = 805306369

    Binary version of the pid = 0011 0000 0000 0000 0000 0000 0000 0001

    pid[30] is ‘0’ for accept action (count from bit0 to bit31 and right to left)

  • Example log messages for a policy that blocks or denies traffic:

    Oct 5 23:31:49 172.16.200.26 date=2022-10-06 time=02:31:49 sn=F2K61FTK21900840 vd=cgn-hw1 pid=1946157057 type=sess act=start tran=none proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40837 dport=80 nsip=10.1.100.11 ndip=172.16.200.155 nsport=40837 ndport=80 sentp=0 sentb=0 rcvdp=0 rcvdb=0

    Oct 5 23:32:02 172.16.200.26 date=2022-10-06 time=02:32:01 sn=F2K61FTK21900840 vd=cgn-hw1 pid=1946157057 type=sess act=end tran=none proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40837 dport=80 nsip=10.1.100.11 ndip=172.16.200.155 nsport=40837 ndport=80 dur=12719 sentp=2 sentb=120 rcvdp=0 rcvdb=0

    Decimal version of the pid = 1946157057

    Binary version of the pid = 0111 0100 0000 0000 0000 0000 0000 0001

    pid[30] is ‘1’ for deny action (count from bit0 to bit31 and right to left)

Hardware logging for hyperscale firewall polices that block sessions

Hardware logging for hyperscale firewall polices that block sessions

Hardware logging supports the following features related to hyperscale firewall policies that block sessions, that is hyperscale firewall policies with action set to deny:

  • You can enable hardware logging for hyperscale firewall policies with action set to deny. Hardware logging creates a log message for each session that is blocked.

  • Hardware session information includes information about whether the session blocked traffic. For example, when displaying session information from the CLI, a field similar to the following appears to indicate that the session blocked traffic: Session action (DROP/TO-HOST): DROP.

Hardware log messages indicate if the session accepted or denied traffic. For example:

  • Example log messages for a policy that accepts traffic:

    Oct 5 23:29:33 172.16.200.26 date=2022-10-06 time=02:29:32 sn=F2K61FTK21900840 vd=cgn-hw1 pid=805306369 type=sess act=start tran=snat proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40836 dport=80 nsip=172.16.201.182 ndip=172.16.200.155 nsport=8117 ndport=80 sentp=0 sentb=0 rcvdp=0 rcvdb=0

    Oct 5 23:29:36 172.16.200.26 date=2022-10-06 time=02:29:35 sn=F2K61FTK21900840 vd=cgn-hw1 pid=805306369 type=sess act=end tran=snat proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40836 dport=80 nsip=172.16.201.182 ndip=172.16.200.155 nsport=8117 ndport=80 dur=2936 sentp=6 sentb=398 rcvdp=4 rcvdb=1307

    Decimal version of the pid = 805306369

    Binary version of the pid = 0011 0000 0000 0000 0000 0000 0000 0001

    pid[30] is ‘0’ for accept action (count from bit0 to bit31 and right to left)

  • Example log messages for a policy that blocks or denies traffic:

    Oct 5 23:31:49 172.16.200.26 date=2022-10-06 time=02:31:49 sn=F2K61FTK21900840 vd=cgn-hw1 pid=1946157057 type=sess act=start tran=none proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40837 dport=80 nsip=10.1.100.11 ndip=172.16.200.155 nsport=40837 ndport=80 sentp=0 sentb=0 rcvdp=0 rcvdb=0

    Oct 5 23:32:02 172.16.200.26 date=2022-10-06 time=02:32:01 sn=F2K61FTK21900840 vd=cgn-hw1 pid=1946157057 type=sess act=end tran=none proto=6 ipold=v4 ipnew=v4 sip=10.1.100.11 dip=172.16.200.155 sport=40837 dport=80 nsip=10.1.100.11 ndip=172.16.200.155 nsport=40837 ndport=80 dur=12719 sentp=2 sentb=120 rcvdp=0 rcvdb=0

    Decimal version of the pid = 1946157057

    Binary version of the pid = 0111 0100 0000 0000 0000 0000 0000 0001

    pid[30] is ‘1’ for deny action (count from bit0 to bit31 and right to left)