What does a successful network connection from firewall mean?
Action = Allow
Event Category Name = Network.Connections.Successful
Event Activity = Permit
Device = Firewall
Src IP = Internal IP
Dst IP = Public IP
Dst Port = PortNo.
In such a situation, what exactly does it mean - has the internal IP successfully connected to portno. on public IP, or has the firewall merely allowed the request/probe from the internal IP to go through unimpeded to the public IP?
Can such logs from the firewall tell us, that a connection was established between the 2 servers, or does it simply tell us that the internal IP's request was forwarded to the public IP, however, what happened with the request thereafter is unknown (from this particular event log).
Please help clarify.
- Community Thread
- Forum Thread
- netwitness alerts
- netwitness investigation
- netwitness logs & netwitness
- NetWitness Platform
- RSA NetWitness
- RSA NetWitness Platform
- sa alerts
- SA IM
- sa investigation
What type of firewall is this? The reason I ask is that with Cisco there are two types of messages. A build and a teardown. The build is the intention and the teardown is the actual result.
Also typically I will also look at the bytes sent and received. 0 bytes received shows me the connection was not successful
It's a Palo Alto firewall.
I don't see any bytes received in these event logs - although the bytes (sent) certainly have value, anywhere from around 100 to 1 million bytes.
Here's what I get in the event logs from PA FW -
action, alert_id, analysis_session, bytes, bytes_src, category, city_dst, country_dst, country_src, device_class, device_group, device_ip, device_type, did, direction, duration_time, ec_activity, , ec_theme, esa_time, event_cat_name, event_source_id, event_time, feed_name, filter, forward_ip, header_id, inv_category, inv_context, ip_dst, ip_dstport,
ip_src, lc_cid, level, medium, msg_id, netname, org_dst, policy_name, result, rid, sessionid, size, time, vsys
There is however a size variable being recorded as well, which also does have a value, although I'm not sure if it's in bytes and whether it is recording the response. Also, what I've noticed from a couple of alerts - the value of size doesn't seem to vary much across the events, pretty static at around 570 - 580.
You can not use the "size" key as that's the size of the log message.
In looking at some of my PA logs I see the following in my Traffic Logs:
May 3 14:55:45 PA-VM 1,2018/05/03 14:55:44,007251111087537,TRAFFIC,end,1,2018/05/03 14:55:44,192.168.30.11,220.127.116.11,18.104.22.168,22.214.171.124,Outbound Traffic,,,splashtop-remote,vsys1,Internal,Internet,ethernet1/2,ethernet1/1,Netwitness,2018/05/03 14:55:44,424,1,64292,443,63217,443,0x40004d,tcp,allow,13636,1535,12101,26,2018/05/03 14:54:13,61,computer-and-internet-info,0,208,0x0,192.168.0.0-192.168.255.255,United States,0,12,14,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A
(bytes) Bytes= 13636
(bytes.src)Send Bytes= 1535
(rbytes) Receive Bytes=12101
Threat,URL logs do not have byte counts
Okay, I do see something similar in the raw logs.
... ,tcp,allow,99267,2660,96607, ...
So the Event Meta is as follows
bytes = 99267
bytes src = 2660
These keys I take it are not indexed, but enabled for tagging, right?
What I don't see in the Event Meta is the rbytes key. As you've stated above, rbytes should = 96607, which essentially means this is an established connection, correct?
Also, the default built-in paloaltonetworks parser is not tagging rbytes, in my case, right?
if you are asking what the log message from PaloAlto means for session connections etc, that would be a question for your PA rep/forum. There is a listing on their site for log messages, ID messages etc with a description of what they mean. RSA accepts those messages and tags them in the SIEM.
As for what that means for the firewall (accept, connect, timeout) those are PaloAlto questions.