AnsweredAssumed Answered

What does a successful network connection from firewall mean?

Question asked by Visham Rawat on Aug 14, 2018
Latest reply on Aug 15, 2018 by Eric Partington

Like • Show 0 Likes0
Comment • 5

Action = Allow

Event Category Name = Network.Connections.Successful

Event Activity = Permit

Device = Firewall

Src IP = Internal IP

Dst IP = Public IP

Dst Port = PortNo.

In such a situation, what exactly does it mean - has the internal IP successfully connected to portno. on public IP, or has the firewall merely allowed the request/probe from the internal IP to go through unimpeded to the public IP?

Can such logs from the firewall tell us, that a connection was established between the 2 servers, or does it simply tell us that the internal IP's request was forwarded to the public IP, however, what happened with the request thereafter is unknown (from this particular event log).

Please help clarify.

No one else has this question

Outcomes

5 Replies

Dave Glover Aug 14, 2018 11:44 AM
Mark Correct
Correct Answer
What type of firewall is this? The reason I ask is that with Cisco there are two types of messages. A build and a teardown. The build is the intention and the teardown is the actual result.

Also typically I will also look at the bytes sent and received. 0 bytes received shows me the connection was not successful
Like • Show 0 Likes0
Actions
- Visham Rawat @ Dave Glover on Aug 14, 2018 11:59 AM
  Mark Correct
  Correct Answer
  Hi Dave,
  
  It's a Palo Alto firewall.
  
  I don't see any bytes received in these event logs - although the bytes (sent) certainly have value, anywhere from around 100 to 1 million bytes.
  
  Here's what I get in the event logs from PA FW -
  action, alert_id, analysis_session, bytes, bytes_src, category, city_dst, country_dst, country_src, device_class, device_group, device_ip, device_type, did, direction, duration_time, ec_activity, , ec_theme, esa_time, event_cat_name, event_source_id, event_time, feed_name, filter, forward_ip, header_id, inv_category, inv_context, ip_dst, ip_dstport,
  ip_src, lc_cid, level, medium, msg_id, netname, org_dst, policy_name, result, rid, sessionid, size, time, vsys
  
  There is however a size variable being recorded as well, which also does have a value, although I'm not sure if it's in bytes and whether it is recording the response. Also, what I've noticed from a couple of alerts - the value of size doesn't seem to vary much across the events, pretty static at around 570 - 580.
  Like • Show 0 Likes0
  Actions
  - Dave Glover @ Visham Rawat on Aug 14, 2018 12:12 PM
    Mark Correct
    Correct Answer
    You can not use the "size" key as that's the size of the log message.
    
    In looking at some of my PA logs I see the following in my Traffic Logs:
    
    May 3 14:55:45 PA-VM 1,2018/05/03 14:55:44,007251111087537,TRAFFIC,end,1,2018/05/03 14:55:44,192.168.30.11,13.57.149.247,66.140.62.11,13.57.149.247,Outbound Traffic,,,splashtop-remote,vsys1,Internal,Internet,ethernet1/2,ethernet1/1,Netwitness,2018/05/03 14:55:44,424,1,64292,443,63217,443,0x40004d,tcp,allow,13636,1535,12101,26,2018/05/03 14:54:13,61,computer-and-internet-info,0,208,0x0,192.168.0.0-192.168.255.255,United States,0,12,14,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A
    
    (bytes) Bytes= 13636
    (bytes.src)Send Bytes= 1535
    (rbytes) Receive Bytes=12101
    
    Threat,URL logs do not have byte counts
    Like • Show 1 Like1
    Actions
    - Visham Rawat @ Dave Glover on Aug 15, 2018 9:25 AM
      Mark Correct
      Correct Answer
      Okay, I do see something similar in the raw logs.
      ... ,tcp,allow,99267,2660,96607, ...
      
      So the Event Meta is as follows
      bytes = 99267
      bytes src = 2660
      
      These keys I take it are not indexed, but enabled for tagging, right?
      
      What I don't see in the Event Meta is the rbytes key. As you've stated above, rbytes should = 96607, which essentially means this is an established connection, correct?
      
      Also, the default built-in paloaltonetworks parser is not tagging rbytes, in my case, right?
      Like • Show 0 Likes0
      Actions
Eric Partington Aug 15, 2018 3:10 PM
Mark Correct
Correct Answer
if you are asking what the log message from PaloAlto means for session connections etc, that would be a question for your PA rep/forum. There is a listing on their site for log messages, ID messages etc with a description of what they mean. RSA accepts those messages and tags them in the SIEM.

As for what that means for the firewall (accept, connect, timeout) those are PaloAlto questions.

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/use-syslog-for-monitoring/syslog-field-descriptions
Like • Show 0 Likes0
Actions

What does a successful network connection from firewall mean?

Outcomes

Related Content

Recommended Content