Action = Allow
Event Category Name = Network.Connections.Successful
Event Activity = Permit
Device = Firewall
Src IP = Internal IP
Dst IP = Public IP
Dst Port = PortNo.
In such a situation, what exactly does it mean - has the internal IP successfully connected to portno. on public IP, or has the firewall merely allowed the request/probe from the internal IP to go through unimpeded to the public IP?
Can such logs from the firewall tell us that a connection was established between the 2 servers, or do they simply tell us that the internal IP's request was forwarded to the public IP, while what happened with the request thereafter is unknown (from this particular event log)?
Please help clarify.
What type of firewall is this? The reason I ask is that with Cisco there are two types of messages: a build and a teardown. The build is the intention and the teardown is the actual result.
Also, I will typically look at the bytes sent and received. 0 bytes received shows me the connection was not successful.
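
The build/teardown correlation described in the reply above, as an added example that is not part of the original thread: it pairs Cisco ASA-style Built (302013) and Teardown (302014) syslog messages by connection ID and classifies each outbound flow. The log lines are constructed, and the verdict labels, the function name `classify_connections`, and the use of the teardown's single total byte count are assumptions of this sketch.

```python
import re

# Constructed sample lines in Cisco ASA syslog style (302013 = Built, 302014 = Teardown).
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.0.0.5/51234 (198.51.100.2/51234)
%ASA-6-302014: Teardown TCP connection 101 for outside:203.0.113.10/443 to inside:10.0.0.5/51234 duration 0:00:12 bytes 48213 TCP FINs
%ASA-6-302013: Built outbound TCP connection 102 for outside:203.0.113.20/8443 (203.0.113.20/8443) to inside:10.0.0.5/51240 (198.51.100.2/51240)
%ASA-6-302014: Teardown TCP connection 102 for outside:203.0.113.20/8443 to inside:10.0.0.5/51240 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 103 for outside:203.0.113.30/22 (203.0.113.30/22) to inside:10.0.0.7/40000 (198.51.100.2/40000)
"""

# Outbound only: the first endpoint is the remote (destination), the second the internal source.
BUILT = re.compile(r"302013: Built outbound TCP connection (\d+) for "
                   r"\w+:([^/\s]+)/(\d+) .*? to \w+:([^/\s]+)/(\d+)")
TEARDOWN = re.compile(r"302014: Teardown TCP connection (\d+) .*?"
                      r"duration \S+ bytes (\d+)\s*(.*)$")

def classify_connections(log_text):
    """Pair Built/Teardown lines by connection ID; return {id: (src, dst, verdict)}."""
    flows = {}
    for line in log_text.splitlines():
        if m := BUILT.search(line):
            conn_id, dst_ip, dst_port, src_ip, src_port = m.groups()
            # A Built line alone only proves the firewall permitted the attempt.
            flows[conn_id] = (f"{src_ip}:{src_port}", f"{dst_ip}:{dst_port}",
                              "permitted, outcome unknown")
        elif m := TEARDOWN.search(line):
            conn_id, nbytes, reason = m.group(1), int(m.group(2)), m.group(3)
            src, dst, _ = flows.get(conn_id, ("?", "?", None))
            if "SYN Timeout" in reason:
                verdict = "permitted, handshake never completed"
            elif nbytes == 0:
                verdict = "connected, no payload exchanged"
            else:
                verdict = f"established, {nbytes} bytes exchanged"
            flows[conn_id] = (src, dst, verdict)
    return flows

if __name__ == "__main__":
    for conn_id, (src, dst, verdict) in classify_connections(SAMPLE_LOG).items():
        print(f"conn {conn_id}: {src} -> {dst}: {verdict}")
```

A Built line with no matching Teardown in the searched window stays "outcome unknown", which is the situation the question describes when only the permit event is available.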