topic Re: how to filter traffic log by using CLI ? in Firewall and Security Management

how to filter traffic log by using CLI ?

yongjun_jin — Mon, 14 Jan 2019 03:07:53 GMT

Hello. I would like to find specific traffic log by using CLI ( for example src IP, dst IP, dst Port, time...)

I found command 'fw log' but I can't use filter.

( also I have to use AND condition)

I tried to use grep command and pipe command. It did not work.

gw-18ee86> fw log -n -h
Missing origin
Usage:
fw log [-f|-t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-l] [-o] [-g] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-k (alert_type|all)] [-a] [-u unification_scheme_file] [-m (initial|semi|raw)] [logfile]
-f - Only in case of active log file - Upon reaching end of file, wait for new records and print them as well.
-t - Same as -f flag, only start at end of file.
-x - Start printing at the specified position.
-y - End printing at the specified position.
-z - Continue printing the next records, in case of an error. Default is to stop printing
-n - No IP resolving. Default is to resolve all IPs.
-p - No port resolving. Default is to resolve all ports.
-q - Show log header fields names.
-i - Show log Uid.
-l - Show date and time per log record. Default is to show the date above the relevant records, and then the time per log record.
-o - Show detailed log chains - all the log segments a log record consists of.
-g - Not delimited style. Default is ':' after field name and ';' after field value.
-c - Selection by action, e.g., accept, drop, reject, etc.
-h - Selection by origin, given as IP or name.
-s - Selection by start time. See format below. All records after the given time will be selected.
-e - Selection by end time. See format below. All records before the given time will be selected.
-b - Selection by time range. See format below. Start and End time are expected after the flag.
-k - Selection by specific alert type. Default is 'all' for any alert type.
-a - Select account records only. Default is print all records.
-u - Unification scheme file name. Default is log_unification_scheme.C.
-m - Unification mode: initial-order, semi-unified, or raw. Default is 'initial'.
logfile - Log file name. Default is the active log file, fw.log.

I use AWS Instance(R80.10) standalone model.

Thank you.

Re: how to filter traffic log by using CLI ?

PhoneBoy — Mon, 14 Jan 2019 04:07:50 GMT

fw log only looks at one log file at a time (the current log).

In R80.x, the firewall log is automatically rotated at midnight, so at most you'll see up to the last 24 hours.

You can have fw log read previous logs but only one log at a time can be examined.

Also, the -h option is meant to read logs from a different host, which is not applicable in your configuration.

fw log offers no search capabilities.

You would have to pipe the output thru grep or some other tool capable of searching the output.

Re: how to filter traffic log by using CLI ?

yongjun_jin — Mon, 14 Jan 2019 05:32:24 GMT

thank you.

I found the way filtering log.

expert mode

clish -c "fw log -n -p" | grep 'src: 1.2.3.4;.*dst: 2.3.4.5;.*sport_svc: 443;'

but I have a question about this.

[Expert@gw-18ee86:0]# clish -c "fw log -n -p" | grep 'src: 172.31.6.61;.*dst: 61.219.11.151.*sport_svc: 443;'
10:19:30 5 N/A 1 drop 172.31.6.61 < eth0 LogId: 1; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-PUSH-ACK; src: 172.31.6.61; dst: 61.219.11.151; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 64006; sport_svc: 443; ProductFamily: Network;

In this result, svc is source and sport_svc is dest ???

or is it the opposite???

Re: how to filter traffic log by using CLI ?

Danny — Mon, 14 Jan 2019 09:23:17 GMT

sport = source port

dport = destination port

Re: how to filter traffic log by using CLI ?

yongjun_jin — Tue, 15 Jan 2019 06:47:53 GMT

Hi Danny Jung.

I know sport means source port and dport means destination port.

but this log only show svc and sport_svc(estimated to be a port)

I don't know why this log doesn't have dport.

I guess One of them is the destination port.

thank you.

Re: how to filter traffic log by using CLI ?

PhoneBoy — Tue, 15 Jan 2019 13:38:38 GMT

svc is "service" I.e. Destination port. In some cases it will not be a numeric value but rather a name.

Re: how to filter traffic log by using CLI ?

yongjun_jin — Wed, 16 Jan 2019 06:05:30 GMT

thank you for your reply.

I have one more question.

I found that drop log have src, dst, srv but accpet log only have ruleId.

can I get same thing(src, dst, srv) from accept log ?

[Expert@gw-18ee86:0]# fw log -n -p -c drop
14:45:45 5 N/A 1 drop 172.31.6.61 > eth0 LogId: 1; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; TCP packet out of state: First packet isn't SYN; tcp_flags: RST; src: 101.109.41.74; dst: 172.31.6.61; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 1433; sport_svc: 45194; ProductFamily: Network;
[Expert@gw-18ee86:0]# fw log -n -p -c accept
Date: Jan 16, 2019
8:07:08 5 N/A 1 accept 172.31.6.61 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; rule_guid: {4A3B1474-A403-4742-893D-E501A5C5C5B0}; hit: 3; policy: fw1; first_hit_time: 1547593568; last_hit_time: 1547593621; log_id: 10; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

Re: how to filter traffic log by using CLI ?

PhoneBoy — Wed, 16 Jan 2019 14:58:37 GMT

At least on R80.20, I appear to be getting the desired information with the same command line.

That said, I am not checking on a standalone box in AWS, but rather a management station I'm running in VMware.

Perhaps there is something in the rule--can you post a screenshot of the rule that is supposedly accepting this traffic?