Always show last matched rule number & name in logs

It would be nice if I could set the log view to show the last matching rule number and name all the time. For some reason there's a difference between allowed and blocked traffic. If allowed, it will show the first matching rule in the logs view; if blocked, it shows the last matching rule.

This became very annoying after implementing layered policies, specifically for Geo IP filtering as discussed here. Now, the "Access Rule Number" and "Access Rule Name" columns in the logs show "Geo IP" for all Allowed traffic and the block rule number & name for all blocked traffic.

This makes the two columns in the log view practically worthless, so I'm a little suspicious that there's already a fix out there, but I'm not finding anything.

A typical example "Matched Rules" section for an Accept looks something like this:

- 6 | Geo IP | Geo IP Cleanup | Accept

- 17 | General | GroupARules | Inline

- 17.45 | Group A | GroupAServices | Inline

- 17.45.23 | Group A Service | DNS | Accept

But in the firewall log, you will always see the "Access Rule Number: 6" and "Access Rule Name: Geo IP".

0 Kudos
2 Replies

Thanks for this feedback.

We'll try to look internally to better understand why there is a difference in behavior.

BTW, do you think that it makes sense for all customers and all cases to always show the last matching rule? (assuming that this remains a "single value" field)

0 Kudos

Yes, it makes sense for all customers and all cases to show the last matching rule. I think any other way changes the purpose of the log view, which is to see why a packet was allowed or blocked.

0 Kudos