David_Charnon
Collaborator

Log accounting best practice and field explanation

We have enabled "Accounting" on a number of rules on our internet facing gateways in the Security and Application layers (using ordered layers) and I am curious to hear what others have used as a best practice for Accounting settings. In general, we want to know how much data is being uploaded/downloaded by our internal hosts. Should we have Accounting enabled for both the Security rules which are matched and the corresponding Application rules? If only in one layer, which?

Also, I'm looking for an explanation for these log fields:

Client Inbound Bytes

Client Outbound Bytes

Server Inbound Bytes

Server Outbound Bytes

The data in the fields Client Inbound Bytes and Server Outbound Bytes generally match, the data in the fields Client Outbound Bytes and Server Inbound Bytes are close but often do not match. Seems to me "Client Outbound Bytes" equals what an internal client has downloaded, which is counter-intuitive to me. Anyone know of detailed documentation about these fields?

 

Thanks

Dave

0 Kudos
2 Replies
PhoneBoy
Admin

Client: Source of connection
Server: Destination of connection
Inbound: Being sent from client/server
Outbound: Being received by client/server

If NAT is involved, the numbers may not match as IPs may be getting modified in the data portion.
Also adding things like an X-Forwarded-For header will add bytes to the connection.

As far as which layer you say "accounting" for, not sure it matters.
Note that App Control rules with Detailed or Extended logs will also tend to include this information.
0 Kudos
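
Added example, not part of the original thread and not Check Point code: a per-host upload/download summary built from accounting log records using the field definitions in the reply above. The CSV export layout, the `Source` and `Destination` column names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the CSV layout and the Source/Destination
# columns are assumptions, the four byte-counter names come from the thread.
SAMPLE_CSV = """Source,Destination,Client Inbound Bytes,Client Outbound Bytes,Server Inbound Bytes,Server Outbound Bytes
10.1.1.20,203.0.113.10,1200,50000,50000,1200
10.1.1.20,203.0.113.11,800000,4000,4000,800042
10.1.1.31,198.51.100.7,300,9000,9100,300
"""


def summarize(csv_text):
    """Return {source: {"uploaded", "downloaded", "mismatched"}} totals."""
    totals = defaultdict(lambda: {"uploaded": 0, "downloaded": 0, "mismatched": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        c_in = int(row["Client Inbound Bytes"])    # sent from the client
        c_out = int(row["Client Outbound Bytes"])  # received by the client
        s_in = int(row["Server Inbound Bytes"])    # sent from the server
        s_out = int(row["Server Outbound Bytes"])  # received by the server
        host = totals[row["Source"]]
        host["uploaded"] += c_in
        host["downloaded"] += c_out
        # Client-side and server-side counters can differ, for example when
        # NAT or an added header changes the byte count in transit.
        if c_in != s_out or c_out != s_in:
            host["mismatched"] += 1
    return dict(totals)


def top_uploaders(summary, min_bytes):
    """Sources whose uploaded total is at least min_bytes, largest first."""
    hits = [(h, t["uploaded"]) for h, t in summary.items() if t["uploaded"] >= min_bytes]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    summary = summarize(SAMPLE_CSV)
    for host, t in summary.items():
        print(host, t)
    print("large uploaders:", top_uploaders(summary, 100_000))
```
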
David_Charnon
Collaborator

Thank you, that clears it up.

 

Dave

0 Kudos