yongjun_jin
Participant

How to filter the traffic log using the CLI?

Hello. I would like to find specific traffic log entries using the CLI (for example by src IP, dst IP, dst port, time...).

I found the command 'fw log', but I can't use a filter with it.

(Also, I have to use an AND condition.)

I tried to use the grep command and a pipe. It did not work.

gw-18ee86> fw log -n -h
Missing origin

Usage:
fw log [-f|-t] [-x start_pos] [-y end_pos] [-z] [-n] [-p] [-l] [-o] [-g] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-k (alert_type|all)] [-a] [-u unification_scheme_file] [-m (initial|semi|raw)] [logfile]

-f - Only in case of active log file - Upon reaching end of file, wait for new records and print them as well.
-t - Same as -f flag, only start at end of file.
-x - Start printing at the specified position.
-y - End printing at the specified position.
-z - Continue printing the next records, in case of an error. Default is to stop printing
-n - No IP resolving. Default is to resolve all IPs.
-p - No port resolving. Default is to resolve all ports.
-q - Show log header fields names.
-i - Show log Uid.
-l - Show date and time per log record. Default is to show the date above the relevant records, and then the time per log record.
-o - Show detailed log chains - all the log segments a log record consists of.
-g - Not delimited style. Default is ':' after field name and ';' after field value.
-c - Selection by action, e.g., accept, drop, reject, etc.
-h - Selection by origin, given as IP or name.
-s - Selection by start time. See format below. All records after the given time will be selected.
-e - Selection by end time. See format below. All records before the given time will be selected.
-b - Selection by time range. See format below. Start and End time are expected after the flag.
-k - Selection by specific alert type. Default is 'all' for any alert type.
-a - Select account records only. Default is print all records.
-u - Unification scheme file name. Default is log_unification_scheme.C.
-m - Unification mode: initial-order, semi-unified, or raw. Default is 'initial'.
logfile - Log file name. Default is the active log file, fw.log.

I use an AWS instance (R80.10), standalone model.

Thank you.

7 Replies
PhoneBoy
Admin

fw log only looks at one log file at a time (the current log).

In R80.x, the firewall log is automatically rotated at midnight, so at most you'll see up to the last 24 hours.

You can have fw log read previous logs but only one log at a time can be examined.

Also, the -h option is meant to read logs from a different host, which is not applicable in your configuration.

fw log offers no search capabilities.

You would have to pipe the output through grep or some other tool capable of searching the output.

yongjun_jin
Participant

Thank you.

I found a way of filtering the log.

Expert mode:

clish -c "fw log -n -p" | grep 'src: 1.2.3.4;.*dst: 2.3.4.5;.*sport_svc: 443;'

But I have a question about this.

[Expert@gw-18ee86:0]# clish -c "fw log -n -p" | grep 'src: 172.31.6.61;.*dst: 61.219.11.151.*sport_svc: 443;'
10:19:30 5 N/A 1 drop 172.31.6.61 < eth0 LogId: 1; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-PUSH-ACK; src: 172.31.6.61; dst: 61.219.11.151; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 64006; sport_svc: 443; ProductFamily: Network;

In this result, is svc the source and sport_svc the destination?

Or is it the opposite?

Danny
Champion

sport = source port

dport = destination port

yongjun_jin
Participant

[Expert@gw-18ee86:0]# clish -c "fw log -n -p" | grep 'src: 172.31.6.61;.*dst: 61.219.11.151.*sport_svc: 443;'
10:19:30 5 N/A 1 drop 172.31.6.61 < eth0 LogId: 1; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; TCP packet out of state: First packet isn't SYN; tcp_flags: FIN-PUSH-ACK; src: 172.31.6.61; dst: 61.219.11.151; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 64006; sport_svc: 443; ProductFamily: Network;

Hi Danny Jung.

I know sport means source port and dport means destination port.

But this log only shows svc and sport_svc (estimated to be a port).

I don't know why this log doesn't have dport.

I guess one of them is the destination port.

Thank you.

PhoneBoy
Admin

svc is "service", i.e. the destination port. In some cases it will not be a numeric value but rather a name.

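The thread's filter relies on a single grep regex with '.*' between the fields, which only matches when the fields appear in that exact order, and the follow-up establishes that svc is the destination port and sport_svc the source port. The script below is an added example (not from the thread and not Check Point's own tooling) that reads `fw log -n -p` output on stdin, parses every "name: value;" pair of a record into a map, and applies an AND over any number of key=value conditions regardless of field order; positional fields (time, action) are taken from the record prefix. The -n and -p flags matter: without them src, dst and svc may be printed as resolved names rather than numbers, and exact matching fails. The sample records are constructed to match the format shown in the thread (the third one deliberately lists svc before dst); the gateway commands in the trailing comment assume expert mode and the default log directory $FWDIR/log.

```shell
#!/bin/sh
# Added example, not from the thread: AND-filter "fw log -n -p" records by any
# combination of fields, independent of the order the fields are printed in.
# Constructed sample output modelled on the records quoted in the thread; the
# third record deliberately lists svc before dst to show order does not matter.
SAMPLE_LOG='Date: Jan 16, 2019
10:19:30 5 N/A 1 drop 172.31.6.61 < eth0 LogId: 1; tcp_flags: FIN-PUSH-ACK; src: 172.31.6.61; dst: 61.219.11.151; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 64006; sport_svc: 443; ProductFamily: Network;
14:45:45 5 N/A 1 drop 172.31.6.61 > eth0 LogId: 1; tcp_flags: RST; src: 101.109.41.74; dst: 172.31.6.61; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 1433; sport_svc: 45194; ProductFamily: Network;
Date: Jan 17, 2019
8:07:08 5 N/A 1 accept 172.31.6.61 > eth0 LogId: 1; src: 172.31.6.61; proto: tcp; svc: 443; dst: 61.219.11.151; sport_svc: 51000; ProductFamily: Network;'

# fwlog_filter "key=value key=value ..." : read records on stdin and print those
# for which every condition holds (AND). Keys are the field names as printed by
# fw log (src, dst, svc = destination port, sport_svc = source port, proto, ...)
# plus two positional ones: time (first token) and action (fifth token).
fwlog_filter() {
    awk -v conds="$1" '
    BEGIN {
        n = split(conds, c, " ")
        for (i = 1; i <= n; i++) {
            eq = index(c[i], "=")
            want[substr(c[i], 1, eq - 1)] = substr(c[i], eq + 1)
        }
    }
    /^Date: / { next }          # fw log prints the date once above its records
    NF == 0   { next }
    {
        split("", f)            # portable way to empty the per-record map
        f["time"]   = $1
        f["action"] = $5        # accept / drop / reject ...
        rest = $0
        # collect every "name: value;" pair that follows the positional prefix
        while (match(rest, /[A-Za-z_]+: [^;]*;/)) {
            pair  = substr(rest, RSTART, RLENGTH)
            rest  = substr(rest, RSTART + RLENGTH)
            colon = index(pair, ": ")
            f[substr(pair, 1, colon - 1)] = substr(pair, colon + 2, length(pair) - colon - 2)
        }
        ok = 1
        for (k in want) if (f[k] != want[k]) { ok = 0; break }
        if (ok) print
    }'
}

# fwlog_count "conditions" : number of SAMPLE_LOG records matching the conditions
fwlog_count() {
    printf '%s\n' "$SAMPLE_LOG" | fwlog_filter "$1" | awk 'END { print NR }'
}

# On a gateway (assumption: expert mode, logs under $FWDIR/log) the same filter
# works on the live log and, as the thread notes, on one rotated file at a time:
#   fw log -n -p | fwlog_filter "src=172.31.6.61 dst=61.219.11.151 svc=443"
#   fw log -n -p "$FWDIR/log/<rotated-file>.log" | fwlog_filter "action=drop svc=1433"
```

Conditions are exact, whole-value matches, so "svc=443" matches a destination port of 443 and not 4430; a time range is still best narrowed first with the `-s`, `-e` or `-b` options shown in the usage text, and the action with `-c`, leaving the script to do the per-field AND that fw log itself does not offer.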
yongjun_jin
Participant

Thank you for your reply.

I have one more question.

I found that the drop log has src, dst, svc, but the accept log only has a rule ID.

Can I get the same things (src, dst, svc) from the accept log?

[Expert@gw-18ee86:0]# fw log -n -p -c drop

14:45:45 5 N/A 1 drop 172.31.6.61 > eth0 LogId: 1; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; TCP packet out of state: First packet isn't SYN; tcp_flags: RST; src: 101.109.41.74; dst: 172.31.6.61; proto: tcp; ProductName: VPN-1 & FireWall-1; svc: 1433; sport_svc: 45194; ProductFamily: Network;

[Expert@gw-18ee86:0]# fw log -n -p -c accept
Date: Jan 16, 2019
8:07:08 5 N/A 1 accept 172.31.6.61 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; OriginSicName: cn=cp_mgmt,o=gw-18ee86..hu5ufg; HighLevelLogKey: 18446744073709551615; rule_guid: {4A3B1474-A403-4742-893D-E501A5C5C5B0}; hit: 3; policy: fw1; first_hit_time: 1547593568; last_hit_time: 1547593621; log_id: 10; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

PhoneBoy
Admin

At least on R80.20, I appear to be getting the desired information with the same command line.

That said, I am not checking on a standalone box in AWS, but rather a management station I'm running in VMware.

Perhaps there is something in the rule; can you post a screenshot of the rule that is supposedly accepting this traffic?
