B_P
Collaborator

Always show last matched rule number & name in logs

It would be nice if we could set the log view to show the last matching rule number and name all the time. For some reason there's a difference for allowed and blocked traffic. If allowed, it will show the first matching rule in the logs view; if blocked, it shows the last matching rule.

This became very annoying after implementing layered policies, specifically for Geo IP filtering as discussed here. Now, the "Access Rule Number" and "Access Rule Name" columns in the logs show "Geo IP" for all Allowed traffic and the block rule number & name for all blocked traffic.

This makes the two columns in the log view practically worthless, so I'm a little suspect that there's already a fix out there, but I'm not finding anything.

A typical example "Matched Rules" section for an Accept looks something like this:

- 6 | Geo IP | Geo IP Cleanup | Accept

- 17 | General | GroupARules | Inline

- 17.45 | Group A | GroupAServices | Inline

- 17.45.23 | Group A Service | DNS | Accept

But in the firewall log, you will always see the "Access Rule Number: 6" and "Access Rule Name: Geo IP".

0 Kudos
2 Replies
Tomer_Noy
Employee

Thanks for this feedback.

We'll try to look internally to better understand why there is a difference in behavior.

BTW, do you think that it makes sense for all customers and all cases to always show the last matching rule? (assuming that this remains a "single value" field)

0 Kudos
B_P
Collaborator

Yes, it makes sense for all customers and all cases to show the last matching rule. I think any other way changes the purpose of the log view, which is to see why a packet was allowed or blocked.

0 Kudos