Firewall Messages

Vendor Documentation

Rule Name                             Rule Type   Common Event                       Classification
------------------------------------  ----------  ---------------------------------  ----------------
Firewall Messages                     Base Rule   General Firewall Log               Network Traffic
1004 : FW_Related-Connection          Sub Rule    Traffic Allowed by Host Firewall   Network Allow
70022 : Connection_Closed-Abnormally  Sub Rule    Connection Terminated              Network Traffic
70026 : Connection_Progress           Sub Rule    Connection Starting                Network Traffic
70019 : Connection_Discarded          Sub Rule    Connection Closed                  Network Traffic
70018 : Connection_Allowed            Sub Rule    Traffic Allowed by Host Firewall   Network Allow
71257 : TCP_Segment-SYN-No-Options    Sub Rule    TCP SYN Received                   Network Traffic
70021 : Connection_Closed             Sub Rule    Connection Closed                  Network Traffic

Mapping with LogRhythm Schema

Device Key in Log Message   LogRhythm Schema   Data Type
--------------------------  -----------------  -------------------
Version                     <version>          Number
vmid                        <vmid>             Number
objectname                  <objectname>       Text/String
severity                    <severity>         Text/String/Number
spt                         <sport>            Number
dst                         <dip>              IP Address
request                     <object>           Text/String
app                         <session>          Text/String/Number
act                         <command>          Text/String
msg                         <object>           Text/String
deviceoutboundinterface     <sinterface>       Text/String/Number
deviceinboundinterface      <dinterface>       Text/String/Number
proto                       <protnum>          Number
dpt                         <dport>            Number
in                          <bytesin>          Number
out                         <bytesout>         Number
src                         <sip>              IP Address
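The following is an added example, not code from the vendor or from LogRhythm, that applies both tables above to a log line: it resolves the numeric message ID to the sub rule's Common Event and Classification (falling back to the base rule for an ID the sub rules do not list), maps each device key to its LogRhythm schema field, and rejects values that do not fit the listed data type instead of storing them. It assumes the line is laid out CEF-style (pipe-delimited header carrying the message ID, then a key=value extension); the two sample lines are constructed for the demonstration and are not vendor output.

```python
"""Apply the firewall sub-rule table and the LogRhythm schema mapping to a log line.
Added example; the CEF-style layout and the sample lines below are assumptions."""
import ipaddress
import re

# Sub rules from the page: message ID -> (rule name, Common Event, Classification).
SUB_RULES = {
    "1004":  ("FW_Related-Connection",        "Traffic Allowed by Host Firewall", "Network Allow"),
    "70022": ("Connection_Closed-Abnormally", "Connection Terminated",            "Network Traffic"),
    "70026": ("Connection_Progress",          "Connection Starting",              "Network Traffic"),
    "70019": ("Connection_Discarded",         "Connection Closed",                "Network Traffic"),
    "70018": ("Connection_Allowed",           "Traffic Allowed by Host Firewall", "Network Allow"),
    "71257": ("TCP_Segment-SYN-No-Options",   "TCP SYN Received",                 "Network Traffic"),
    "70021": ("Connection_Closed",            "Connection Closed",                "Network Traffic"),
}
# Base rule: used here as the fallback when no sub rule matches the message ID.
BASE_RULE = ("Firewall Messages", "General Firewall Log", "Network Traffic")

# Device key -> (LogRhythm schema field, data type), from the mapping table on the page.
FIELD_MAP = {
    "Version": ("version", "Number"),
    "vmid": ("vmid", "Number"),
    "objectname": ("objectname", "Text/String"),
    "severity": ("severity", "Text/String/Number"),
    "spt": ("sport", "Number"),
    "dst": ("dip", "IP Address"),
    "request": ("object", "Text/String"),
    "app": ("session", "Text/String/Number"),
    "act": ("command", "Text/String"),
    "msg": ("object", "Text/String"),
    "deviceoutboundinterface": ("sinterface", "Text/String/Number"),
    "deviceinboundinterface": ("dinterface", "Text/String/Number"),
    "proto": ("protnum", "Number"),
    "dpt": ("dport", "Number"),
    "in": ("bytesin", "Number"),
    "out": ("bytesout", "Number"),
    "src": ("sip", "IP Address"),
}

# ASSUMPTION: CEF-style line "CEF:0|vendor|product|version|<msg id>|<name>|<severity>|key=value ...".
_HEADER = re.compile(
    r"^CEF:\d+\|(?:[^|]*\|){3}(?P<msg_id>[^|]*)\|(?P<name>[^|]*)\|(?P<sev>[^|]*)\|(?P<ext>.*)$")
# A value runs until the next " key=" token; values containing a literal "=" are not handled here.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def coerce(value, data_type):
    """Validate a raw value against the page's data type; raise ValueError if it does not fit."""
    if data_type == "Number":
        return int(value)                          # ports, byte counts, protocol numbers are integers
    if data_type == "IP Address":
        return str(ipaddress.ip_address(value))    # accepts IPv4/IPv6, rejects hostnames and junk
    return value                                   # Text/String and Text/String/Number stay text

def parse_firewall_line(line):
    """Return rule, Common Event, Classification, mapped schema fields and any warnings for one line."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not a CEF-style firewall line")
    rule, common_event, classification = SUB_RULES.get(m["msg_id"], BASE_RULE)
    fields, warnings = {}, []
    for key, raw in _KV.findall(m["ext"]):
        if key not in FIELD_MAP:
            warnings.append(f"unmapped key {key!r}")
            continue
        schema_field, data_type = FIELD_MAP[key]
        try:
            value = coerce(raw.strip(), data_type)
        except ValueError:
            warnings.append(f"{key}={raw!r} is not a valid {data_type}")
            continue
        # 'request' and 'msg' both map to <object>: the first one seen wins and the clash is recorded.
        if schema_field in fields:
            warnings.append(f"{key} also maps to <{schema_field}>, keeping earlier value")
            continue
        fields[schema_field] = value
    return {"rule": rule, "common_event": common_event,
            "classification": classification, "fields": fields, "warnings": warnings}

# Constructed sample lines (not vendor output): a clean allowed connection, and an unlisted
# message ID carrying a bad source address, a non-numeric port and both <object> keys.
SAMPLE_ALLOWED = ("CEF:0|Vendor|Firewall|1.0|70018|Connection_Allowed|3|"
                  "src=10.0.0.5 spt=51234 dst=192.0.2.10 dpt=443 proto=6 act=PASS "
                  "deviceinboundinterface=eth0 deviceoutboundinterface=eth1 in=512 out=2048 "
                  "msg=Connection allowed")
SAMPLE_UNKNOWN = ("CEF:0|Vendor|Firewall|1.0|99999|Something_Else|3|"
                  "src=not-an-ip spt=http dst=192.0.2.10 dpt=80 proto=6 request=GET / msg=x")

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOWED, SAMPLE_UNKNOWN):
        print(parse_firewall_line(sample))
```

The point of the type checks is that a port or byte count that arrives as text, or an address that is not an address, is dropped with a warning rather than stored in a numeric or IP field, which keeps downstream searches and correlations on <sport>, <dport>, <sip> and <dip> trustworthy; the fallback to the base rule keeps an unlisted message ID classified as General Firewall Log rather than silently unparsed.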