LSO FortiGate - Traffic: Forward (2)
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type and values parsed for both LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) means no value is parsed for a specified log field.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
date | N/A | N/A |
time | N/A | N/A |
devname | <subject> | N/A |
logid | <vmid> | <vmid> |
type | <parentprocessname> | <vendorinfo> |
subtype | <parentprocessid> | N/A |
level | <severity> | <severity> |
vd | N/A | <sessiontype> |
eventtime | N/A | N/A |
srcip | <sip> | <sip> |
srcport | <sport> | <sport> |
srcintf | <sinterface> | <sinterface> |
srcintfrole | N/A | N/A |
dstip | <dip> | <dip> |
dstname | <url> | N/A |
dstport | <dport> | <dport> |
dstintf | <dinterface> | <dinterface> |
dstinetsvc | <object> | N/A |
dstintfrole | N/A | N/A |
srcuuid | N/A | N/A |
dstuuid | N/A | N/A |
poluuid | N/A | N/A |
sessionid | <session> | <session> |
proto | <protnum> | <protnum> |
action | <action> | <action> |
policyid | <policy> | <policy> |
policytype | <process> | N/A |
service | N/A | <protname> |
user | <login> | <login> |
group | <group> | N/A |
dstcountry | N/A | N/A |
srccountry | N/A | N/A |
trandisp | N/A | N/A |
tranip | <dnatip> | N/A |
transip | <snatip> | <snatip> |
transport | N/A | <snatport> |
appid | <processid> | <object> |
app | <object> | <objectname> |
appcat | <objectname> | <objecttype> |
apprisk | <severity> | <threatname> |
applist | N/A | N/A |
appact | <status> | N/A |
url | N/A | N/A |
duration | <seconds> | <seconds> |
sentbyte | <bytesout> | <bytesout> |
rcvdbyte | <bytesin> | <bytesin> |
sentpkt | <packetsout> | <packetsout> |
rcvdpkt | <packetsin> | <packetsin> |
utmaction | <result> | <status> |
countapp | N/A | <quantity> |
osname | N/A | N/A |
mastersrcmac | N/A | N/A |
srcmac | N/A | <smac> |
srcserver | N/A | N/A |
utmref | N/A | N/A |
dstmac | <dmac> | <dmac> |
devtype | <objecttype> | N/A |
srcfamily | <sessiontype> | N/A |
unauthuser | <login> | N/A |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010521 | Traffic: Forward | Base Rule | Network Traffic | Network Traffic |
| | Sniffer Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Forwarded Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Forwarded Traffic Timeout | Sub Rule | User Session Timeout | Information |
| | Forwarded Traffic Close | Sub Rule | Connection Closed | Network Traffic |
| | Forwarded Traffic Accept - Reset | Sub Rule | Connection Reset | Network Traffic |
| | Local Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Forwarded Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | Forward Traffic Deny | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | ICMP Traffic Allow | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Invalid Traffic | Sub Rule | Connection Failed | Network Traffic |
| | Malware Activity Blocked | Sub Rule | Failed Botnet Activity | Failed Malware |
| | Forwarded Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Forwarded Traffic Start | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Local Traffic Accepted | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Forwarded Traffic | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Forwarded Traffic Session Closed | Sub Rule | Connection Closed | Network Traffic |
| | Forwarded Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Local Traffic Accept | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | Local Traffic Timeout | Sub Rule | Session Disconnected | Other Audit Success |
| | Network/Traffic Allowed Messages | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | LOG_ID_TRAFFIC_END_FORWARD | Sub Rule | IP Forwarding Events | Network Traffic |
| | LOG_ID_TRAFFIC_START_FORWARD | Sub Rule | Session Connected | Network Traffic |
| | LOG_ID_TRAFFIC_ALLOW | Sub Rule | TCP Traffic Allowed | Network Traffic |
| | LOG_ID_TRAFFIC_DENY | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | LOG_ID_TRAFFIC_OTHER_START | Sub Rule | General Traffic Allowed | Network Traffic |
| | LOG_ID_TRAFFIC_OTHER_ICMP_ALLOW | Sub Rule | Permitted ICMP Traffic | Network Traffic |
| | LOG_ID_TRAFFIC_OTHER_ICMP_DENY | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | LOG_ID_TRAFFIC_WANOPT | Sub Rule | WAN Optimization Traffic | Network Traffic |
| | LOG_ID_TRAFFIC_WEBCACHE | Sub Rule | Web Cache Traffic | Network Traffic |
| | LOG_ID_TRAFFIC_EXPLICIT_PROXY | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| | LOG_ID_TRAFFIC_FAIL_CONN | Sub Rule | Connection Failed | Network Traffic |
| | LOG_ID_TRAFFIC_STAT | Sub Rule | Statistics Collector Message | Information |
| | LOG_ID_TRAFFIC_UTM_CORRELATION | Sub Rule | General Traffic Allowed | Network Traffic |
LogRhythm Default v2.0
| Regex ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1013575 | V 2.0: Traffic: Forward: VMID13 | Base Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: 13_Traffic Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: 13_Traffic Session Timeout | Sub Rule | Session Timeout | Warning |
| | V 2.0: 13_Local Traffic Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: 13_Traffic Session Started | Sub Rule | Network Session Created | Network Traffic |
| | V 2.0: 13_Traffic Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| | V 2.0: 13_Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: 13_Forward Traffic Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| | V 2.0: 13_Traffic Reset | Sub Rule | Connection Reset | Network Traffic |
| | V 2.0: 13_Forward Traffic Client-rst | Sub Rule | Connection Reset | Network Traffic |
| | V 2.0: 13_Forward Traffic Servert-rst | Sub Rule | Connection Reset | Network Traffic |