V 2.0 : URL Filtering Events
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: URL Filtering Events | Base Rule | General Network Traffic | Network Traffic |
| V 2.0: URL Filtering: Accept | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| V 2.0: URL Filtering: Allow | Sub Rule | Traffic Allowed by Proxy | Network Allow |
| V 2.0: URL Filtering: Reject | Sub Rule | Traffic Denied by Proxy | Network Deny |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| virtuallogsource | N/A | N/A | N/A |
| subproduct | N/A | N/A | Can be VPN or non-VPN |
| Product | <vmid> | Text/String | Product name |
| Originip | N/A | N/A | IP of the log origin |
| origin | N/A | N/A | Name of the first Security Gateway that reported this event |
| Action | <action> <tag1> | Text/String | N/A |
| SIP | <sip> | IP Address | Source IP |
| SPort | <sport> | Number | Source host port number |
| DIP | <dip> | IP Address | Destination IP |
| dport | <dport> | Number | Destination host port number |
| protocol | <protnum> | Number | Protocol detected on the connection |
| ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
| ifdirection | N/A | N/A | N/A |
| Reason | <reason> | Text/String | Information on the error occurred |
| Rule | N/A | N/A | Matched rule number |
| PolicyName | N/A | N/A | N/A |
| Info | N/A | N/A | Rule information on the blocked diameter CMD |
| XlateSIP | <snatip> | IP Address | Source ipv4 after applying NAT |
| XlateSport | <snatport> | Number | Source port after applying hide NAT on source IP |
| XlateDIP | <dnatip> | IP Address | Destination ipv4 after applying NAT |
| XlateDPort | <dnatport> | Number | Destination port after applying NAT |
| rule_uid | N/A | N/A | Access policy rule ID which the connection was matched on |
| Url | N/A | N/A | Matched URL |
| User | N/A | N/A | Source user name |
| matched_category | N/A | N/A | Name of matched category |
| app_rule_name | N/A | N/A | Rule name |
| web_client_type | N/A | N/A | Web client detected in the HTTP request (e.g., Chrome) |
| web_server_type | N/A | N/A | Web server detected in the HTTP response |
| app_risk | <severity> | Number | Application risk Possible values: 0 - Unknown 1 - Very Low 2 - Low 3 - Medium 4 - High 5 - Critical |
| appi_name | <process> | Text/String | Application name |
| app_desc | N/A | N/A | Application description |
| app_id | N/A | N/A | Application ID |
| app_category | N/A | N/A | N/A |
| app_properties | <subject> | Text/String | Application categories |
| src_machine_name | <sname> | Text/String | Machine name connected to source IP |
| src_user_name | <login> | Text/String | User name connected to source IP |
| proxy_src_ip | N/A | N/A | Sender source IP (even when using proxy) |
| received_bytes | <bytesout> | Number | Number of bytes received during connection |
| sent_bytes | <bytesin> | Number | Number of bytes sent during the connection |
| portal_message | N/A | N/A | N/A |
| time | N/A | N/A | The time stamp when the log was created |
| alert | N/A | N/A | Alert level of matched rule (for connection logs) |
| flags | N/A | N/A | Checkpoint internal field |
| loguid | N/A | N/A | UUID of unified logs |
| sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
| version | N/A | N/A | N/A |
| __policy_id_tag | <policy> | Text/String | Check Point internal field |
| app_rule_id | N/A | N/A | Rule number |
| app_sig_id | N/A | N/A | The signature ID by which the application was detected |
| origin_sic_name | N/A | N/A | Machine SIC |
| ticket_id | N/A | N/A | Unique ID per file |
| usercheck_incident_uid | N/A | N/A | UserCheck incident ID |
| duration | <seconds> | Number | N/A |
| resource | <url> | Text/String/Number | Resource from the HTTP request |