V 2.0 : VPN-1 & Firewall-1 Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : VPN-1 & FireWall-1 Events | Base Rule | General Network Traffic | Network Traffic |
V 2.0 : Firewall Message Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 : Firewall Message Rejected | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 : Firewall Message Accepted | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 : Firewall Message Blocked | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 : Firewall Message Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
virtuallogsource | N/A | N/A | N/A |
Subproduct | N/A | N/A | Can be VPN or non-VPN |
Product | <vmid> | Text/String | Product name |
Originip | N/A | N/A | IP of the log origin |
origin | N/A | N/A | Name of the first Security Gateway that reported this event |
Action | <action> <tag1> | Text/String | Action of matched rule Possible values: Drop Reject Accept Encrypt Decrypt Authorize Deauthorize Bypass Block Detect Do not send Allow Ask User Extract |
SIP | <sip> | IP Address | Source IP |
SPort | <sport> | Number | Source host port number |
DIP | <dip> | IP Address | Destination IP |
dport | <dport> | Number | Destination port |
protocol | <protnum> | Number | Protocol detected on the connection |
ifname | <sinterface> | Text/String | The name of the Security Gateway interface through which a connection traverses |
ifdirection | N/A | N/A | Connection direction |
Reason | <reason> | Text/String | Information on the error occurred |
Rule | N/A | N/A | Matched rule number |
Info | N/A | N/A | Rule information on the blocked diameter CMD |
XlateSIP | <snatip> | IP Address | Source ipv4 after applying NAT |
XlateSport | <snatport> | Number | Source port after applying hide NAT on source IP |
XlateDIP | <dnatip> | IP Address | Destination ipv4 after applying NAT |
XlateDPort | <dnatport> | Number | Destination port after applying NAT |
User | <login> | Text/String | Source user name |
alert | N/A | N/A | Alert level of matched rule (for connection logs) |
sys_msgs | N/A | N/A | N/A |
sys_message | N/A | N/A | N/A |
rule_uid | N/A | N/A | Access policy rule ID on which the connection was matched |
icmp_code | N/A | N/A | In case a connection is ICMP, the ICMP code info will be added to the log |
icmp_type | N/A | N/A | In case a connection is ICMP, the type info will be added to the log |
matched_category | N/A | N/A | Name of matched category |
rule_name | <command> | Text/String | Access rule name |
OriginZone | N/A | N/A | Indicates whether the source zone is internal or external |
ImpactedZone | N/A | N/A | Indicates whether the destination zone is internal or external |
PolicyManagement | N/A | N/A | Name of the Management Server that manages this Security Gateway |
PolicyName | N/A | N/A | Name of the last policy that this Security Gateway fetched |
Service | N/A | N/A | Connection destination int/service int |
State | N/A | N/A | N/A |
TCP_Flags | N/A | N/A | TCP packet flags (SYN, ACK, etc.,) |
time | N/A | N/A | The time stamp when the log was created |
flags | N/A | N/A | Check Point internal field |
loguid | N/A | N/A | UUID of unified logs |
originsicname | N/A | N/A | Machine SIC |
sequencenum | N/A | N/A | Number added to order logs with the same Linux timestamp and origin |
version | N/A | N/A | N/A |
__policy_id_tag | <policy> | Text/String | Check Point internal field |
bytes | N/A | N/A | N/A |
client_inbound_bytes | <bytesin> | Number | N/A |
client_inbound_interface | N/A | N/A | N/A |
client_inbound_packets | <packetsin> | Number | N/A |
client_outbound_bytes | <bytesout> | Number | N/A |
client_outbound_interface | N/A | N/A | N/A |
client_outbound_packets | <packetsout> | Number | N/A |