Web: Example for Outputting Customized Netflow Session Logs to a Log Host
This section provides an example for outputting customized netflow session logs to a third-party log host through the web UI.
Networking Requirements
As shown in Figure 1, the FW is deployed on the network border. The network environment is as follows:
- The intranet is the Trust zone, while the Internet is the Untrust zone. Users on the intranet access the Internet using the NAT function provided by the FW.
- A third-party log server is deployed in the DMZ.
The FW is required to send session information generated when intranet users access the Internet to the third-party log server in the customized netflow IPv4 format. The administrator can view and analyze session information on the third-party log server.
Configuration Roadmap
This example provides only the FW configuration. For the third-party log server configuration, see the third-party log server product document.
The system time must be set correctly during the initial configuration. Changing the system time during device running will result in incorrect timestamps in historical logs. The time zone of the log server must be the same as that of the FW.
- Set the IP addresses for interfaces and add the interfaces to security zones.
- Configure security policies.
- Configure a NAT policy.
- Configure routes.
- Configure log hosts.
- Enable the session log function in a security policy.
- Customize the netflow format.
Procedure
- Set the IP addresses for interfaces and add the interfaces to security zones.
Choose .
Click GE0/0/1 and set the following parameters.
Zone
trust
IPv4
IP Address
192.168.0.1/24
Click OK.
Repeat the preceding steps to configure GE0/0/2.
Zone
dmz
IPv4
IP Address
172.16.0.1/24
Repeat the preceding steps to configure GE0/0/3.
Zone
untrust
IPv4
IP Address
1.1.1.1/24
- Configure security policies.
- Choose .
- Click Add and configure a security policy from Trust to Untrust.
Session log packets are not controlled by packet filtering. Therefore, you do not need to configure session log security policies. You only need to configure the preceding security policies.
- Configure a NAT policy.Configure the NAT address pool and use the PAT mode (also the default mode). If the mode no-pat command is used here to specify the No-PAT mode, the FW will generate No-PAT-mode session logs. You can check the corresponding log information in on the eLog.
- Choose .
- Click the Source Translation Address Pool tab, click Add, configure the NAT address pool according to the following parameters, and click OK.
Name
addr1
IP Address Range
1.1.1.10-1.1.1.1.15
Configure the NAT policy and reference the NAT address pool.- Choose , click Add in NAT Policy List, and configure the NAT policy as follows. Click OK.
Name
policy1
NAT Type
NAT
Source Zone
trust
Destination Type
Destination Zone (untrust)
Source Address
192.168.0.0/24
Translated After
Translated Mode
IP Address in the IP Address Pool
Address Pool
addr1
- Configure routes.
# Configure a default route. In this example, the next hop of the FW to the Internet is 1.1.1.2.
Choose .
In Static Route List, click Add and configure a default route based on the following parameter values.
Protocol
IPv4
Destination Address/Mask
0.0.0.0/0.0.0.0
Next Hop
1.1.1.2
Click OK.
- Configure the log host and the source IP address and source port for sending logs.
Choose .
- Enable the session log function.
# Enable the record function for session logs in the security policy for service traffic.
Choose , click the created security policy policy1, and enable the function of recording session logs in .
- Customize the netflow session log format.
- Choose .
- Click Add to add a netflow session log template.
- Enter Name and ID, and select IPv4 or IPv6.
- Sending with Template is enabled by default. In this mode, netflow session logs contain the log header, template, and flow information. If Enable is deselected, netflow session logs do not carry template data. You need to negotiate with the third-party log host to determine whether to carry template data.
- The IPv4 and IPv6 IDs in the same template cannot be the same, and the IPv4 and IPv6 IDs in different templates can be the same.
- Select a log field to be appeared and click the arrow on the right of the field.
Log fields are listed in sequence. Those selected earlier are displayed at the beginning. You can also adjust the position of a log field or delete a log field by clicking the corresponding icon.
- Choose , set the netflow session log format to User-defined, and apply the configured netflow session log template.
- Configure the third-party log host and view logs on the host.
Configuration Scripts
# sysname FW # firewall log host 1 172.16.0.2 9996 # nat address-group add1 mode pat route enable section 0 1.1.1.10 1.1.1.1.5 # interface GigabitEthernet 0/0/1 undo shutdown ip address 192.168.0.1 255.255.255.0 # interface GigabitEthernet 0/0/2 undo shutdown ip address 172.16.0.1 255.255.255.0 # interface GigabitEthernet 0/0/3 undo shutdown ip address 1.1.1.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/1 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/3 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/2 # security-policy rule name trust_untrust session logging source-zone trust destination-zone untrust source-address 192.168.0.0 24 action permit # nat-policy rule name policy1 source-zone trust destination-zone untrust source-address 192.168.0.0 24 action source-nat address-group add1 # ip route-static 0.0.0.0 0.0.0.0 1.1.1.2 # session-log template name1 type netflow template id 655 ipv4 content protocol source-ip source-port source-nat-ip source-nat-port firewall log session log-type netflow template name1 # return