Session Logs

The FW can output session information in different formats to log hosts.

Session logs are triggered under the following conditions:
  • After processing a packet, the FW sets up a session for it.
  • When the session log function is enabled in a security policy, sessions that match the deny or permit action of the security policy are logged.
  • When the size of log packets reaches 1400 bytes or 1 second has elapsed, the FW sends the logs to the log server.
The FW supports many types of session logs, each serving a different function.
Table 1 Session log type and function

| Log Type | Description |
|---|---|
| IPv4 session logs, including general IPv4 session logs and PAT and No-PAT mode session logs | Session logs help you better understand how sessions are created for the various services in the network. If source NAT is configured on the firewall, the session log also records the IP address before the NAT, which enables NAT source tracing. |
| General IPv6 session logs | Session logs help you better understand how sessions are created for the various services in the network. If source NAT is configured on the firewall, the session log also records the IP address before the NAT, which enables NAT source tracing. |
| IPv4 NAT No-PAT session logs (server-map logs) | You can better understand the establishment and aging conditions of the dynamic server-map by viewing the NAT No-PAT session logs. |
| IPv6 DS-Lite session logs | You can better understand the running status of the DS-Lite function and the DS-Lite session creation by viewing IPv6 DS-Lite session logs. |
| IPv6 NAT64 session logs | You can better understand the running status of the NAT64 function and the NAT64 session creation by viewing IPv6 NAT64 session logs. |
| IM session logs | You can better understand the online and offline status of instant messaging software, including QQ, by viewing the IM session logs. |
| URL session logs | When a URL session log is created on the firewall, a log recording the session information is output. |
| Half-open session logs | When a half-open session log is created on the firewall, a log recording the session information is output. |

For IPv4 and IPv6 session logs, the FW can also send session information to the log server after session aging or session creation, or periodically.
  • Session aging log: When a session on the FW ages, a log recording the session information is output.

    Session aging logs are sent only when FW sessions age. This helps filter out failed sessions, for which the numbers of sent and received packets are both 0. The function of outputting session aging logs is enabled by default, giving you a comprehensive view of session start and end times and of packet sending and receiving information.

  • Session creation log: When a session is created on the FW, a log recording the session information is output. Session creation logs are sent whenever the FW creates a session, regardless of whether traffic is properly transmitted.

    Session creation logs contain neither the session disconnection time nor packet sending/receiving information. In common cases, enabling only session aging logs is enough. If you are concerned about session creation on the FW but not about subsequent traffic transmission, you can enable the session creation log function. If you enable both the session creation log and session aging log functions, the number of logs received by the log server may surge, consuming storage space. Exercise caution in actual deployment.

  • Periodic session log: The FW outputs a log recording the session information at a set time interval. For example, certain persistent-connection services have a long session aging time; you can output session logs periodically to obtain packet sending and receiving information in a timely manner.

    A large number of session logs may compromise log server performance. Exercise caution when you enable this function.
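
The following Python example is added here and is not part of the original page: it performs the NAT source tracing mentioned in Table 1 over session aging records, using the session start and end times to disambiguate a reused translated port and skipping sessions whose sent and received packet counts are both 0. The key=value record layout and the field names (`begin`, `end`, `src`, `nat_src`, `dst`, `sent`, `recv`) are assumptions, not the FW's actual log format.

```python
from datetime import datetime
from ipaddress import ip_address

# Constructed sample records. The layout and field names are hypothetical;
# map them to the fields your log server actually receives from the FW.
SAMPLE_AGING_LOGS = """\
begin=2024-05-01T10:00:02 end=2024-05-01T10:04:40 proto=tcp src=10.1.1.15:50211 nat_src=203.0.113.7:20011 dst=198.51.100.20:443 sent=42 recv=57
begin=2024-05-01T10:03:10 end=2024-05-01T10:03:30 proto=tcp src=10.1.1.99:41000 nat_src=203.0.113.7:20012 dst=198.51.100.20:443 sent=0 recv=0
begin=2024-05-01T10:05:00 end=2024-05-01T10:09:00 proto=tcp src=10.1.2.8:33100 nat_src=203.0.113.7:20011 dst=198.51.100.20:443 sent=12 recv=9
"""


def parse_record(line):
    """Turn one key=value aging record into typed fields."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    for key in ("begin", "end"):
        rec[key] = datetime.fromisoformat(rec[key])
    for key in ("src", "nat_src", "dst"):
        host, _, port = rec[key].rpartition(":")
        rec[key] = (ip_address(host), int(port))
    rec["sent"], rec["recv"] = int(rec["sent"]), int(rec["recv"])
    return rec


def trace_nat_source(log_text, public_ip, public_port, seen_at):
    """Return the pre-NAT (ip, port) pairs that held public_ip:public_port at seen_at."""
    when = datetime.fromisoformat(seen_at)
    wanted = (ip_address(public_ip), public_port)
    sources = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["sent"] == 0 and rec["recv"] == 0:
            continue  # failed session: no packets in either direction
        if rec["nat_src"] != wanted:
            continue
        # A translated port is reused over time, so the session's lifetime
        # must cover the moment the traffic was observed.
        if rec["begin"] <= when <= rec["end"]:
            sources.append((str(rec["src"][0]), rec["src"][1]))
    return sources


if __name__ == "__main__":
    print(trace_nat_source(SAMPLE_AGING_LOGS, "203.0.113.7", 20011, "2024-05-01T10:06:00"))
```

Only aging records can answer this query reliably, because session creation logs carry no end time or packet counts.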

Various types of logs support different log formats and sending paths. The details are as follows.
Table 2 Session log format and output mode

| Log Type | Triggering Condition | Log Format | Log Output Mode |
|---|---|---|---|
| IPv4 session logs, including general IPv4 session logs and PAT and No-PAT mode session logs | Session aging | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| IPv4 session logs, including general IPv4 session logs and PAT and No-PAT mode session logs | Session creation | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| IPv4 session logs, including general IPv4 session logs and PAT and No-PAT mode session logs | Periodic session | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| General IPv6 session logs | Session aging | Binary, Syslog | Binary logs can be directly sent to the eLog. Syslogs can be sent to a third-party log server. |
| General IPv6 session logs | Session creation | Binary, Syslog | Binary logs can be directly sent to the eLog. Syslogs can be sent to a third-party log server. |
| IPv4 NAT No-PAT session logs (server-map logs) | The FW outputs session information in binary format to a log host when NAT No-PAT is performed. Strictly speaking, these are not NAT No-PAT session logs; they record information about the dynamic server-map table established by the NAT No-PAT session. The firewall outputs these logs when the server-map is established and again when the server-map ages. The contents of these logs are simple, including the mapping between IP addresses but not port information. | Binary | The logs are directly sent to the eLog. |
| IPv6 DS-Lite session logs | Session aging | Binary | The logs are directly sent to the eLog. |
| IPv6 DS-Lite session logs | Session creation | Binary | The logs are directly sent to the eLog. |
| IPv6 NAT64 session logs | Session aging | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| IPv6 NAT64 session logs | Session creation | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| IM session logs | When the FW parses online/offline packets of the IM software QQ and WeChat, the FW sends IM logs to the log server. | Binary, Syslog | Logs in binary format can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| URL session logs | When a user accesses a URL through the FW, the FW extracts the URL information from the HTTP interaction packet. After the complete URL is obtained, the FW immediately outputs a log recording the current session information. | Binary, Syslog | Logs in binary format can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |
| Half-open session logs | When a half-open session log is created on the FW, a log recording the session information is output. | Binary, Netflow, Syslog | Logs in binary and netflow formats can be directly sent to the eLog, and only one format of logs can be output at a time. Syslogs can be sent to a third-party log server. |

Copyright © Huawei Technologies Co., Ltd.