This section provides an example for outputting customized netflow session logs to a third-party log host through the CLI.
As shown in Figure 1, the FW is deployed on the network border. The network environment is as follows: intranet users on 192.168.0.0/24 connect to GigabitEthernet 0/0/1 (192.168.0.1), which is in the Trust zone; the third-party log server (172.16.0.2) connects to GigabitEthernet 0/0/2 (172.16.0.1), which is in the DMZ; GigabitEthernet 0/0/3 (1.1.1.1), in the Untrust zone, connects to the Internet through the next hop 1.1.1.2.
The FW is required to send the session information generated when intranet users access the Internet to the third-party log server in the customized netflow IPv4 format. The administrator can then view and analyze the session information on the third-party log server.
This example provides only the FW configuration. For the third-party log server configuration, see the third-party log server product document.
Set the system time correctly during the initial configuration. Changing the system time while the device is running results in incorrect timestamps in historical logs. The log server must use the same time zone as the FW.
# Configure an IP address for GigabitEthernet 0/0/1.
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 192.168.0.1 24
[FW-GigabitEthernet 0/0/1] quit
# Configure an IP address for GigabitEthernet 0/0/2.
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ip address 172.16.0.1 24
[FW-GigabitEthernet 0/0/2] quit
# Configure an IP address for GigabitEthernet 0/0/3.
[FW] interface GigabitEthernet 0/0/3
[FW-GigabitEthernet 0/0/3] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/3] quit
# Add GigabitEthernet 0/0/1 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/1
[FW-zone-trust] quit
# Add GigabitEthernet 0/0/2 to the DMZ.
[FW] firewall zone dmz
[FW-zone-dmz] add interface GigabitEthernet 0/0/2
[FW-zone-dmz] quit
# Add GigabitEthernet 0/0/3 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/3
[FW-zone-untrust] quit
# Configure a Trust-Untrust interzone security policy and enable the session log function. The session log function takes effect only when the policy action is set to permit.
[FW] security-policy
[FW-policy-security] rule name trust_untrust
[FW-policy-security-rule-trust_untrust] source-zone trust
[FW-policy-security-rule-trust_untrust] destination-zone untrust
[FW-policy-security-rule-trust_untrust] source-address 192.168.0.0 24
[FW-policy-security-rule-trust_untrust] action permit
[FW-policy-security-rule-trust_untrust] session logging
[FW-policy-security-rule-trust_untrust] quit
[FW-policy-security] quit
Session log packets sent by the FW itself are not subject to packet filtering, so no security policy needs to be configured for them. The preceding security policy, which permits and logs the user traffic, is sufficient.
# Configure NAT address pool add1 and set the mode to PAT. In this example, the public address range is 1.1.1.10 to 1.1.1.15.
[FW] nat address-group add1
[FW-address-group-add1] mode pat
[FW-address-group-add1] section 0 1.1.1.10 1.1.1.15
[FW-address-group-add1] route enable
[FW-address-group-add1] quit
# Configure a NAT policy.
[FW] nat-policy
[FW-policy-nat] rule name policy1
[FW-policy-nat-rule-policy1] source-zone trust
[FW-policy-nat-rule-policy1] destination-zone untrust
[FW-policy-nat-rule-policy1] source-address 192.168.0.0 24
[FW-policy-nat-rule-policy1] action source-nat address-group add1
[FW-policy-nat-rule-policy1] quit
[FW-policy-nat] quit
# Configure a default route. In this example, the next hop of the FW to the Internet is 1.1.1.2.
[FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
# Configure the log host (172.16.0.2, UDP port 9996), the source address and port the FW uses to send logs (172.16.0.1, port 6666), and set the session log format to netflow.
[FW] firewall log host 1 172.16.0.2 9996
[FW] firewall log source 172.16.0.1 6666
[FW] firewall log session log-type netflow
# Create netflow session log template name1 and define the fields carried in the IPv4 session log. Template ID 655 must match what the third-party log host expects.
[FW] session-log template name1 type netflow
[FW-netflow-template-name1] template id 655 ipv4 content protocol source-ip source-port source-nat-ip source-nat-port
To customize netflow IPv6 session logs, run the following command:
[FW-netflow-template-name1] template id 655 ipv6 content protocol source-ip source-port source-nat-ip source-nat-port
# Return to the system view and bind template name1 to netflow session logs.
[FW-netflow-template-name1] quit
[FW] firewall log session log-type netflow template name1
By default, netflow session logs contain the log header, template, and flow information. The template can also be configured so that the exported session logs do not carry template data; in that case the log host can decode the flow records only if it already knows template 655. Whether template data is required must be negotiated with the third-party log host.
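The following script is an added example, not part of the FW documentation or of the FW's own software. Assuming that the netflow format here is NetFlow v9 (the netflow version that carries templates), it is a minimal collector-side decoder for packets shaped like those template name1 produces (template ID 655 with protocol, source-ip, source-port, source-nat-ip, source-nat-port), and it shows what the log host sees when the template data is omitted. The element IDs assigned to the five fields and the two sample records are assumptions constructed for illustration; the FW documentation does not state which element IDs the FW emits.

```python
import socket
import struct

HDR = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

# Template ID from the FW configuration. The element IDs are the standard NetFlow v9 /
# IPFIX numbers for these fields and are an ASSUMPTION, not taken from the FW documentation.
TEMPLATE_ID = 655
FIELDS = [
    (4, 1, "protocol"),           # PROTOCOL
    (8, 4, "source-ip"),          # IPV4_SRC_ADDR
    (7, 2, "source-port"),        # L4_SRC_PORT
    (225, 4, "source-nat-ip"),    # postNATSourceIPv4Address
    (227, 2, "source-nat-port"),  # postNAPTSourceTransportPort
]
NAMES = {ftype: name for ftype, _, name in FIELDS}
IP_FIELDS = {8, 12, 225, 226}     # 4-byte IPv4 address elements

def encode_record(proto, sip, sport, nip, nport):
    # One 13-byte data record in the field order of TEMPLATE_ID
    return (struct.pack("!B", proto) + socket.inet_aton(sip) + struct.pack("!H", sport)
            + socket.inet_aton(nip) + struct.pack("!H", nport))

def template_flowset(tid, fields):
    body = struct.pack("!HH", tid, len(fields))
    body += b"".join(struct.pack("!HH", ftype, flen) for ftype, flen, _ in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body   # FlowSet ID 0 = template

def data_flowset(tid, records):
    body = b"".join(records)
    body += b"\x00" * (-len(body) % 4)                    # pad to a 32-bit boundary
    return struct.pack("!HH", tid, 4 + len(body)) + body

def packet(flowsets, count, seq, source_id=1):
    # count = number of template + data records carried, not the number of FlowSets
    return HDR.pack(9, count, 60_000, 1_700_000_000, seq, source_id) + b"".join(flowsets)

class Collector:
    """Decodes v9 packets; templates are remembered per (source_id, template_id)."""

    def __init__(self, templates=None):
        self.templates = dict(templates or {})
        self.undecodable_flowsets = 0    # data FlowSets that arrived before their template

    def parse(self, pkt):
        version, _count, _uptime, _secs, _seq, src = HDR.unpack_from(pkt, 0)
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        flows, off = [], HDR.size
        while off + 4 <= len(pkt):
            fsid, flen = struct.unpack_from("!HH", pkt, off)
            if flen < 4 or off + flen > len(pkt):
                raise ValueError("malformed FlowSet length")
            body = pkt[off + 4:off + flen]
            if fsid == 0:
                self._learn_templates(src, body)
            elif fsid >= 256:                # ID 1 = options template, not used here
                flows.extend(self._decode_data(src, fsid, body))
            off += flen
        return flows

    def _learn_templates(self, src, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            if tid == 0:                     # zero padding at the end of the FlowSet
                break
            pos += 4
            self.templates[(src, tid)] = [struct.unpack_from("!HH", body, pos + 4 * i)
                                          for i in range(nfields)]
            pos += 4 * nfields

    def _decode_data(self, src, tid, body):
        spec = self.templates.get((src, tid))
        if spec is None:                     # without the template the bytes are opaque
            self.undecodable_flowsets += 1
            return []
        reclen, out, pos = sum(flen for _, flen in spec), [], 0
        while pos + reclen <= len(body):     # trailing padding is shorter than one record
            rec = {}
            for ftype, flen in spec:
                raw, pos = body[pos:pos + flen], pos + flen
                rec[NAMES.get(ftype, f"field{ftype}")] = (socket.inet_ntoa(raw)
                    if ftype in IP_FIELDS and flen == 4 else int.from_bytes(raw, "big"))
            out.append(rec)
        return out

def demo():
    # Constructed sample: two intranet sessions after source NAT to pool add1
    recs = [encode_record(6, "192.168.0.10", 51234, "1.1.1.10", 2048),
            encode_record(17, "192.168.0.20", 53000, "1.1.1.11", 2049)]
    tmpl, data = template_flowset(TEMPLATE_ID, FIELDS), data_flowset(TEMPLATE_ID, recs)
    with_template = packet([tmpl, data], count=3, seq=1)   # default export: template + flows
    data_only = packet([data], count=2, seq=2)             # export with template data suppressed
    learned = Collector().parse(with_template)
    cold = Collector()
    lost = cold.parse(data_only)                           # collector knows no template yet
    seeded = Collector({(1, TEMPLATE_ID): [(f, l) for f, l, _ in FIELDS]}).parse(data_only)
    return learned, lost, cold.undecodable_flowsets, seeded
```

A real receiver only needs to bind a UDP socket to port 9996 on the log host (172.16.0.2, as configured with firewall log host) and pass each datagram to Collector.parse. The point of demo() is the third value it returns: a collector that starts receiving after the FW has been configured to omit template data decodes nothing until it is pre-seeded with template 655, which is why the template-data setting has to be agreed with the log host. In NetFlow v9 the exporter is also expected to resend templates periodically, so a collector that misses a packet recovers only when the template next appears.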
The following script uses the netflow IPv4 session log as an example.
#
sysname FW
#
firewall log host 1 172.16.0.2 9996
firewall log source 172.16.0.1 6666
firewall log session log-type netflow
#
nat address-group add1
 mode pat
 route enable
 section 0 1.1.1.10 1.1.1.15
#
interface GigabitEthernet 0/0/1
 undo shutdown
 ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 undo shutdown
 ip address 172.16.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/2
#
security-policy
 rule name trust_untrust
  session logging
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action permit
#
nat-policy
 rule name policy1
  source-zone trust
  destination-zone untrust
  source-address 192.168.0.0 24
  action source-nat address-group add1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
session-log template name1 type netflow
 template id 655 ipv4 content protocol source-ip source-port source-nat-ip source-nat-port
firewall log session log-type netflow template name1
#
return