Policy Matching Logs
Policy matching logs record the security policies that traffic matches. Policy matching logs help you locate faults.
Context
The FW deployed between an intranet and the Internet generates logs when traffic matches any security policy.
Before viewing policy match logs, ensure that you have configured the security policy function on the FW.
Before querying policy matching logs, you have run the log type policy enable command on the FW to enable the recording of policy matching logs.
Before querying policy matching logs, run the policy logging command on the FW to enable the function of recording policy matching logs.
Procedure
- Choose to view policy matching logs.
- Choose Customize and select/deselect conditions for the display of policy matching logs.
- Optional: Click
to export policy matching logs in CSV format to the management PC. - Click Add Filter and select search conditions to filter logs.
If the device has no disk, click Advanced Search to filter logs.
- Optional: You can click
to save the current log query conditions as a log query template for future use.The next time you want to use these query conditions, you only need to click
to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click 
to delete a log query template. Only the user that creates a log query template can view or use this template.
Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.
Log Sample
The following figure shows the policy matching logs generated within a specific time range:
The following table lists the fields in a Policy matching log.
Field |
Description |
|---|---|
Time |
Time when a policy matching log is generated |
Source Zone |
Source security zone of traffic |
Destination Zone |
Destination security zone of traffic |
Source Region |
Source region of the traffic |
Destination Region |
Destination region of the traffic |
Source Address |
Source IP address of traffic |
Source User |
User who generates traffic |
Destination Address |
Destination IP address of traffic |
Source Port/Destination Port |
Source/Destination port of traffic |
Protocol |
Protocol type of traffic |
Application |
Application type of traffic |
Action |
Action defined in the security policy that traffic matches |
Security policy |
Security policy that traffic matches |
Virtual System |
Virtual system that generates the traffic |
During the analysis of policy matching logs, you can click Advanced Search, enter the name of the security name in Security Policy to display the action of the policy and take the following measures if necessary.
Field |
Setting |
|---|---|
Source Address/Destination Address |
Click the Source Address/Destination Address field value of a specific policy matching log. Add Blacklist Entry is displayed. The parameters in Add Blacklist Entry are as follows:
|
Source Region/Destination Region |
Click the Source Region/Destination Region field of a policy matching log, access Edit Region, and change the region configuration as required. |
Application |
Click the Application field value of a specific policy matching log. Application Details is displayed. You can view the details on the application and configure port mappings. For details on how to configure port mappings. |
Source User |
Click the Source User field value of a specific policy matching log. Modify User is displayed. You can modify user configurations. For details on how to modify user configurations . |
Security Policy |
Click the Security Policy field value of a specific policy matching log. Modify Security Policy is displayed. You can change the settings of the source address, destination address, user, application, time range, action, and security profile. For details on how to change the settings. |