
Traffic Logs

Traffic logs provide visibility into traffic signatures, bandwidth usage, and how the configured security and bandwidth policies have been applied.

Context

The FW is deployed between the Internet and the network to be protected. Sessions are created when traffic passes through the FW. When a session ages out after a certain period, the FW records a traffic log for it.

Before querying traffic logs, ensure that you have run the log type traffic enable command to enable the recording of traffic logs.

To limit log volume at a finer granularity, you can run the traffic logging enable command to enable traffic logging for an individual security policy and the default traffic logging enable command to enable traffic logging for the default security policy. You can also configure this on the web UI by choosing Policy > Security Policy > Security Policy and clicking Record Traffic Logs.

Procedure

  1. Choose Monitor > Logs > Traffic Logs.
  2. Choose Customize and select/deselect conditions for traffic log display.
  3. Optional: Click to export traffic logs in CSV format to the management PC.
  4. Click Add Filter and enter search criteria to search for traffic logs.

    If the device has no disk, click Advanced Search to filter logs.

  5. Optional: You can click to save the current log query conditions as a log query template for future use.

    The next time you want to use these query conditions, you only need to click to select the template name and click OK. Then the system queries logs based on the template conditions. The device administrator can click Template Distribution to view the number of templates created by each user. In addition, you can click to delete a log query template.

    Only the user that creates a log query template can view or use this template.

    Each log page supports a maximum of 10 log query templates, and a device supports a maximum of 1000 log query templates.

Log Sample

The following figure shows the traffic logs generated within a specific time range:

The following table lists the fields in a traffic log.

View: Click the icon. In View Traffic Log Details, the details of each field in the traffic log are displayed. In View Traffic Log Details, click the Source Address, Destination Address, Source User, Application, Security Policy, or Traffic Policy field value to view and operate on the existing settings for that field.

Time: Time when the traffic log is generated.

Source Zone: Source security zone of the traffic.

Destination Zone: Destination security zone of the traffic.

Source Region: Source region of the traffic.

Destination Region: Destination region of the traffic.

Source Address: Source IP address of the traffic.

Source User: User who generates the traffic.

Destination Address: Destination IP address of the traffic.

Source Port: Source port of the traffic.

Destination Port: Destination port of the traffic.

Application: Application type of the traffic.

Protocol: Protocol type of the traffic.

Security Policy: Security policy that the traffic matches.

Traffic Policy: Traffic policy that the traffic matches.

Total Traffic: Traffic volume of the session.

Inbound Interface: Inbound interface of the traffic.

Outbound Interface: Outbound interface of the traffic.

Session Close Reason: Cause of session termination, which is one of the following:

  • policy-deny: Packets are discarded by a security policy.
  • default-policy-deny: Packets are discarded by default packet filtering.
  • session miss: Packets are discarded because they match no session. Typically, a TCP non-SYN packet arrives at the device but no corresponding session exists, so the packet is dropped.
  • block: Packets are blocked. Typically, the IPS detects an attack and sets the session to the block state, so all subsequent packets matching that session are blocked.
  • tcp-rst: The session ages after the FW receives an RST packet. The TCP connection terminated abnormally, and the device closes the session on receiving the reset.
  • tcp-fin: The session ages after the FW receives a FIN packet. The TCP connection terminated normally, and the device closes the session on receiving the FIN.
  • aged-out: Each session has an aging time. If the peer sends no packet within the aging time, the session is closed.

Virtual System: Virtual system that generates the traffic.

During traffic log analysis, you can click Advanced Query and enter a value in Total Traffic to query the logs of sessions whose traffic volume exceeds that value. Based on the displayed logs, you can take the following measures as necessary.
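As an added example (not part of the Huawei documentation), the following script performs the same triage offline on a CSV export of the traffic logs: it applies the Total Traffic threshold query, tallies the Session Close Reason values from the table above, and lists source addresses with repeated FW-side denials. The CSV header and sample rows are constructed from the field names on this page; the exact header of a real export is not documented here, and Total Traffic is assumed to be in bytes.

```python
import csv
import io
from collections import Counter

# Constructed sample export. Column names follow the field table on this page;
# the real export header is not documented here, so adjust names if they differ.
# Total Traffic is assumed to be in bytes.
SAMPLE_CSV = """\
Time,Source Zone,Destination Zone,Source Address,Destination Address,Source Port,Destination Port,Application,Protocol,Security Policy,Total Traffic,Session Close Reason
2024-01-01 10:00:01,trust,untrust,10.0.0.5,203.0.113.10,51000,443,HTTPS,TCP,allow_web,1048576,tcp-fin
2024-01-01 10:00:02,untrust,trust,198.51.100.7,10.0.0.20,40000,445,SMB,TCP,default,0,default-policy-deny
2024-01-01 10:00:03,trust,untrust,10.0.0.9,203.0.113.44,52000,22,SSH,TCP,allow_admin,734003200,tcp-rst
2024-01-01 10:00:04,untrust,dmz,198.51.100.7,10.0.1.3,40001,80,HTTP,TCP,allow_dmz,12000,block
2024-01-01 10:00:05,trust,untrust,10.0.0.5,203.0.113.10,51001,443,HTTPS,TCP,allow_web,2048,session miss
"""

# Close reasons from the table that mean the FW itself dropped the traffic.
DENY_REASONS = {"policy-deny", "default-policy-deny", "session miss", "block"}


def parse_traffic_log(text):
    """Parse exported CSV text into dicts; Total Traffic becomes an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["Total Traffic"] = int(row["Total Traffic"])
    return rows


def sessions_over(rows, threshold_bytes):
    """Offline equivalent of Advanced Query on Total Traffic."""
    return [r for r in rows if r["Total Traffic"] > threshold_bytes]


def close_reason_summary(rows):
    """Count sessions per Session Close Reason and how many were FW-side denials."""
    counts = Counter(r["Session Close Reason"] for r in rows)
    denied = sum(n for reason, n in counts.items() if reason in DENY_REASONS)
    return counts, denied


def repeat_denied_sources(rows):
    """Source addresses with more than one denied session, worth a closer look."""
    hits = Counter(r["Source Address"] for r in rows
                   if r["Session Close Reason"] in DENY_REASONS)
    return {addr: n for addr, n in hits.items() if n > 1}
```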

Table 1 Traffic log field settings

Source Address/Destination Address: Click the Source Address or Destination Address field value of a specific traffic log. Add Blacklist Entry is displayed, with the following parameters:

  • Type: Source address or destination address, set automatically according to the field you clicked.
  • Source IP/Destination IP: The source or destination IP address, filled in automatically from the log.
  • Protocol: The protocol type, filled in automatically from the log.
  • Source Port/Destination Port: The source or destination port, filled in automatically from the log.
  • Timeout: Use either of the following methods to set a timeout period for the blacklist entry:

    • Select Unlimited to blacklist the source/destination address permanently.
    • Enter a timeout period.

Source Region/Destination Region: Click the Source Region or Destination Region field value, access the Edit page, and change the region configuration as required. For details.

Source User: Click the Source User field value of a specific traffic log. Modify User is displayed. For details on how to modify user configurations.

Application: Click the Application field value of a specific traffic log. Application Details is displayed. You can view application details and configure port mappings. For details on how to configure port mappings.

Security Policy: Click the Security Policy field value of a specific traffic log. Modify Security Policy is displayed. You can change the settings of the source address, destination address, user, application, time range, action, and security profile. For details on how to change the settings.

Traffic Policy: Click the Traffic Policy field value of a specific traffic log. Modify Traffic Policy is displayed. You can change the settings of the source address, destination address, user, application, time range, and action. For details on how to change the settings.

Copyright © Huawei Technologies Co., Ltd.