
Verification and Check

This section describes the verification and check operations after the audit feature is configured.

Verification

After configuring the audit feature, check the configuration result as follows:

  1. Check the audit profile.

    Choose Object > Audit Configuration, click the name of the audit profile to be checked, and verify that the parameter settings in the profile are correct.

  2. Check the audit policy.

    Choose Policy > Audit Policy, click the name of the audit policy to be checked, and verify that the audit profile is properly referenced.

Viewing Logs

If traffic to be audited passes through the FW and matches the audit policy, the FW generates an audit log. The audit administrator can log in to the FW and view audit logs.

Choose Monitor > Log > Audit Log to view audit logs. The following table describes the meaning of each field.

Field: Description

View: Click . In View Audit Log Details, the details on each field in an audit log are displayed. In View Audit Log Details, click the Audit Policy/Profile/Audit Content field value. You can view and operate field values.

Time: Time when an audit log is generated

Type: Audit log types:

  • FTP
  • HTTP
  • Email
  • IM
  • Bank Reminder Of Debts

Source Zone: Source security zone of traffic

Destination Zone: Destination security zone of traffic

Source Region: Source region of the traffic

Destination Region: Destination region of the traffic

Source Address: Source IP address of traffic

Destination Address: Destination IP address of traffic

Source User: User who generates traffic

Source Port/Destination Port: Source/Destination port of traffic

Protocol: Protocol type of traffic

Application: Application type of traffic

Audit Policy: Audit policy that traffic matches

Profile: Audit profile that traffic matches

Audit Behavior: User behaviors. The audit behaviors of different types are as follows:

  • FTP
    • FTP Command Execution
    • File Transfer Through FTP
  • HTTP
    • Web Browsing
    • Microblog Posting
    • BBS Posting
    • File Transfer Through HTTP
    • Search Keyword
    • Abnormal Access
  • Email
    • Sending Mail
    • Receiving Mail
  • IM
    • Login
    • Logout
    • IM File Transfer
  • Bank Reminder Of Debts
    • Treat Overdue
    • Login
    • Add Remark
    • Query Account
    • Query Treat
    • Query Billing

Audit Content: User behavior that is being audited

Virtual System: Virtual system that generates the traffic

In the audit log analysis process, you can click Advanced Search and select Audit Behavior to query the logs of different user behaviors. If audit logs show behaviors that may lead to information leaks or non-work-related behaviors during working hours, you can modify the corresponding audit policy and audit profiles.

Field: Setting

Audit Policy: Click the Audit Policy field value of a specific audit log. In Modify Audit Policy, you can change the settings of the source address, destination address, user, application, time range, action, and audit profile. For details on how to change the settings, see Configuring an Audit Policy.

Profile: Click the Profile field value of a specific audit log. Modify Audit Profile is displayed. You can reconfigure the audit or other profiles. For example:

  • If users frequently access non-work-related websites during working hours, you can modify the URL filtering profile to blacklist these websites.
  • If users post confidential information and non-work-related information on BBS or microblogs, modify the data filtering profile. Add keywords about the confidential information to the keyword group of data filtering rules and set the action for the rules to block.
  • If users download large-sized videos through HTTP or FTP, modify the application behavior control profile. Set a threshold size for files that can be downloaded. Downloading of files larger than this size will be blocked.

For operation details, see Security Policy.
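
The per-behavior review described under Viewing Logs can also be done offline. The following is an added example, not part of the product documentation. It assumes audit log records are available as CSV with column headers named after the fields in the table above; the CSV layout, timestamp format, working hours, and the grouping of behaviors as leak-prone are all assumptions, and the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, time

# Audit Behavior values taken from the field table; treating this subset as
# leak-prone is an assumption made for the example.
LEAK_BEHAVIORS = {
    "File Transfer Through FTP", "File Transfer Through HTTP",
    "Microblog Posting", "BBS Posting", "Sending Mail", "IM File Transfer",
}
WORK_START, WORK_END = time(9, 0), time(18, 0)  # assumed working hours

# Constructed sample rows. Column names follow the field table; the CSV
# layout and timestamp format are assumptions, not a documented export format.
SAMPLE_CSV = """Time,Type,Source User,Source Address,Audit Policy,Audit Behavior,Audit Content
2024-03-04 10:12:05,HTTP,alice,10.1.1.10,audit_office,BBS Posting,forum.example/post
2024-03-04 10:15:40,HTTP,alice,10.1.1.10,audit_office,File Transfer Through HTTP,report.zip
2024-03-04 11:02:13,FTP,bob,10.1.1.11,audit_office,FTP Command Execution,LIST
2024-03-04 21:30:00,Email,alice,10.1.1.10,audit_office,Sending Mail,subject: hello
2024-03-04 14:45:09,IM,carol,10.1.1.12,audit_office,IM File Transfer,design.pdf
2024-03-04 15:00:00,HTTP,,10.1.1.13,audit_office,Microblog Posting,status update
"""

def summarize(csv_text, threshold=2):
    """Return (hits per (user, policy, behavior), users with >= threshold hits)."""
    counts, per_user = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Audit Behavior"] not in LEAK_BEHAVIORS:
            continue
        ts = datetime.strptime(row["Time"], "%Y-%m-%d %H:%M:%S")
        if not (WORK_START <= ts.time() < WORK_END):
            continue
        # A row may have no Source User (assumed possible); use the address.
        user = row["Source User"] or row["Source Address"]
        counts[(user, row["Audit Policy"], row["Audit Behavior"])] += 1
        per_user[user] += 1
    flagged = sorted(u for u, n in per_user.items() if n >= threshold)
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_CSV)
    for (user, policy, behavior), n in sorted(counts.items()):
        print(f"{user:12} {policy:14} {behavior:28} {n}")
    print("review audit policy/profile for:", flagged)
```

Grouping by Audit Policy alongside the user shows which policy and profile to open in Modify Audit Policy or Modify Audit Profile when a pattern needs tightening.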

Copyright © Huawei Technologies Co., Ltd.