
Verification and Check

This section describes the verification and check operations after the audit feature is configured.

Verification

After configuring the audit feature, you can do as follows to check the configuration result.

Operation: View the audit profile.
Command:   display profile type audit [ name name [ protocol { brd | ftp | http | im | mail } ] ]

Operation: View the audit policy rules.
Command:   display audit-policy rule { all | name rule-name } [ slot slot-id cpu cpu-id ]

Operation: View the configuration of HTTP status code audit.
Command:   display audit status-code configuration

After configuring the audit feature, you can do as follows to view or clear statistics:

Operation: View audit statistics.
Command:   display audit statistics [ slot slot-id cpu cpu-id ]

Operation: Clear the match counters of audit policy rules (the counters themselves are shown by display audit-policy rule).
Command:   reset audit-policy counter { all | rule rule-name }

Operation: Clear audit statistics.
Command:   reset audit statistics [ slot slot-id cpu cpu-id ]

Operation: View the statistics of HTTP status code audit.
Command:   display audit status-code statistics

Operation: Clear the statistics of HTTP status code audit.
Command:   reset audit status-code statistics

Viewing Logs

If traffic to be audited passes through the FW and matches an audit policy, the FW generates an audit log. The audit administrator can log in to the FW and view audit logs. The following is an audit log for FTP traffic.

AUDIT/6/FTP(l):The FTP audit policy was matched. (SyslogId=3875934209, VSys="public", AuditPolicy="policy_audit",
 SrcIp=192.168.0.2, DstIp=192.168.1.2, SrcPort=65255, DstPort=21, SrcZone=trust, DstZone=untrust, User="user01",
 Protocol=TCP, Application="FTP", Profile="profile_audit", AuditType="User Executing a Command", EventNum=1,
 Direction=upload, Command="USER 123", FileName="", FileSize=0, Action=allow)

The example above is an FTP audit log. In addition to FTP audit logs, the FW supports HTTP, IM, mail, and bulletin board (brd) audit logs. For details, see AUDIT. The following table describes the meaning of each field.

Field        Description
SyslogId     Log ID
VSys         Virtual system name
AuditPolicy  Name of the audit policy that was matched
SrcIp        Source IP address of the packet
DstIp        Destination IP address of the packet
SrcPort      Source port of the packet
DstPort      Destination port of the packet
SrcZone      Source security zone of the packet
DstZone      Destination security zone of the packet
User         User name
Protocol     Protocol name
Application  Application name
Profile      Name of the audit profile that was applied
AuditType    Audit type, which can be:
               • Command execution
               • FTP-based file transfer
EventNum     Number of merged audit events
Direction    File transfer direction: upload or download
Command      FTP command that was executed
FileName     Name of the audited file
FileSize     Size of the audited file
Action       Response action, which can be allow or block

When analyzing audit logs, if they show behaviors that may lead to information leaks, or non-work-related behaviors during working hours, modify the corresponding audit policy and audit profiles:

  • If users frequently access non-work-related websites during working hours, modify the URL filtering profile to blacklist these websites.
  • If users post confidential or non-work-related information on BBS or microblogs, modify the data filtering profile: add keywords describing the confidential information to the keyword group of the data filtering rules and set the action of those rules to block.
  • If users download large videos through HTTP or FTP, modify the application behavior control profile: set a size threshold for files that can be downloaded, so that downloads of files larger than this size are blocked.
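The review described above is usually done on exported logs rather than on the device. The following is an added example, not part of this document or of any Huawei tool: it parses AUDIT lines in the layout shown earlier into their header and Key=Value fields, then applies a few triage rules that mirror the guidance above (uploads out of the trust zone, transfers above a size threshold, blocked events). The first sample line is the FTP log from this page; the second is a constructed line in the same layout and is an assumption, as are the rule names and the 1,000,000-byte threshold.

```python
"""Parse FW AUDIT syslog lines and apply simple triage rules (added example)."""
import re

# Sample input: the page's FTP example, plus one constructed line (an
# assumption, not a captured log) in the same layout for an allowed upload.
SAMPLE_LOGS = [
    'AUDIT/6/FTP(l):The FTP audit policy was matched. (SyslogId=3875934209, '
    'VSys="public", AuditPolicy="policy_audit", SrcIp=192.168.0.2, DstIp=192.168.1.2, '
    'SrcPort=65255, DstPort=21, SrcZone=trust, DstZone=untrust, User="user01", '
    'Protocol=TCP, Application="FTP", Profile="profile_audit", '
    'AuditType="User Executing a Command", EventNum=1, Direction=upload, '
    'Command="USER 123", FileName="", FileSize=0, Action=allow)',
    # Constructed: the same user pushing a spreadsheet out of the trust zone.
    'AUDIT/6/FTP(l):The FTP audit policy was matched. (SyslogId=3875934210, '
    'VSys="public", AuditPolicy="policy_audit", SrcIp=192.168.0.2, DstIp=192.168.1.2, '
    'SrcPort=65260, DstPort=21, SrcZone=trust, DstZone=untrust, User="user01", '
    'Protocol=TCP, Application="FTP", Profile="profile_audit", '
    'AuditType="FTP-based file transfer", EventNum=1, Direction=upload, '
    'Command="STOR q3_forecast.xlsx", FileName="q3_forecast.xlsx", '
    'FileSize=2457600, Action=allow)',
]

# MODULE/severity/MNEMONIC(kind):message (Key=Value, Key="Value", ...)
HEADER_RE = re.compile(
    r'^(?P<module>[A-Z]+)/(?P<severity>\d)/(?P<mnemonic>\w+)\((?P<kind>\w)\):'
    r'(?P<message>[^(]*)\((?P<fields>.*)\)\s*$'
)
# A value is either double-quoted (may contain commas and spaces) or a bare
# token that runs up to the next comma or the closing parenthesis.
FIELD_RE = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>[^,)]*))')
INT_FIELDS = {"SyslogId", "SrcPort", "DstPort", "EventNum", "FileSize"}


def parse_audit_log(line):
    """Return a dict of header and body fields, or None if the line does not
    match the AUDIT layout. Integer-valued fields are converted to int."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {
        "module": m.group("module"),
        "severity": int(m.group("severity")),
        "mnemonic": m.group("mnemonic"),
        "message": m.group("message").strip(),
    }
    for f in FIELD_RE.finditer(m.group("fields")):
        key = f.group("key")
        value = f.group("quoted") if f.group("quoted") is not None else f.group("bare")
        rec[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return rec


def triage(rec, size_threshold=1_000_000):
    """Return the names of the triage rules a record trips. Rule names and the
    default threshold are this example's choices, not anything the FW defines."""
    findings = []
    if not rec or rec.get("module") != "AUDIT":
        return findings
    is_transfer = bool(rec.get("FileName"))  # command-only events carry an empty FileName
    if is_transfer and rec.get("Direction") == "upload" and rec.get("DstZone") == "untrust":
        findings.append("upload-to-untrust")
    if is_transfer and rec.get("FileSize", 0) > size_threshold:
        findings.append("large-transfer")
    if rec.get("Action") == "block":
        findings.append("blocked")
    return findings


def review(lines, size_threshold=1_000_000):
    """Map SyslogId -> findings for every parseable line that tripped a rule."""
    out = {}
    for line in lines:
        rec = parse_audit_log(line)
        hits = triage(rec, size_threshold)
        if hits:
            out[rec["SyslogId"]] = hits
    return out


if __name__ == "__main__":
    for syslog_id, hits in review(SAMPLE_LOGS).items():
        print(syslog_id, hits)
```

The page's own line parses cleanly but trips no rule (it is a USER command with no file), while the constructed STOR line is reported as both an upload to the untrust zone and a transfer above the threshold; these are the events for which the data filtering and application behavior control adjustments above would be considered.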

For operation details, see Security Policy.

Copyright © Huawei Technologies Co., Ltd.