Microsoft Forefront TMG 2010 - Firewall Log Fields

| Bit number | Field name (log viewer) | Field name (W3C format) | Description |
|---|---|---|---|
| 0 | Server Name | computer | The name of the Forefront TMG computer assigned in the operating system settings. |
| 1 | Log Date | date | The date on which the logged event occurred. In the SQL Server and SQL Server Express formats, both the date and the local time are included in the single logTime field. |
| 2 | Log Time | time | The time when the logged event occurred. In the W3C extended file format this time is in Coordinated Universal Time (UTC). In all other formats, this is the local time. In the SQL Server and SQL Server Express formats, both the date and the time are included in the single logTime field. |
| 3 | Transport | IP Protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | Client IP and Port | source | The IP address of the requesting client and the source port used. In SQL Server and SQL Server Express formats, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type. |
| 5 | Destination IP and Port | destination | The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server and SQL Server Express formats, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code. |
| 6 | Original Client IP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | source network | The network from which the request originated. |
| 8 | Destination Network | destination network | The network to which the request was sent. |
| 9 | Action | action | The action performed by the firewall for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | status | A Windows error code or a Forefront TMG error code in HRESULT format. |
| 11 | Rule | rule | The rule that either allowed or denied access to the request, as follows. If an outgoing request was allowed, this field reflects the access rule that allowed the request; if the request was denied, this field reflects the access rule that blocked the request. If an incoming request was allowed, this field reflects the Web publishing server or publishing rule that allowed the request; if the request was denied, this field reflects the Web publishing server or publishing rule that denied the request. If the incoming or outgoing request was denied for a reason other than policy rules (for example, due to an intrusion attempt or exceeding a flood resiliency threshold), the field is empty and the Result Code field indicates the reason. |
| 12 | Protocol | application protocol | The name of the application protocol used for the connection, as defined in the collection of protocol definitions. |
| 13 | Bidirectional | bidirectional | A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytes received | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytes received intermediate | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | connection time | The total time, in milliseconds, that Forefront TMG needed to process the current connection. It measures the time elapsed from the moment the Forefront TMG computer first received the request to the moment final processing occurred on the Forefront TMG computer, that is, when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connection time intermediate | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Destination Host Name | destination name | The domain name of the remote computer that provides service to the current connection. |
| 21 | Client Username | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 22 | Client Agent | agent | For clients with Forefront TMG Client software installed, this is the name of the application that made the network request. This field is not applicable to SecureNAT client sessions. |
| 23 | Session ID | session ID | An identifier that identifies a session's connections. For Forefront TMG clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
| 24 | Connection ID | connection ID | An identifier that identifies entries belonging to the same connection. Outbound TCP usually has two entries for each connection: one when the connection is established and one when it is terminated. UDP usually has two entries for each remote address. |
| 25 | Network Interface | interface | The network adapter on the Forefront TMG computer with which the connection was established. |
| 26 | Raw IP Header | IP header | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and dropped by Forefront TMG. |
| 27 | Raw Payload | protocol payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and dropped by Forefront TMG. |
| 28 | GMT Log Time | GMT Time | The GMT time that corresponds to the local time in the logTime field. |
| 29 | NIS Scan Result | NIS scan result | The result when NIS scans the traffic or connection (inspected/detected/blocked). |
| 30 | NIS Signature | NIS signature | The NIS signature that was detected or based on which the traffic was blocked. |
| 31 | NAT Address | NAT Address | The public IP address used as the source IP for outbound traffic. |
| 32 | Forefront TMG Client FQDN | fwc-client-fqdn | The FQDN of the client computer for a Forefront TMG Client connection. |
| 33 | Forefront TMG Client Application Path | fwc-app-path | The full path of the client application for a Forefront TMG Client connection. |
| 34 | Firewall Client Application SHA1 Hash | fwc-app-sha1-hash | The SHA1 hash value calculated for the executable file of the client application and used by Forefront TMG Client to request a network connection. |
| 35 | Forefront TMG Client Application trust state | fwc-app-trust-state | A value from the FpcFwcClientApplicationTrustState enumerated type that indicates whether the client application is trusted by the operating system running on the client computer. |
| 36 | Forefront TMG Client Application Internal Name | fwc-app-internal-name | The internal name of the client application. |
| 37 | Forefront TMG Client Application Product Name | fwc-app-product-name | The product name of the client application. |
| 38 | Forefront TMG Client Application Product Version | fwc-app-product-version | The product version of the client application. |
| 39 | Forefront TMG Client Application File Version | fwc-app-file-vrsion | The file version of the client application. |
| 40 | Forefront TMG Client Application Original File Name | fwc-app-original-file-name | The original name of the client application. |
| 41 | Internal Service Info Log Fields | internal-service-info | Internal. |
| 42 | NIS Application Protocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 43 | Forefront TMG Client Version | fwc-version | The version number of the Forefront TMG Client. |
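The following is an added example (not Microsoft's code) that reads a Forefront TMG firewall log in W3C format using the W3C field names above and separates denials caused by a named rule from denials whose rule field is empty, where the Result Code alone carries the reason. It assumes the W3C log is tab-separated with a `#Fields:` directive; the log excerpt, the action strings and the status values are constructed for the example and are not taken from a real TMG installation.

```python
# Constructed TMG W3C log excerpt (tab-separated). Column names are the W3C
# names from the field table; action and status values are constructed.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft(R) Forefront(TM) Threat Management Gateway",
    "#Fields: computer\tdate\ttime\tIP Protocol\tsource\tdestination\taction"
    "\tstatus\trule\tapplication protocol\tbytes sent\tbytes received\tusername",
    # denied by a named access rule
    "TMG01\t2024-01-02\t08:00:01\tTCP\t10.0.0.5:51000\t203.0.113.10:443"
    "\tDenied Connection\t0xC0040001\tBlock P2P\tHTTPS\t-\t-\tCONTOSO\\alice",
    # denied with an empty rule field: the reason is only in the result code
    "TMG01\t2024-01-02\t08:00:02\tTCP\t10.0.0.9:51001\t203.0.113.20:80"
    "\tDenied Connection\t0xC0040002\t\tHTTP\t0\t0\tanonymous",
    # allowed; a trailing '?' marks a user name that was sent but not authenticated
    "TMG01\t2024-01-02\t08:00:03\tTCP\t10.0.0.5:51002\t203.0.113.30:443"
    "\tAllowed Connection\t0x0\tAllow Web\tHTTPS\t812\t4096\tCONTOSO\\bob?",
])

def parse_w3c(text: str) -> list[dict[str, str]]:
    """Return one dict per data line, keyed by the names in the #Fields line."""
    fields: list[str] = []
    entries: list[dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line:
            continue  # other directives and blank lines
        else:
            values = line.split("\t")  # keeps empty cells such as a blank rule
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
            entries.append(dict(zip(fields, values)))
    return entries

def classify(entry: dict[str, str]) -> str:
    """Label a denial by whether a policy rule or something else blocked it."""
    if "denied" not in entry["action"].lower():
        return "allowed"
    if entry["rule"]:
        return "policy-deny"      # the access or publishing rule is named
    return "non-policy-deny"      # empty rule: the status (HRESULT) holds the reason

def unauthenticated(entry: dict[str, str]) -> bool:
    """True when the user name was sent but TMG did not authenticate it."""
    return entry["username"].endswith("?")

def byte_count(value: str) -> int:
    """Bytes sent/received: a hyphen means the count was not provided."""
    return 0 if value == "-" else int(value)
```

Entries labelled `non-policy-deny` are the ones worth routing to a separate review queue, since the Result Code rather than a rule name explains why TMG dropped them.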
 