Additional data when logging outbound firewall rules


#1

Some outbound firewall rules are based on a domain name rather than an IP address. In this case, the data that is logged has only the IP address, not the domain name. My new feature request is to add the domain name to the data that is logged. Or, better still, add the name of the outbound firewall rule to the data that is logged. Thank you.

Sample log entry for an outbound firewall rule:

Denied CONN=lan SRC=192.168.32.191 DST=4.179.242.233 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=30480 DF PROTO=TCP SPT=64805 DPT=443 WINDOW=8192 RES=0x00 SYN URGP=0 MARK=0x3
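
An added example, not part of the original post and not vendor code: one way to put the rule name and domain back onto a log entry like the one above once it has been collected, by parsing the line and looking DST up in a table of domain-based rules. The `RULES` table, its rule names and the domain `blocked.example` are constructed placeholders; an address claimed by more than one rule is reported as ambiguous rather than guessed.

```python
import ipaddress

# The "Denied" line quoted in the post above, embedded as sample input.
SAMPLE = ("Denied CONN=lan SRC=192.168.32.191 DST=4.179.242.233 LEN=48 TOS=0x00 "
          "PREC=0x00 TTL=127 ID=30480 DF PROTO=TCP SPT=64805 DPT=443 WINDOW=8192 "
          "RES=0x00 SYN URGP=0 MARK=0x3")

# Assumption: a table you maintain yourself, mapping each domain-based outbound
# rule to the addresses its domain resolved to. Names here are constructed.
RULES = {
    "block-example": {"domain": "blocked.example", "ips": {"4.179.242.233"}},
}

def parse_fw_line(line):
    """Split a firewall log line into its action, KEY=VALUE fields and bare flags."""
    tokens = line.split()
    if not tokens:
        raise ValueError("empty log line")
    entry = {"action": tokens[0], "flags": []}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if sep:
            entry[key] = value          # e.g. DST=4.179.242.233
        else:
            entry["flags"].append(tok)  # e.g. DF, SYN
    for field in ("SRC", "DST"):
        if field in entry:
            ipaddress.ip_address(entry[field])  # raises ValueError if malformed
    return entry

def annotate(entry, rules):
    """Return a copy of entry with the matching rule name and domain added."""
    dst = entry.get("DST")
    matches = sorted((name, rule["domain"]) for name, rule in rules.items()
                     if dst in rule["ips"])
    # One address can serve many domains (shared hosting, CDNs), so only a
    # unique match is trusted; anything else is left unnamed and flagged.
    rule_name, domain = matches[0] if len(matches) == 1 else (None, None)
    return {**entry, "rule": rule_name, "domain": domain,
            "ambiguous": len(matches) > 1}

if __name__ == "__main__":
    print(annotate(parse_fw_line(SAMPLE), RULES))
```
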


#2

Hi Michael,

Just to check: is the initiated connection based on HTTP/HTTPS?
We recommend using content blocking to block HTTP/HTTPS requests. You can have URL logging for Web Blocking.


Sample logs:

Access:
Jul 19 10:13:12 mfa-379f URL Logging: URL=http://www.porn.com/ SRC=172.16.200.12 DST=127.0.0.1 SNATIP=172.16.200.12 SRCMAC=38:aa:3c:73:14:5f SPT=42509 DPT=8080

Blocked:
Jul 19 10:13:12 mfa-379f URL Logging: Domain <www.porn.com> has been blocked by content filter category <porn>

Access:
Jul 19 10:13:24 mfa-379f URL Logging: URL=http://www.playboy.com/ SRC=172.16.200.12 DST=127.0.0.1 SNATIP=172.16.200.12 SRCMAC=38:aa:3c:73:14:5f SPT=42827 DPT=8080

Blocked:
Jul 19 10:13:24 mfa-379f URL Logging: Domain <www.playboy.com> has been blocked by content filter category <porn>

Thank You


#3

Thank you sitloongs.

The issue I have with the content blocking feature is that it is limited to HTTP and HTTPS. In contrast, my understanding is that an outgoing firewall rule blocks all access to a domain name.

I’m not familiar with setting up a syslog server, will look into whether my NAS supports it…