Network Traffic Log
Cyberoam provides extensive logging capabilities for traffic, system, and network protection functions. Detailed log
information and reports provide historical as well as current analysis of network activity to help identify security
issues and reduce network misuse and abuse.
Cyberoam provides the following logs:
DoS Attack Log
Invalid Traffic Log
Firewall Rule Log
Local ACL Log
Dropped ICMP Redirected Packet Log
Dropped Source Routed Packet Log
Cyberoam sends the network traffic log to the configured syslog server; check your syslog server to view the logs.
By default only firewall rule logging is ON, i.e. only traffic allowed or denied by a firewall rule is logged; the other logs listed above are off until enabled.
Each network traffic log record carries the following data fields (SR. No., Data Field, Type and Description):

1. Date (date)
   Date (yyyy-mm-dd) when the event occurred.
   For allowed traffic: the date on which the connection was started on Cyberoam.
   For dropped traffic: the date when the packet was dropped by Cyberoam.
2. Time (time)
   Time (hh:mm:ss) when the event occurred.
   For allowed traffic: the time when the connection was started on Cyberoam.
   For dropped traffic: the time when the packet was dropped by Cyberoam.
3. Device Name (string)
   Model number of the Cyberoam appliance.
4. Device Id (string)
   Unique identifier of the Cyberoam appliance.
5. Log Id (string)
   Unique 7-character code (c1c2c3c4c5c6c7), e.g. 0101011, 0102011:
   c1c2 represents the Log Type, e.g. 01
   c3c4 represents the Log Component, e.g. Firewall rule, Local ACL
   c5c6 represents the Log Sub Type, e.g. Allowed, Violation
   c7 represents the Priority, e.g. 1
6. Log Type (string)
   Section of the system where the event occurred, e.g. Traffic for traffic logging.
   Possible values:
   01 Traffic - entire traffic intended for Cyberoam
7. Log Component (string)
   Component responsible for logging.
   Possible values:
   01 Firewall rule - event due to any traffic allowed or dropped based on a firewall rule that was created
   02 Local ACL - event due to any traffic allowed or dropped based on the local ACL configuration, or any other traffic intended for the firewall itself
   03 DoS Attack - event due to any packets dropped based on the DoS attack settings, i.e. dropped TCP, UDP and ICMP packets
   04 Invalid traffic - event due to any traffic dropped because it does not follow the protocol standards, is invalid fragmented traffic, or consists of packets Cyberoam is not able to relate to any connection. Refer to the Invalid traffic list below for details.
   05 Invalid Fragmented traffic - event when any invalid fragmented traffic is dropped. Refer to the Invalid Fragmented traffic list below for details.
   06 ICMP redirect - event due to any ICMP redirected packets dropped based on the DoS attack setting
   07 Source routed packet - event due to any source routed packets dropped based on the DoS attack setting
   08 Fragmented traffic - event when any fragmented traffic is dropped due to the Advanced Firewall settings. Refer to the Console Guide, page no. 59, for details.
8. Log Sub Type (string)
   Decision taken on the traffic.
   Possible values:
   01 Allowed - traffic permitted to and through Cyberoam based on the firewall rule settings
   02 Violation - traffic dropped based on the firewall rule settings, local ACL settings or DoS settings, or because it is invalid traffic
9. Status (string)
   Ultimate state of the traffic (accept/deny).
10. Priority (string)
   Severity level of the traffic.
   Possible values:
   01 Notice
11. Duration (integer)
   Duration of the connection.
12. Firewall Rule ID (integer)
   Id of the firewall rule that matched the traffic.
13. User (string)
   User Id.
14. User Group (string)
   Group Id of the user.
15. IAP (integer)
   Internet Access Policy Id applied to the traffic.
16. In Interface (string)
   Interface for incoming traffic, e.g. eth0. Blank for outgoing traffic.
17. Out Interface (string)
   Interface for outgoing traffic, e.g. eth1. Blank for incoming traffic.
18. Source IP (string)
   Source IP address of the traffic.
19. Destination IP (string)
   Destination IP address of the traffic.
20. Protocol (integer)
   Protocol number of the traffic.
21. Source Port (integer)
   Source port of TCP and UDP traffic.
22. Destination Port (integer)
   Destination port of TCP and UDP traffic.
23. ICMP Type (integer)
   ICMP type of ICMP traffic.
24. ICMP Code (integer)
   ICMP code of ICMP traffic.
25. Sent Packets (integer)
   Total number of packets sent.
26. Received Packets (integer)
   Total number of packets received.
27. Sent Bytes (integer)
   Total number of bytes sent.
28. Received Bytes (integer)
   Total number of bytes received.
29. Translated Source IP (integer)
   Translated source IP address if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
30. Translated Source Port (integer)
   Translated source port if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
31. Translated Destination IP (integer)
   Translated destination IP address if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
32. Translated Destination Port (integer)
   Translated destination port if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
Invalid traffic
Cyberoam defines the following traffic as invalid traffic:
Short IP Packet
IP Packets with bad IP checksum
IP Packets with invalid header and/or data length
Truncated/malformed IP packet
Packets of an FTP bounce attack
Short ICMP packet
ICMP packets with bad ICMP checksum
ICMP packets with wrong ICMP type/code
Short UDP packet
Truncated/malformed UDP packet
UDP Packets with bad UDP checksum
Short TCP packet
Truncated/malformed TCP packet
TCP Packets with bad TCP checksum
TCP Packets with invalid flag combination
Cyberoam TCP connection subsystem not able to relate TCP Packets to any connection
If the Strict Internet Access Policy is applied, Cyberoam additionally defines the following traffic as invalid traffic:
UDP Packets with Destination Port 0
TCP Packets with Source Port and/or Destination Port 0
Land Attack
Winnuke Attack
TCP Syn Packets contains Data
IP Packet with Protocol Number 0
IP Packet with TTL Value 0
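The two lists above define what ends up in the log under Log Component 04 (Invalid traffic), and the second list only applies when the Strict Internet Access Policy is on. The following is an added example (not Cyberoam's implementation) that applies those criteria to a simplified packet summary so the difference between the default and strict behaviour can be seen on concrete packets. Checksum and length rules from the first list need raw packet bytes and are not modelled; the page names Land, WinNuke and "invalid flag combination" without defining them, so the commonly used definitions are applied and marked as assumptions in the comments. The Packet class and all packets are constructed for this example.

```python
"""Checks for the invalid-traffic criteria, with and without Strict Internet
Access Policy.

Added example, not Cyberoam's implementation. Definitions the page does not
spell out (Land, WinNuke, invalid TCP flag combinations) are the commonly
used ones and are marked as assumptions below.
"""
from __future__ import annotations
from dataclasses import dataclass

TCP, UDP = 6, 17
NETBIOS_SESSION_PORT = 139


@dataclass(frozen=True)
class Packet:
    """Minimal summary of one IP packet (constructed for this example)."""
    proto: int                      # IP protocol number (6 = TCP, 17 = UDP)
    ttl: int
    src_ip: str
    dst_ip: str
    src_port: int = 0               # TCP/UDP only
    dst_port: int = 0
    flags: frozenset = frozenset()  # TCP flags by name, e.g. {"SYN", "ACK"}
    payload_len: int = 0


def base_invalid_reasons(p: Packet) -> list[str]:
    """Criteria applied regardless of policy. Only the flag-combination rule
    can be evaluated on this summary; checksum and length rules need bytes."""
    reasons = []
    if p.proto == TCP:
        # Assumption: SYN+FIN and the null (no flags) combination are the
        # classic invalid combinations; the page does not enumerate them.
        if {"SYN", "FIN"} <= p.flags:
            reasons.append("TCP packet with invalid flag combination (SYN+FIN)")
        if not p.flags:
            reasons.append("TCP packet with invalid flag combination (no flags set)")
    return reasons


def strict_invalid_reasons(p: Packet) -> list[str]:
    """Extra criteria that apply only under Strict Internet Access Policy."""
    reasons = []
    if p.proto == 0:
        reasons.append("IP packet with protocol number 0")
    if p.ttl == 0:
        reasons.append("IP packet with TTL value 0")
    if p.proto == UDP and p.dst_port == 0:
        reasons.append("UDP packet with destination port 0")
    if p.proto == TCP and (p.src_port == 0 or p.dst_port == 0):
        reasons.append("TCP packet with source and/or destination port 0")
    if p.proto in (TCP, UDP) and p.src_ip == p.dst_ip and p.src_port == p.dst_port:
        # Assumption (common definition of Land): source and destination
        # address and port are identical.
        reasons.append("Land attack")
    if p.proto == TCP and "URG" in p.flags and p.dst_port == NETBIOS_SESSION_PORT:
        # Assumption (common definition of WinNuke): out-of-band (URG) data
        # sent to the NetBIOS session port.
        reasons.append("Winnuke attack")
    if p.proto == TCP and "SYN" in p.flags and "ACK" not in p.flags and p.payload_len > 0:
        reasons.append("TCP SYN packet contains data")
    return reasons


def classify(p: Packet, strict: bool = False) -> list[str]:
    """Return every invalid-traffic reason that applies; an empty list means
    the packet passes. With strict=False only the base criteria apply."""
    reasons = base_invalid_reasons(p)
    if strict:
        reasons += strict_invalid_reasons(p)
    return reasons


if __name__ == "__main__":
    land = Packet(TCP, 64, "192.0.2.1", "192.0.2.1", 80, 80, frozenset({"SYN"}))
    print("default:", classify(land))
    print("strict: ", classify(land, strict=True))
```

The point the comparison makes is that a Land packet or a SYN carrying data is passed to the firewall rules under the default policy and only shows up as a Log Component 04 drop once the strict policy is enabled, so a sudden rise in invalid-traffic events after a policy change is expected rather than a sign of an attack.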
Invalid Fragmented traffic
Cyberoam defines the following traffic as invalid fragmented traffic:
Fragment Queue out of memory while reassembling IP fragments
Fragment Queue Timeout while reassembling IP fragments
Fragment too far ahead while reassembling IP fragments
Oversized IP Packet while reassembling IP fragments
Fragmentation failure while creating fragments
Document version: 9305-1.0-26/03/2007