Export (0) Print
Expand All

Firewall log fields

Updated: February 1, 2011

Applies To: Forefront Threat Management Gateway (TMG)

The following table lists the fields that you can include in each of the Forefront TMG log files. Note that, in Forefront TMG log format, if a field is disabled, it will appear in the log with a hyphen (-). In World Wide Web Consortium (W3C) log file format, the field will not appear. The Bit number column refers to the position in the Forefront TMG file format.

 

Bit number Field name (log viewer) Field name (SQL Server log format and SQL Server Express log format) Field name (W3C format) Description

0

Server Name

servername

computer

The name of the Forefront TMG computer assigned in the operating system settings.

  1

Log Date

logTime

date

The date on which the logged event occurred. In the SQL Server and SQL Server Express formats, both the date and the local time are included in the single logTime field.

  2

Log Time

logTime

time

The time when the logged event occurred. In the W3C extended file format this time is in Coordinated Universal Time (UTC). In all other formats, this is the local time. In the SQL Server and SQL Server Express formats both the date and the time are included in the single logTime field.

  3

Transport

protocol

IP Protocol

The transport protocol used for the connection. Common values are TCP and UDP.

  4

Client IP and Port

SourceIP

SourcePort

source

The IP address of the requesting client and the source port used. In SQL Server and SQL Server Express formats, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP type.

  5

Destination IP and Port

DestinationIP

Destination Port

destination

The network IP address and the port number on the target computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server and SQL Server Express formats, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the port field indicates the ICMP code.

  6

Original Client IP

OriginalClientIP

original client IP

The original IP address of the requesting client.

  7

Source Network

SourceNetwork

source network

The network from which the request originated.

  8

Destination Network

DestinationNetwork

destination network

The network to which the request was sent.

  9

Action

Action

action

The action performed by the firewall for the current session or connection. The possible values are defined in the FpcAction enumerated type.

10

Result Code

Resultcode

status

A Windows error code or a Forefront TMG error code in HRESULT format.

11

Rule

Rule

rule

The rule that either allowed or denied access to the request, as follows:

If an outgoing request was allowed, this field reflects the access rule that allowed the request. If the request was denied, this field reflects the access rule that blocked the request.

If an incoming request was allowed, this field reflects the Web publishing server or publishing rule that allowed the request. If the request was denied, this field reflects the Web publishing server or publishing rule that denied the request.

If the incoming or outgoing request was denied for a reason other than policy rules, (for example due to an intrusion attempt or exceeding a flood resiliency threshold) the field is empty and the Result Code field indicates the reason.

12

Protocol

ApplicationProtocol

application protocol

The name of the application protocol used for the connection as defined in the collection of protocol definitions.

13

Bidirectional

Bidirectional

bidirectional

A value from the FpcBidirection enumerated type that indicates whether the connection was bidirectional.

14

Bytes Sent

bytessent

bytes sent

The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.

15

Bytes Sent Delta

bytessentDelta

bytes sent intermediate

The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.

16

Bytes Received

bytesrecvd

bytes received

The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.

17

Bytes Received Delta

bytesrecvdDelta

bytes received intermediate

The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-) or a zero (0) in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.

18

Processing Time

connectiontime

connection time

The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer—when results were returned to the client and the connection was closed.

19

Processing Time Delta

connectiontimeDelta

connection time intermediate

The time, in milliseconds, that has elapsed since the previous log entry for the current connection.

20

Destination Host Name

DestinationName

destination name

The domain name for the remote computer that provides service to the current connection.

21

Client Username

ClientUserName

username

The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.

22

Client Agent

ClientAgent

agent

For clients with Forefront TMG Client software installed, this is the name of the application that made the network request. This field is not applicable to SecureNAT client sessions.

23

Session ID

sessionid

session ID

An identifier that identifies a session's connections. For Forefront TMG clients, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address.

24

Connection ID

connectionid

connection ID

An identifier that identifies entries belonging to the same connection. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address.

25

Network Interface

Interface

interface

The network adapter with which the connection was established on the Forefront TMG computer.

26

Raw IP Header

IPHeader

IP header

The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG.

27

Raw Payload

Payload

protocol payload

The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG.

28

GMT Log Time

GmtLogTime

GMT Time

The GMT time that corresponds to the local time in the logTime field.

29

NIS Scan Result

ipsScanResult

NIS scan result

The result when NIS scans the traffic or connection (inspected/detected/blocked).

30

NIS Signature

ipsSignature

NIS signature

The NIS signature detected or based on which the traffic was blocked.

31

NAT Address

NATAddress

NAT Address

Public IP address used as a source IP for outbound traffic.

32

Forefront TMG Client FDQN

FwcClientFqdn

fwc-client-fqdn

Gets the FQDN of the client computer for a Forefront TMG Client connection.

33

Forefront TMG Client Application Path

FwcAppPath

fwc-app-path

Gets the full path of the client application for a Forefront TMG Client connection.

34

Firewall Client Application SHA1 Hash

FwcAppSHA1Hash

fwc-app-sha1-hash

Gets the SHA1 hash value that is calculated for the executable file of the client application and used by Forefront TMG Client to request a network connection.

35

Forefront TMG Client Application trust state

FwcAppTrusState

fwc-app-trust-state

Gets a value from the FpcFwcClientApplicationTrustState enumerated type that indicates whether the client application is trusted by the operating system running on the client computer.

36

Forefront TMG Client Application Internal Name

FwcAppInternalName

fwc-app-internal-name

Forefront TMG Client Application Internal Name.

37

Forefront TMG Client Application Product Name

FwcAppProductName

fwc-app-product-name

Gets the product name of the client application.

38

Forefront TMG Client Application Product Version

FwcAppProductVersion

fwc-app-product-version

Gets the product version of the client application.

39

Forefront TMG Client Application File Version

FwcAppFileVersion

fwc-app-file-vrsion

Gets the file version of the client application.

40

Forefront TMG Client Application Original File Name

FwcAppOrgFileName

fwc-app-original-file-name

The original name of the client application.

41

Internal Service Info Log Fields

InternalServiceInfo

internal-service-info

Internal

42

NIS Application Protocol

ipsApplicationProtocol

NIS application protocol

The application protocol in which NIS detected the signature.

43

Forefront TMG Client Version 

FwcVersion

fwc-version

The version number of the Forefront TMG Clients

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft