Cloud Firewall provides log reports based on the analysis results of the log analysis feature. The reports show statistics such as basic traffic metrics and distribution of inbound and outbound traffic. You can perform operations such as specifying a time range, subscribing to log reports, refreshing data, configuring refresh settings, and viewing data in a dashboard. The reports in a dashboard are updated based on your operations.

Prerequisites

internet_log, which is displayed in the upper-right corner of the Log Analysis page, is turned on. If internet_log is turned off, you cannot view log reports.

Procedure

  1. Log on to the Cloud Firewall console.
  2. In the left-side navigation pane, choose Log Analysis > Log Analysis.
  3. On the Log Analysis page, click the Reports tab. In the upper-right corner of the Reports tab, click Please Select.
  4. In the Time panel, specify a time range to query the log reports of Internet traffic. You can specify a time range in the Relative, Time Frame, or Custom section.

    Time settings

    | Section | Description |
    | --- | --- |
    | Relative | If you specify a time range in this section, log data that is collected within the specified time range is displayed. This time range is accurate to seconds. Assume that the current point in time is 2019-10-17 23:08:00. The value 2019-10-17 23:07:00~2019-10-17 23:08:00 indicates that log data collected in the last minute is displayed. You can customize a time range that is accurate to days, hours, minutes, or seconds. |
    | Time Frame | If you specify a time range in this section, log data that is collected within the specified time range is displayed. This time range is accurate to hours. Assume that the current point in time is 2019-10-17 00:00:00. The value 2019-10-10 00:00:00~2019-10-17 00:00:00 indicates that log data collected in the last week is displayed. You can customize a time range in days, hours, or minutes. |
    | Custom | If you specify a time range in this section, log data that is collected within the custom time range is displayed. This time range is accurate to minutes. |

    After you specify a time range, all dashboards on the Reports tab are refreshed to display traffic data collected within the time range.

    For more information about the dashboards, see Log report dashboard.

    Note: The system applies the time settings only to the current tab and does not save the settings. The next time you open the Reports tab, the dashboard displays data based on the default time setting.
  5. Optional: On the Reports tab, perform operations on a widget.
    In the upper-right corner of the required widget, click the More icon.

    You can perform the following operations on the widget:

    • Select Time Range: You can specify a relative time range, time frame, or custom time range to allow the widget to display log data of a specific metric. For more information, see Time settings.
    • Download Log: You can select this option to save the logs as an Excel file to your computer.
    • Download Chart: You can select this option to save the widget as a PNG file to your computer.
    • Preview Query Statement: You can click the Preview Query Statement icon to view the statement that is used to query the log data of a specific metric. You can use the statement to query the log data on the Logs tab. For more information, see Log search and analysis.
  6. Optional: Subscribe to log reports. You can specify a frequency at which the system sends log report notifications by email or DingTalk chatbot.

    In the upper-right corner of the Reports tab, click Subscribe. In the Create Subscription panel, subscribe to the log reports of Internet traffic.

    1. In the Subscription Configuration step, configure the parameters.
      • Subscription Name: The name of the log report subscription. A default name is provided. You can change the name based on your business requirements.
      • Frequency: The frequency at which log report notifications are sent. Valid values:
        • Hourly: A notification is sent every hour.
        • Daily: A notification is sent each day at a specified hour between 00:00 and 23:00.
        • Weekly: A notification is sent each week on a specified day at a specific hour between 00:00 and 23:00.
        • Fixed Interval: A notification is sent at a specified interval. You can select Days or Hours.
        • Cron: Use a cron expression to customize the frequency. The time specified in a cron expression is accurate to minutes and is in the 24-hour notation. You can refer to the examples in the console to write a cron expression.
      • Add Watermark: The address to which the notification is sent is attached to the image as a watermark. It can be an email address or a webhook URL of the DingTalk chatbot.
    2. Click Next to specify a notification method.

      | Notification method | Parameter | Description |
      | --- | --- | --- |
      | Email | Recipients | The email address of the recipient. You can add more than one recipient. |
      | Email | Subject | The subject of the email. A default subject is provided. You can change the subject based on your business requirements. |
      | WebHook-DingTalk Bot | Request URL | The webhook request URL. For more information about how to obtain the URL, see Configure DingTalk chatbot notifications. |
      | WebHook-DingTalk Bot | Title | The title of the webhook. A default title is provided. You can change the title based on your business requirements. |

    3. Click Submit.
    4. In the message that appears, click OK.
    After the subscription is created, you can move the pointer over Subscribe on the Reports tab to view the subscription.

    You can also click Subscribe to modify the subscription configurations and notification method or cancel the subscription.

    Note: You can create only one subscription. To create a new subscription, you must cancel the existing one.
  7. Optional: In the upper-right corner of the Reports tab, click Refresh to specify the frequency at which you want to refresh log reports.

    | Frequency | Description |
    | --- | --- |
    | Once | Log reports are immediately refreshed. |
    | Auto Refresh | Log reports are refreshed at the frequency that you specify. You can set the frequency to 15 seconds, 60 seconds, 5 minutes, or 15 minutes. |

Log report dashboard

Log reports provide a global view of Internet traffic, including basic traffic metrics, inbound and outbound traffic trends, and traffic distribution. The following table describes all widgets supported by Cloud Firewall.

| Widget | Type | Default time range | Description | Example |
| --- | --- | --- | --- | --- |
| Total number of Intercepting | Numeric value | 1 hour (relative) | The number of Internet access requests blocked by Cloud Firewall within a specified time range. | 10 times |
| Inbound Traffic | Numeric value | 1 hour (relative) | The volume of inbound Internet traffic within a specified time range. | 10 MB |
| Outbound Traffic | Numeric value | 1 hour (relative) | The volume of outbound Internet traffic within a specified time range. | 10 GB |
| SSH Access | Numeric value | 1 hour (relative) | The number of SSH access requests within a specified time range. | 10 times |
| RDP Access | Numeric value | 1 hour (relative) | The number of Remote Desktop Protocol (RDP) access requests within a specified time range. | 10 times |
| FTP Access | Numeric value | 1 hour (relative) | The number of FTP access requests within a specified time range. | 10 times |
| Intercept trend | Line chart | 1 hour (relative) | The trend for the number of times inbound traffic is blocked within a specified time range. | None |
| Intercept Source Applications | Pie chart | 1 hour (relative) | The top 10 applications that are sorted based on the volume of blocked inbound traffic within a specified time range. The applications include HTTP, SNMP, SIP, and SSH. | None |
| Sources – Global | World map | 1 hour (relative) | The geographic distribution of inbound traffic sources within a specified time range. | None |
| Source Applications – Top 10 | Pie chart | 1 hour (relative) | The top 10 applications that are sorted based on the volume of inbound traffic within a specified time range. The applications include HTTP and SSH. | None |
| Source Regions – Top 10 | Pie chart | 1 hour (relative) | The top 10 regions from which the most inbound traffic is sent within a specified time range. | None |
| Source Ports – Top 20 | Treemap chart | 1 hour (relative) | The top 20 ports that are accessed by inbound traffic within a specified time range. | None |
| Intercept trend | Line chart | 1 hour (relative) | The trend for the number of times outbound traffic is blocked within a specified time range. | None |
| Intercept External Applications | Pie chart | 1 hour (relative) | The top 10 applications that are sorted based on the volume of blocked outbound traffic within a specified time range. The applications include HTTP and SSH. | None |
| External Ports – Top 20 | Treemap chart | 1 hour (relative) | The top 20 ports that are accessed by outbound traffic within a specified time range. | None |
| External IP Addresses – Top 10 | Pie chart | 1 hour (relative) | The top 10 IP addresses that are requested by outbound traffic within a specified time range. | None |
| External Domains – Top 10 | Treemap chart | 1 hour (relative) | The top 10 domain names that are requested by outbound traffic within a specified time range. | None |
| External Applications – Top 10 | Pie chart | 1 hour (relative) | The top 10 applications that are sorted based on outbound traffic within a specified time range. The applications include HTTP and SSH. | None |