All the traffic that passes through Cloud Firewall is recorded as logs and displayed on the Log Audit page. The logs are classified into traffic logs, event logs, and operation logs. You can use the logs to audit all traffic in real time and take specific measures on suspicious traffic. Cloud Firewall retains the logs for seven days.

Cloud Firewall also provides the log analysis feature, which allows you to set Log Storage Period to a value that ranges from 30 to 365. If your business must meet classified protection requirements, we recommend that you enable the log analysis feature. For more information about the billing of the log analysis feature, see Billing.

Event logs

The Event Logs tab displays the logs of events on both the Internet firewall and Virtual Private Cloud (VPC) firewalls. On the Event Logs tab, you can click the Internet Firewall or VPC Firewall tab to view the information about event logs. The information includes the time an event was detected, threat type, source IP address, destination IP address, application type, severity, and policy action.

Event Logs
On the Event Logs tab, you can specify the source IP address, destination IP address, type, policy action, or custom time range to search for event logs.
Note The custom time range must be within the last seven days.

Traffic logs

The Traffic Logs tab displays the logs of traffic on both the Internet firewall and VPC firewalls. On the Traffic Logs tab, you can click the Internet Firewall or VPC Firewall tab to view the information about traffic logs. The information includes the start time and end time of traffic, source IP address, destination IP address, application type, source port, application, protocol, policy action, number of bytes, and number of packets.

Traffic Logs
On the right of search conditions, click List Configuration. In the List Configuration dialog box, select the columns that you want to add to the log list and click OK. You can select up to eight columns. List Configuration
On the Traffic Logs tab, you can specify the source IP address, destination IP address, application, or custom time range to search for traffic logs.
Note The custom time range must be within the last seven days.
To search for traffic logs more precisely, click Show Advanced Search on the right of search conditions and specify search conditions, such as direction, policy source, port, and region.
Note If traffic hits an access control policy or intrusion prevention system (IPS) policy, the name of the policy is displayed in the Policy Name column of the traffic log entry. If traffic does not hit a policy, a hyphen (-) is displayed in the Policy Name column.

Operation logs

The Operation Logs tab displays the time, type, severity, and other details about each operation performed on Cloud Firewall. Operation Logs
On the Operation Logs tab, you can specify Severity, Log Content, or a custom time range to search for operation logs.
Note The custom time range must be within the last seven days.