All the traffic that passes through Cloud Firewall is recorded in logs, and the logs are displayed on the Log Audit page. The logs are classified into traffic logs, event logs, and operation logs. You can use the logs to audit all traffic in real time and detect suspicious traffic.
Cloud Firewall provides the log analysis feature. This feature allows you to specify a log storage duration that ranges from 7 to 365 days. If your business needs to meet the requirements for classified protection and compliance, we recommend that you enable the log analysis feature. For more information about the billing of the log analysis feature, see Billing.
Event logs
The Event Logs tab displays the logs of events on traffic that passes through the Internet firewall and virtual private cloud (VPC) firewalls. On the Event Logs tab, you can click the Internet Border or VPC Border tab to view the information about event logs. The information includes the time when an event was detected, threat type, source IP address, destination IP address, application type, severity, and policy action.
In the upper part of the Event Logs tab, you can specify the source IP address, destination IP address, threat type, policy action, or custom time range to search for event logs.
The custom time range must be within the last seven days.
Traffic logs
The Traffic Logs tab displays the logs of traffic that passes through the Internet firewall and VPC firewalls. On the Traffic Logs tab, you can click the Internet Border or VPC Border tab to view the information about traffic logs. The information includes the start time and end time of access, source IP address, destination port, protocol, policy action, number of bytes, and number of packets.
On the Internet Border or VPC Border tab, you can click List Configuration to the right of the search conditions. In the List Configuration dialog box, select the columns that you want to display in the log list and click OK. You can select up to eight columns.
On the Traffic Logs tab, you can select IPV4 or IPV6, and specify a source IP address, destination IP address, policy ID, application type, or custom time range to search for traffic logs.
The custom time range must be within the last seven days.
On the Internet Border or VPC Border tab, you can click Show Advanced Search to the right of the search conditions. You can specify the search conditions such as the direction, policy source, port, and region to search for logs more precisely.
If traffic hits an access control policy or protection policy, the name of the policy is displayed in the Policy Name column of the traffic log. If traffic does not hit a policy, a hyphen (-) is displayed in the Policy Name column.
Operation logs
The Operation Logs tab displays the time, type, severity, and other details about each operation performed on Cloud Firewall.
On the Operation Logs tab, you can specify a value for Severity, a value for Log Content, or a custom time range to search for operation logs.
The custom time range must be within the last six months.
Core log fields
The following table describes the fields that can be added to the traffic logs of the Internet firewall, VPC firewalls, and NAT firewalls. You can identify traffic whose application type is Unknown based on the added fields.
Field | Description
--- | ---
Policy Name | The name of the access control policy or protection policy that the traffic matches. If no policy name is displayed, the traffic does not match an access control policy or protection policy.
Pre-match Access Control Policy Status | The status of the pre-match access control policy. Valid values: Normal, Application Unidentified, and Domain Name Unidentified.
Pre-match Access Control Policy | If you configured an access control policy that specifies applications and domain names, Cloud Firewall pre-matches the source IP address, destination IP address, and port of traffic against the policy when the traffic reaches Cloud Firewall. If those fields match but Cloud Firewall cannot identify the application or the domain name of the traffic, the policy is marked as Pre-match Access Control Policy.
Application Identification Status | The status of application identification. Valid values:
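The hyphen in the Policy Name column (traffic that hit no policy) and the Unknown application type and pre-match status fields described above are what an analyst filters on when reviewing exported traffic logs. The following is an added example, not Alibaba Cloud's own code: it triages a constructed set of traffic-log records, keeps only records inside the seven-day search window the console allows, separates traffic that matched no policy from traffic whose application could not be identified, and totals bytes per source. The record layout (keys such as `src_ip`, `policy_name`, `app_type`, `prematch_status`) and the sample values are assumptions modelled on the columns the page lists; a real export may use different field names.

```python
"""Triage constructed Cloud Firewall traffic-log records.

Added example; the record layout and sample data are assumptions modelled on
the Log Audit columns (start/end time, source IP, destination IP, destination
port, protocol, policy action, bytes, packets, policy name, application type,
pre-match policy status). Not real log data and not the product's own code.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export (assumed field names, documentation-range IPs).
SAMPLE_LOGS = [
    {"start_time": "2024-05-01T10:00:00Z", "end_time": "2024-05-01T10:00:05Z",
     "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 443, "protocol": "TCP",
     "action": "pass", "bytes": 12000, "packets": 30,
     "policy_name": "allow-web", "app_type": "HTTPS", "prematch_status": "Normal"},
    {"start_time": "2024-05-01T10:02:00Z", "end_time": "2024-05-01T10:02:01Z",
     "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "dst_port": 8443, "protocol": "TCP",
     "action": "pass", "bytes": 3000, "packets": 9,
     "policy_name": "-", "app_type": "Unknown", "prematch_status": "Application Unidentified"},
    {"start_time": "2024-05-01T10:03:00Z", "end_time": "2024-05-01T10:03:02Z",
     "src_ip": "10.0.0.9", "dst_ip": "203.0.113.20", "dst_port": 53, "protocol": "UDP",
     "action": "pass", "bytes": 400, "packets": 4,
     "policy_name": "-", "app_type": "DNS", "prematch_status": "Normal"},
    # Older than seven days: outside the custom time range the console permits.
    {"start_time": "2024-04-01T09:00:00Z", "end_time": "2024-04-01T09:00:01Z",
     "src_ip": "10.0.0.9", "dst_ip": "203.0.113.30", "dst_port": 445, "protocol": "TCP",
     "action": "deny", "bytes": 120, "packets": 2,
     "policy_name": "block-smb", "app_type": "SMB", "prematch_status": "Normal"},
]


def parse_time(value):
    """Parse the assumed ISO-8601 UTC timestamp format used in the sample."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def within_window(records, now, max_days=7):
    """Keep records whose start time lies within the last max_days.

    Traffic and event logs can only be searched within the last seven days
    on the Log Audit page; operation logs allow six months.
    """
    cutoff = now - timedelta(days=max_days)
    return [r for r in records if cutoff <= parse_time(r["start_time"]) <= now]


def unmatched_traffic(records):
    """Traffic that hit no access control or protection policy (Policy Name is '-')."""
    return [r for r in records if r["policy_name"] == "-"]


def unidentified_application(records):
    """Traffic whose application or domain name Cloud Firewall could not identify."""
    return [r for r in records
            if r["app_type"] == "Unknown"
            or r["prematch_status"] in ("Application Unidentified", "Domain Name Unidentified")]


def bytes_by_source(records):
    """Total bytes per source IP address, useful for spotting unexpected volume."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src_ip"]] += r["bytes"]
    return dict(totals)


def triage(records, now, max_days=7):
    """Apply the search window, then summarise the two conditions worth review."""
    recent = within_window(records, now, max_days)
    key = lambda r: (r["src_ip"], r["dst_ip"], r["dst_port"])
    return {
        "unmatched": [key(r) for r in unmatched_traffic(recent)],
        "unidentified": [key(r) for r in unidentified_application(recent)],
        "bytes_by_source": bytes_by_source(recent),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOGS, parse_time("2024-05-02T00:00:00Z"))
    for section, rows in report.items():
        print(section, rows)
```

The two lists deliberately differ: DNS traffic with no policy hit is a coverage gap in the rule set, whereas Unknown-application traffic with a pre-match status of Application Unidentified is a candidate for the added fields the table describes, since a policy that keys on application or domain name cannot take effect until identification succeeds.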