
Audit Logs not generating for specific traffic v8.3.2P07

Just checking here before raising a support case. I'm dealing with an issue with audit logs not being generated for specific traffic passing the firewall.

Here's the scenario:

version 8.3.2P07

UDP rule to allow NetFlow traffic on UDP port 2055. Originally there was a rule using the built-in NetFlow application with many ports, but it's been duplicated to just a UDP port 2055 rule for testing, as the other rule wasn't logging audits either.

The traffic passes successfully. Doing a TCP dump on both sides of the transaction (from one zone to the other) shows that the traffic passes (MAC on the destination TCP dump is that of the firewall int). No NAT is being performed on the rule. Audit is standard, and I have tested with verbose. No other rule allows the traffic, because when this rule is disabled the traffic is blocked and does show up in the audit logs (Netprobe).

Other types of traffic for the same source and destinations appear to log fine (allowed ICMP, SNMP). One other test had unusual results: SSH is not allowed and is blocked between the two hosts, but no netprobe or deny entry was seen in the logs. However, when we created a rule to allow it, the allowed traffic did show up in the audit log.

Tested as both packet filter and proxy, no difference in audit log. Utilized the Audit viewer in the GUI and the showaudit command on the CLI for testing.



Re: Audit Logs not generating for specific traffic v8.3.2P07

It looks like it may be related to the introduction of Session tracking in 8.3.2 (Session Begin, Session End) in the audit logs. With the persistent nature of NetFlow, it appears to be a continuous session, since with UDP it has to guess at a start and end because it's stateless.


Verified: applied a custom App Def Group with a low or 0 UDP idle timeout, and logs generate consistently.
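
A simplified model of the behaviour the reply describes, added here as an illustration and not taken from the thread or from the firewall's own code: a begin/end-style audit logger that ends a UDP "session" only after an idle timeout. The flow tuple, the 60-second export interval and the timeout values are constructed assumptions.

```python
from collections import Counter

# Constructed sample: one NetFlow exporter sending a datagram to UDP/2055
# every 60 seconds for an hour (documentation addresses, not real hosts).
FLOW = ("192.0.2.10", 40000, "198.51.100.20", 2055, "udp")
NETFLOW_PACKETS = [(i * 60.0, FLOW) for i in range(60)]


def track_udp_sessions(packets, idle_timeout):
    """Model idle-timeout UDP pseudo-session tracking.

    packets: iterable of (timestamp_seconds, flow_tuple), sorted by time.
    Returns the (time, kind, flow) audit events a logger that only writes
    on session begin and session end would emit.
    """
    last_seen = {}  # flow -> timestamp of the most recent datagram
    events = []
    for ts, flow in packets:
        prev = last_seen.get(flow)
        if prev is not None and ts - prev > idle_timeout:
            # The idle timer expired before this datagram arrived,
            # so the previous pseudo-session is closed and logged.
            events.append((prev + idle_timeout, "session_end", flow))
            prev = None
        if prev is None:
            events.append((ts, "session_begin", flow))
        last_seen[flow] = ts
    # A session still open at the end of the capture emits no end event.
    return events


def summarize(events):
    """Count audit events by kind."""
    counts = Counter(kind for _, kind, _ in events)
    return {"session_begin": counts["session_begin"],
            "session_end": counts["session_end"]}


if __name__ == "__main__":
    for timeout in (300, 30, 0):
        result = summarize(track_udp_sessions(NETFLOW_PACKETS, timeout))
        print(f"idle_timeout={timeout:>3}s -> {result}")
```

With a timeout longer than the export interval, the whole hour collapses into a single begin event and no end; with a low or zero timeout every datagram produces its own audit entries.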
