1 Reply Latest reply on Jun 3, 2016 10:02 AM by pcoates

    Audit Logs not generating for specific traffic v8.3.2P07

    pcoates

      Just checking here before raising a support case: I'm dealing with an issue where audit logs are not being generated for specific traffic passing the firewall.

      Here's the scenario:

      Version 8.3.2P07

      UDP rule to allow NetFlow traffic on UDP port 2055. Originally there was a rule using the built-in NetFlow application with many ports, but it's been duplicated to just a UDP port 2055 rule for testing, as the other rule wasn't logging audits either.

      The traffic passes successfully. Doing a TCP dump on both sides of the transaction (from one zone to the other) shows that the traffic passes (the MAC on the destination TCP dump is that of the firewall interface). No NAT is being performed on the rule. Audit is standard and I have tested with verbose. No other rule allows the traffic, because when this rule is disabled the traffic is blocked and does show up in the audit logs (Netprobe).

      Other types of traffic for the same source and destinations appear to log fine (allowed ICMP, SNMP). One other test had unusual results: SSH is not allowed and is blocked between the two hosts, but no netprobe or deny entry was seen in the logs; however, when we created a rule to allow it, the allowed traffic did show up in the audit log.

      Tested as both packet filter and proxy, with no difference in the audit log. Utilized the Audit viewer in the GUI and the showaudit command on the CLI for testing.

      Thanks

        • 1. Re: Audit Logs not generating for specific traffic v8.3.2P07
          pcoates

          It looks like it may be related to the introduction of session tracking in 8.3.2 (Session Begin, Session End) in the audit logs. Given the persistent nature of NetFlow, it appears to be a continuous session, since UDP is stateless and the firewall has to guess at the start and end.

          EDIT:

          Verified, applied custom App Def Group with low or 0 UDP Idle timeout and logs generate consistently.
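The following is an added example, not part of the original thread or the firewall's own code. It is a simplified model of the session-tracking behaviour described above (an assumption about how Session Begin / Session End are derived for UDP): a steady NetFlow stream never goes idle, so with the default idle timeout only one begin event is ever produced, while a very low idle timeout closes and reopens the session per packet and yields audit events consistently.

```python
from dataclasses import dataclass, field

@dataclass
class UdpSessionTracker:
    """Toy model of UDP session tracking with an idle timeout (assumed behaviour)."""
    idle_timeout: float
    sessions: dict = field(default_factory=dict)  # (src, dst, dport) -> last-seen ts
    audit: list = field(default_factory=list)     # (ts, event, key) audit records

    def expire(self, now):
        # Close any session that has been idle for at least idle_timeout seconds.
        for key, last in list(self.sessions.items()):
            if now - last >= self.idle_timeout:
                self.audit.append((last + self.idle_timeout, "session_end", key))
                del self.sessions[key]

    def packet(self, ts, src, dst, dport):
        self.expire(ts)
        key = (src, dst, dport)
        if key not in self.sessions:
            self.audit.append((ts, "session_begin", key))
        self.sessions[key] = ts  # refresh last-seen time


def audit_event_counts(idle_timeout, interval=1.0, duration=600.0):
    """Replay a constructed NetFlow export stream (one datagram every `interval`
    seconds to UDP/2055 for `duration` seconds) and return (begins, ends)."""
    tracker = UdpSessionTracker(idle_timeout)
    # Constructed sample addresses; the exporter and collector are placeholders.
    for i in range(int(duration / interval)):
        tracker.packet(i * interval, "192.0.2.10", "198.51.100.20", 2055)
    tracker.expire(duration)  # flush at end of the observation window
    begins = sum(1 for _, ev, _ in tracker.audit if ev == "session_begin")
    ends = sum(1 for _, ev, _ in tracker.audit if ev == "session_end")
    return begins, ends


if __name__ == "__main__":
    print("default 60s UDP idle timeout:", audit_event_counts(60.0))
    print("0s UDP idle timeout:        ", audit_event_counts(0.0))
```

With a 60 s idle timeout the ten-minute stream produces a single begin and no end, which is why the rule appears not to log; with a 0 s timeout every datagram is audited as its own session.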