This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

What does a successful network connection from firewall mean?

VishamRawat
Beginner
Beginner

‎2018-08-14 11:40 AM

Action = Allow

Event Category Name = Network.Connections.Successful

Event Activity = Permit

Device = Firewall

Src IP = Internal IP

Dst IP = Public IP

Dst Port = PortNo.

 

In such a situation, what exactly does it mean - has the internal IP successfully connected to portno. on public IP, or has the firewall merely allowed the request/probe from the internal IP to go through unimpeded to the public IP?

 

Can such logs from the firewall tell us, that a connection was established between the 2 servers, or does it simply tell us that the internal IP's request was forwarded to the public IP, however, what happened with the request thereafter is unknown (from this particular event log).  

 

Please help clarify.

0 Likes
6 REPLIES 6

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2018-08-14 11:44 AM

What type of firewall is this?  The reason I ask is that with Cisco there are two types of messages.  A build and a teardown.  The build is the intention and the teardown is the actual result.

 

Also typically I will also look at the bytes sent and received.  0 bytes received shows me the connection was not successful

0 Likes

VishamRawat
Beginner
Beginner
In response to DaveGlover

‎2018-08-14 11:55 AM

Hi Dave,

 

It's a Palo Alto firewall.

 

I don't see any bytes received in these event logs - although the bytes (sent) certainly have value, anywhere from around 100 to 1 million bytes.

 

Here's what I get in the event logs from PA FW -

action, alert_id, analysis_session, bytes, bytes_src, category, city_dst, country_dst, country_src, device_class, device_group, device_ip, device_type, did, direction, duration_time, ec_activity, , ec_theme, esa_time, event_cat_name, event_source_id, event_time, feed_name, filter, forward_ip, header_id, inv_category, inv_context, ip_dst, ip_dstport,
ip_src, lc_cid, level, medium, msg_id, netname, org_dst, policy_name, result, rid, sessionid, size, time, vsys

 

There is however a size variable being recorded as well, which also does have a value, although I'm not sure if it's in bytes and whether it is recording the response. Also, what I've noticed from a couple of alerts - the value of size doesn't seem to vary much across the events, pretty static at around 570 - 580.

0 Likes

DaveGlover
Trusted Contributor Trusted Contributor
Trusted Contributor
In response to VishamRawat

‎2018-08-14 12:12 PM

You can not use the "size" key as that's the size of the log message.

 

In looking at some of my PA logs I see the following in my Traffic Logs:

 

May 3 14:55:45 PA-VM 1,2018/05/03 14:55:44,007251111087537,TRAFFIC,end,1,2018/05/03 14:55:44,192.168.30.11,13.57.149.247,66.140.62.11,13.57.149.247,Outbound Traffic,,,splashtop-remote,vsys1,Internal,Internet,ethernet1/2,ethernet1/1,Netwitness,2018/05/03 14:55:44,424,1,64292,443,63217,443,0x40004d,tcp,allow,13636,1535,12101,26,2018/05/03 14:54:13,61,computer-and-internet-info,0,208,0x0,192.168.0.0-192.168.255.255,United States,0,12,14,tcp-rst-from-client,0,0,0,0,,PA-VM,from-policy,,,0,,0,,N/A

 

(bytes)    Bytes= 13636

(bytes.src)Send Bytes= 1535

(rbytes)   Receive Bytes=12101

 

 

Threat,URL logs do not have byte counts

 

 

 

 

 

 

VishamRawat
Beginner
Beginner
In response to DaveGlover

‎2018-08-15 09:25 AM

Okay, I do see something similar in the raw logs.

... ,tcp,allow,99267,2660,96607, ...

 

So the Event Meta is as follows

bytes = 99267

bytes src = 2660

 

These keys I take it are not indexed, but enabled for tagging, right?

 

What I don't see in the Event Meta is the rbytes key. As you've stated above, rbytes should = 96607, which essentially means this is an established connection, correct?

 

Also, the default built-in paloaltonetworks parser is not tagging rbytes, in my case, right?

0 Likes

EricPartington
Employee
Employee

‎2018-08-15 03:10 PM

if you are asking what the log message from PaloAlto means for session connections etc, that would be a question for your PA rep/forum.  There is a listing on their site for log messages, ID messages etc with a description of what they mean.  RSA accepts those messages and tags them in the SIEM.

 

As for what that means for the firewall (accept, connect, timeout) those are PaloAlto questions.

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/use-syslog-for-monitoring/syslog-field-descriptions

0 Likes

FapRsa
New Contributor
New Contributor

‎2020-06-17 11:39 PM

Type Log
Description Network.Connections.Successful
Source
Device
IP Address 23.129.64.192
Geolocation
Organization

Emerald Onion

what does a successful network connection from firewall mean?

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.