Hello everyone,
Today I will share with you how to query the IPv4 sessions on LogCenter.
By checking IPv4 session logs on the LogCenter, you can see how the firewalls create sessions for IPv4 packets.
The LogCenter supports the following modes of querying IPv4 session logs:
IPv4 PAT
You can query logs of sessions that undergo IP address conversion or port conversion, as well as logs of sessions that undergo neither IP address conversion nor port conversion.
IPv4 No-PAT
You can query logs of sessions that undergo only IP address conversion, without port conversion.
This section describes how firewalls of different product forms adapt to the different log query modes.
USG6000 V100R001C10/V100R001C20/V100R001C30
Table 4-12 describes the adaptation of firewalls of USG6000 V100R001C10/V100R001C20/V100R001C30.
The firewalls are required to output session logs in dataflow format, so that you can view the corresponding logs in Log Analysis > Session Analysis > IPv4 Session Query on the LogCenter.
Unless otherwise specified, the operator who performs the configurations is the system administrator of the firewalls.
Table 1-1 Adaptation of firewalls of USG6000 V100R001C10/V100R001C20/V100R001C30 to IPv4 session logs
| Query Mode | Log Type | Log Format | Output Mode | Key Configuration Points | Description |
| --- | --- | --- | --- | --- | --- |
| IPv4 PAT | Session logs | Dataflow | The logs are directly sent to the LogCenter. | In the system view, run the data-flow loghost command to configure the log host and set the port number to 9903. In the security policy rule view, run the session logging command to enable the function of recording session logs. In the system view, configure the NAT address pool, set the mode of the NAT address pool to nat-mode pat, configure NAT policies, and set the firewall to reference the NAT address pool. | If no NAT policy is configured, you can view only logs of sessions that do not undergo IP address conversion on the LogCenter. For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
| IPv4 No-PAT | Session logs | Dataflow | The logs are directly sent to the LogCenter. | In the system view, run the data-flow loghost command to configure the log host and set the port number to 9903. In the security policy rule view, run the session logging command to enable the function of recording session logs. In the system view, configure the NAT address pool, set the mode of the NAT address pool to nat-mode no-pat, configure NAT policies, and set the firewall to reference the NAT address pool. | For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
In addition, the firewalls can output IPv4 PAT and IPv4 No-PAT logs to the LogCenter in Syslog format. You can view the corresponding logs in Log Analysis > Network Security Analysis > Event Monitor and Log Analysis > Network Security Analysis > Event Query on the LogCenter. In actual deployment, do not set the firewalls to output session logs in Syslog format to avoid excessive storage space occupation or performance deterioration on the LogCenter.
USG9500 V300R001C01
The IPv4 session logs of the firewalls of USG9500 V300R001C01 include session aging logs, session creation logs, scheduled session logs, and NAT No-PAT session creation logs. Table 4-13 describes the adaptation of the firewalls.
The firewalls are required to output session logs in binary format so that you can view the corresponding logs in Log Analysis > Session Analysis > IPv4 Session Query on the LogCenter.
If the firewall outputs session aging logs, session creation logs, and scheduled session logs at the same time, the logs received by the LogCenter increase sharply and greatly consume the storage space of the LogCenter. Therefore, be careful in the actual deployment.
Unless otherwise specified, the operator who performs the configurations is the system administrator of the firewalls.
Table 1-2 Adaptation of firewalls of USG9500 V300R001C01 to IPv4 session logs
| Query Mode | Log Type | Log Format | Output Mode | Key Configuration Points | Description |
| --- | --- | --- | --- | --- | --- |
| IPv4 PAT | Session aging logs | Binary | The logs are directly sent to the LogCenter. | In the system view, run the firewall log host command to configure the log host and set the port number to 9002. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. In the system view, configure IPv4 auditing policies. In the system view, configure the NAT address pool, set the mode of the NAT address pool to PAT, configure NAT policies, and set the firewall to reference the NAT address pool. | If no NAT policy is configured, you can view only logs of sessions that do not undergo IP address conversion on the LogCenter. For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
| IPv4 PAT | Session creation logs | Binary | The logs are directly sent to the LogCenter. | In the system view, run the firewall log host command to configure the log host and set the port number to 9002. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. In the system view, configure IPv4 auditing policies. In the system view, configure the NAT address pool, set the mode of the NAT address pool to PAT, configure NAT policies, and set the firewall to reference the NAT address pool. In the system view, run the firewall log session new-session enable command to enable the function of generating session creation logs. | If no NAT policy is configured, you can view only logs of sessions that do not undergo IP address conversion on the LogCenter. For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
| IPv4 PAT | Scheduled session logs | Binary | The logs are directly sent to the LogCenter. | In the system view, run the firewall log host command to configure the log host and set the port number to 9002. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. In the system view, configure IPv4 auditing policies. In the system view, configure the NAT address pool, set the mode of the NAT address pool to PAT, configure NAT policies, and set the firewall to reference the NAT address pool. In the system view, run the firewall log session periodic enable command to enable the function of generating session creation logs. Run the firewall log session periodic time-interval command to configure the interval for sending logs. | If no NAT policy is configured, you can view only logs of sessions that do not undergo IP address conversion on the LogCenter. For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
| IPv4 No-PAT | Logs generated when the dynamic server-map of the NAT No-PAT sessions is created; logs generated when the dynamic server-map of the NAT No-PAT sessions is aged | Binary | The logs are directly sent to the LogCenter. | In the system view, run the firewall log host command to configure the log host and set the port number to 9002. In the system view, run the firewall log source command to configure the source address and source port used for sending the session logs. In the system view, configure IPv4 auditing policies. In the system view, configure the NAT address pool, set the mode of the NAT address pool to No-PAT, configure NAT policies, and set the firewall to reference the NAT address pool. In the system view, run the firewall log nat-nopat enable command to enable the function of sending No-PAT session logs. | For details about configuration instances, see 7.2.1 Checking IPv4 Session Logs on the LogCenter. |
In addition, the firewalls can output the IPv4 PAT session logs, including the session aging logs, session creation logs, and scheduled session logs, to the LogCenter in netflow or syslog format. When the firewalls output the logs in netflow format, you can view the logs in Log Analysis > Session Analysis > Netflow Session Query > Netflow IPv4 on the LogCenter; when the firewalls output the logs in syslog format, you can view the logs in Log Analysis > Network Security Analysis > Event Monitor or Log Analysis > Network Security Analysis > Event Query on the LogCenter. In actual deployment, do not set the firewalls to output session logs in syslog format to avoid excessive storage space occupation or performance deterioration on the LogCenter.
That is all I want to share with you! Thank you!
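
The key configuration points in Table 1-2 can be checked against a saved USG9500 configuration before you go looking for missing logs on the LogCenter. The Python sketch below is an added example, not part of the original post or of any Huawei tool; it matches only the command names given in the table, and the sample configuration (addresses, host ID, argument order) is constructed for illustration. The IPv4 auditing policy and NAT address pool steps are not checked because the post does not name their commands.

```python
import re

# Command prefixes taken from Table 1-2; argument layout is NOT given in the
# post, so only the command name (and the port value 9002) is matched.
BASE = {
    "log host on port 9002": r"^firewall log host\b.*\b9002\b",
    "log source address/port": r"^firewall log source\b",
}
EXTRA = {
    "aging": {},  # the table lists no extra enable command for aging logs
    "creation": {"new-session logging": r"^firewall log session new-session enable\b"},
    "scheduled": {
        "periodic logging": r"^firewall log session periodic enable\b",
        "periodic interval": r"^firewall log session periodic time-interval\b",
    },
    "no-pat": {"No-PAT logging": r"^firewall log nat-nopat enable\b"},
}

def _has(lines, pattern):
    return any(re.search(pattern, line) for line in lines)

def audit(config_text, log_type):
    """Return the names of required configuration points that are missing."""
    lines = [l.strip() for l in config_text.splitlines()]
    required = {**BASE, **EXTRA[log_type]}
    return [name for name, pat in required.items() if not _has(lines, pat)]

def volume_warning(config_text):
    """True when creation and scheduled logs are both enabled; together with
    aging logs this is the combination the post warns fills LogCenter storage."""
    lines = [l.strip() for l in config_text.splitlines()]
    return (_has(lines, EXTRA["creation"]["new-session logging"])
            and _has(lines, EXTRA["scheduled"]["periodic logging"]))

# Constructed sample configuration (hypothetical addresses and argument order).
SAMPLE = """
firewall log source 10.1.1.1 6000
firewall log host 1 10.1.1.10 514
firewall log session new-session enable
firewall log session periodic enable
"""

if __name__ == "__main__":
    for kind in EXTRA:
        print(kind, "missing:", audit(SAMPLE, kind))
    print("high log volume:", volume_warning(SAMPLE))
```

In the sample, the log host line uses port 514 rather than 9002, so every log type reports the log host as missing; binary session logs sent to the wrong port will not appear under IPv4 Session Query.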