If logging is enabled for firewall rules, you can look at the firewall packet logs to troubleshoot issues.
The log file is /var/log/dfwpktlogs.log for both ESXi and KVM hosts.
Variable | Possible Values
---|---
Filter hash | A number that can be used to look up the filter name and other information.
AF value | INET, INET6
Reason | match
Action | PASS, DROP, REJECT (TERM when a connection is terminated)
Rule set and rule ID | rule set/rule ID
Direction | IN, OUT
Packet length | length
Protocol | TCP, UDP, ICMP, or PROTO followed by the protocol number. For TCP connections, the reason a connection was terminated is indicated after the keyword TCP on a TERM entry: RST (TCP RST packet), FIN (TCP FIN packet), or TIMEOUT (idle for too long). In the TERM example further down this page the reason is RST, meaning a RST packet was seen and the connection was reset. For non-TCP connections (UDP, ICMP, or other protocols) the only termination reason is TIMEOUT.
Source IP address and port | IP address/port
Destination IP address and port | IP address/port
TCP flags | S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)
Number of packets | in packets/out packets, for example 22/14
Number of bytes | in bytes/out bytes, for example 7684/1070
Example packet log entries:

```text
2018-07-03T19:44:09.749Z b6507827 INET match PASS mainrs/1024 IN 52 TCP 192.168.4.3/49627->192.168.4.4/49153 SEW
2018-07-03T19:46:02.338Z 7396c504 INET match DROP mainrs/1024 OUT 52 TCP 192.168.4.3/49676->192.168.4.4/135 SEW
2018-07-06T18:15:49.647Z 028cd586 INET match DROP mainrs/1027 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2018-07-06T18:19:54.764Z 028cd586 INET6 match DROP mainrs/1027 OUT 143 UDP fe80:0:0:0:68c2:8472:2364:9be/546->ff02:0:0:0:0:0:1:2/547
```

The elements of a DFW log entry are the following, separated by a space:
- timestamp
- last eight digits of the VIF ID of the interface
- INET type (INET for IPv4, INET6 for IPv6)
- reason (match)
- action (PASS, DROP, REJECT)
- rule set name/rule ID
- packet direction (IN/OUT)
- packet size
- protocol (TCP, UDP, or PROTO followed by the protocol number)
- SVM direction for a netx rule hit
- source IP address/source port->destination IP address/destination port
- TCP flags (SEW)
A TERM entry, written when a connection is terminated:

```text
2018-07-03T19:44:30.585Z 7396c504 INET TERM mainrs/1024 OUT TCP RST 192.168.4.3/49627->192.168.4.4/49153 20/16 1718/76308
```

- timestamp
- last eight digits of the VIF ID of the interface
- INET type (INET for IPv4, INET6 for IPv6)
- action (TERM)
- rule set name/rule ID
- packet direction (IN/OUT)
- protocol (TCP, UDP, or PROTO followed by the protocol number)
- termination reason (here the TCP RST flag)
- SVM direction for a netx rule hit
- source IP address/source port->destination IP address/destination port
- IN packet count/OUT packet count (accumulated over the connection)
- IN byte count/OUT byte count
An entry for a rule with FQDN context, which appends the domain name and its UUID:

```text
2019-01-15T00:34:45.903Z 7c607b29 INET match PASS 1031 OUT 48 TCP 10.172.178.226/32808->23.72.199.234/80 S www.sway.com(034fe78d-5857-0680-81e4-d8da6b28d1b4)
```

- timestamp
- last eight digits of the VIF ID of the interface
- INET type (INET for IPv4, INET6 for IPv6)
- reason (match)
- action (PASS, DROP, REJECT)
- rule set name/rule ID
- packet direction (IN/OUT)
- packet size
- protocol (TCP, UDP, or PROTO followed by the protocol number); for TCP connections, the reason a connection was terminated is indicated after the keyword TCP on a TERM entry
- source IP address/source port->destination IP address/destination port
- TCP flags: S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)
- domain name(UUID), where the UUID is the binary internal representation of the domain name
Entries for rules with context-aware (application ID) matching, which append the discovered application:

```text
2019-01-15T00:35:07.221Z 82f365ae INET match REJECT 1034 OUT 48 TCP 10.172.179.6/49818->23.214.173.202/80 S APP_HTTP
2019-01-15T00:34:46.486Z 7c607b29 INET match PASS 1030 OUT 48 UDP 10.172.178.226/42035->10.172.40.1/53 APP_DNS
```

- timestamp
- last eight digits of the VIF ID of the interface
- INET type (INET for IPv4, INET6 for IPv6)
- reason (match)
- action (PASS, DROP, REJECT)
- rule set name/rule ID
- packet direction (IN/OUT)
- packet size
- protocol (TCP, UDP, or PROTO followed by the protocol number); for TCP connections, the reason a connection was terminated is indicated after the keyword TCP on a TERM entry
- source IP address/source port->destination IP address/destination port
- TCP flags: S (SYN), SA (SYN-ACK), A (ACK), P (PUSH), U (URGENT), F (FIN), R (RESET)
- APP_XXX is the discovered application
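The following parser is an added example (not VMware's code or tooling) that turns all four entry shapes shown on this page (plain match entries, TERM entries with packet and byte counters, FQDN entries with domain(UUID), and application-ID entries with APP_XXX) into dicts, and then counts DROP/REJECT hits per rule, which is the first thing to look at when a workload cannot reach something it should. It assumes the field order documented above and nothing else: the sample lines are the ones printed on this page, the `extra` list is a catch-all for tokens the page names but does not show (such as the SVM direction for a netx rule hit), and the flag characters E and W are accepted only because the page's sample shows `SEW`.

```python
import re
from collections import Counter

# Sample entries copied from this page's examples (one per line).
SAMPLE_LOG = """\
2018-07-03T19:44:09.749Z b6507827 INET match PASS mainrs/1024 IN 52 TCP 192.168.4.3/49627->192.168.4.4/49153 SEW
2018-07-03T19:46:02.338Z 7396c504 INET match DROP mainrs/1024 OUT 52 TCP 192.168.4.3/49676->192.168.4.4/135 SEW
2018-07-06T18:15:49.647Z 028cd586 INET match DROP mainrs/1027 IN 36 PROTO 2 0.0.0.0->224.0.0.1
2018-07-06T18:19:54.764Z 028cd586 INET6 match DROP mainrs/1027 OUT 143 UDP fe80:0:0:0:68c2:8472:2364:9be/546->ff02:0:0:0:0:0:1:2/547
2018-07-03T19:44:30.585Z 7396c504 INET TERM mainrs/1024 OUT TCP RST 192.168.4.3/49627->192.168.4.4/49153 20/16 1718/76308
2019-01-15T00:34:45.903Z 7c607b29 INET match PASS 1031 OUT 48 TCP 10.172.178.226/32808->23.72.199.234/80 S www.sway.com(034fe78d-5857-0680-81e4-d8da6b28d1b4)
2019-01-15T00:35:07.221Z 82f365ae INET match REJECT 1034 OUT 48 TCP 10.172.179.6/49818->23.214.173.202/80 S APP_HTTP
2019-01-15T00:34:46.486Z 7c607b29 INET match PASS 1030 OUT 48 UDP 10.172.178.226/42035->10.172.40.1/53 APP_DNS
"""

# "src[/port]->dst[/port]"; ports are absent for protocols without them (the PROTO 2 entry).
ADDR_RE = re.compile(r"^(?P<src>[^/]+?)(?:/(?P<sport>\d+))?->(?P<dst>[^/]+?)(?:/(?P<dport>\d+))?$")
DOMAIN_RE = re.compile(r"^(?P<domain>[^()\s]+)\((?P<uuid>[0-9a-fA-F-]+)\)$")  # www.sway.com(uuid)
COUNTS_RE = re.compile(r"^(\d+)/(\d+)$")  # TERM counters: in/out packets, in/out bytes
FLAGS_RE = re.compile(r"^[SAPUFREW]+$")   # TCP flag letters; E/W assumed from the "SEW" sample


def parse_dfw_line(line: str) -> dict:
    """Parse one dfwpktlogs.log entry into a dict; raises ValueError if it is malformed."""
    tok = line.split()
    try:
        addr_idx = next(i for i, t in enumerate(tok) if "->" in t)
    except StopIteration:
        raise ValueError(f"no src->dst element in: {line!r}") from None
    e = {"timestamp": tok[0], "vif_id": tok[1], "af": tok[2]}
    i = 3
    if tok[i] == "TERM":                      # TERM entries carry no reason and no packet length
        e["reason"], e["action"] = None, "TERM"
        i += 1
    else:                                     # reason (match) followed by action (PASS/DROP/REJECT)
        e["reason"], e["action"] = tok[i], tok[i + 1]
        i += 2
    rule_set, _, rule_id = tok[i].rpartition("/")   # "mainrs/1024" or a bare "1031"
    e["rule_set"], e["rule_id"] = (rule_set or None), rule_id
    e["direction"] = tok[i + 1]
    i += 2
    e["packet_length"] = None
    if e["action"] != "TERM":
        e["packet_length"] = int(tok[i])
        i += 1
    e["protocol"], e["protocol_number"] = tok[i], None
    i += 1
    if e["protocol"] == "PROTO":              # "PROTO 2": the IP protocol number follows
        e["protocol_number"] = int(tok[i])
        i += 1
    # On TERM entries the termination reason (RST, FIN, TIMEOUT) precedes the addresses.
    e["term_reason"] = None
    if e["action"] == "TERM" and i < addr_idx:
        e["term_reason"] = tok[i]
        i += 1
    e["extra"] = tok[i:addr_idx]              # e.g. SVM direction for a netx rule hit (not in samples)
    m = ADDR_RE.match(tok[addr_idx])
    if not m:
        raise ValueError(f"bad address element: {tok[addr_idx]!r}")
    e["src_ip"], e["dst_ip"] = m["src"], m["dst"]
    e["src_port"] = int(m["sport"]) if m["sport"] else None
    e["dst_port"] = int(m["dport"]) if m["dport"] else None
    e.update(tcp_flags=None, domain=None, domain_uuid=None, app=None, packets=None, bytes=None)
    for t in tok[addr_idx + 1:]:              # optional trailing elements, in whatever order they appear
        if t.startswith("APP_"):
            e["app"] = t
        elif (dm := DOMAIN_RE.match(t)):
            e["domain"], e["domain_uuid"] = dm["domain"], dm["uuid"]
        elif (cm := COUNTS_RE.match(t)):
            pair = (int(cm[1]), int(cm[2]))
            if e["packets"] is None:          # first counter pair is packets, second is bytes
                e["packets"] = pair
            else:
                e["bytes"] = pair
        elif FLAGS_RE.match(t):
            e["tcp_flags"] = t
        else:
            e["extra"].append(t)
    return e


def parse_dfw_log(text: str) -> list:
    """Parse every non-empty line of a packet log."""
    return [parse_dfw_line(line) for line in text.splitlines() if line.strip()]


def blocked_by_rule(entries: list) -> Counter:
    """Count DROP/REJECT hits per rule ID: the rule at the top is where to start troubleshooting."""
    return Counter(e["rule_id"] for e in entries if e["action"] in ("DROP", "REJECT"))


if __name__ == "__main__":
    entries = parse_dfw_log(SAMPLE_LOG)
    for rule, hits in blocked_by_rule(entries).most_common():
        print(f"rule {rule}: {hits} blocked packet(s)")
```

Pointing `parse_dfw_log` at the contents of /var/log/dfwpktlogs.log instead of `SAMPLE_LOG` gives the same per-rule view for a live host; filtering the parsed dicts on `vif_id` narrows it to one interface.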