Syslog about Firewall and Content Security Management

In this article, we list some of the firewall logs from Vigor Router and describe how to read them.

Filter Rule

DrayTek [FILTER][Block][LAN/RT/VPN->WAN, 0:10:22 ][@S:R=2:2, 192.168.1.11->8.8.8.8][ICMP][HLen=20, TLen=60, Type=8, Code=0]

[Filter] means it's related to a Filter rule. 
[Block] means the packet was discarded. 
@S:R=2:2 means the action was taken by Filter Set#2, Rule# 2. 
[ICMP] is the service type. 
192.168.1.11->8.8.8.8 means the packet is from 192.168.1.11 to 8.8.8.8.

APP Enforcement

DrayTek [CSM_AE][Block][FTP][@S:R=13:1, 111.251.207.21:34730->192.168.29.14:50337][TCP][HLen=20, TLen=1061, Flag=AP, Seq=3406493667, Ack=527650905, Win=2904]

[CSM_AE] means it's related to APP Enforcement of CSM.
[FTP] is the APP selected in the APPE profile.
@S:R=13:1 means the action was taken by the APPE profile selected in Filter Set#13, Rule#1, which is the default rule of the firewall.

URL Content Filter

DrayTek [CSM_UF][Block][Type=KW(G:O=0:1)][@S:R=2:3, 192.168.1.11:50345->http://tw.yahoo.com/:80][HTTP][HLen=20, TLen=1465, Flag=AP, Seq=2495239783, Ack=1500601792, Win=260]

[CSM_UF] means it's related to a URL Content Filter of CSM.
[Type=KW(G:O=0:1)] means it doesn't match any Keyword Group but matches Keyword Object#1.
192.168.1.11:50345->http://tw.yahoo.com/:80 means the packet is from 192.168.1.11 to http://tw.yahoo.com.

Web Content Filter

DrayTek [CSM_WF][Block][Service_Provider=CYREN][Category=News][@S:R=2:3, 192.168.1.11:50426->http://www.bbc.co.uk:80/news][HTTP][HLen=20, TLen=1492, Flag=A, Seq=1965422587, Ack=29701415, Win=65340]

[CSM_WF] means it's related to a Web Content Filter of CSM.
[Category=News] means the packet matches the category News. 

DNS Filter

DrayTek [CSM_DNSF][Block][Type=KW(G:O=0:1)][@S:R=2:3, 192.168.1.10:49316->http://www.facebook.com:53][DNS][HLen=20, TLen=62]

[CSM_DNSF] means it's related to the DNS Filter of CSM.
[DNS] means the packet is a DNS query.
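The bracketed format above is regular enough to parse mechanically, which is what you want when the router's syslog is forwarded to a SIEM. The parser below is an added example (not DrayTek's code) that splits each [...] field, pulls out the module, action, Filter Set/Rule pair, source/destination, protocol and the Type=KW(G:O=...) keyword match, and then counts Block events per source IP. The sample lines are constructed copies of the page's examples; the field order they show is the only layout the parser assumes.

```python
import re
from collections import Counter

# Constructed sample lines in the bracketed syslog format described above
# (same shape as the page's examples; not captured from a live router).
SAMPLE_LOGS = [
    "DrayTek [FILTER][Block][LAN/RT/VPN->WAN, 0:10:22 ][@S:R=2:2, 192.168.1.11->8.8.8.8][ICMP][HLen=20, TLen=60, Type=8, Code=0]",
    "DrayTek [CSM_AE][Block][FTP][@S:R=13:1, 111.251.207.21:34730->192.168.29.14:50337][TCP][HLen=20, TLen=1061, Flag=AP, Seq=3406493667, Ack=527650905, Win=2904]",
    "DrayTek [CSM_UF][Block][Type=KW(G:O=0:1)][@S:R=2:3, 192.168.1.11:50345->http://tw.yahoo.com/:80][HTTP][HLen=20, TLen=1465, Flag=AP, Seq=2495239783, Ack=1500601792, Win=260]",
    "DrayTek [CSM_WF][Block][Service_Provider=CYREN][Category=News][@S:R=2:3, 192.168.1.11:50426->http://www.bbc.co.uk:80/news][HTTP][HLen=20, TLen=1492, Flag=A, Seq=1965422587, Ack=29701415, Win=65340]",
    "DrayTek [CSM_DNSF][Block][Type=KW(G:O=0:1)][@S:R=2:3, 192.168.1.10:49316->http://www.facebook.com:53][DNS][HLen=20, TLen=62]",
]

FIELD_RE = re.compile(r"\[([^\]]*)\]")                       # every [...] group
RULE_RE = re.compile(r"^@S:R=(\d+):(\d+),\s*(\S+?)->(\S+)$")  # @S:R=set:rule, src->dst
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})")           # leading IPv4 of "ip:port"
KW_RE = re.compile(r"^KW\(G:O=(\d+):(\d+)\)$")                # Type=KW(G:O=group:object)


def parse_draytek_line(line):
    """Turn one bracketed DrayTek syslog line into a dict, or None if it is not one."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 2:
        return None
    rec = {"module": fields[0], "action": fields[1], "attrs": {}}
    seen_rule = False
    for field in fields[2:]:
        m = RULE_RE.match(field)
        if m:
            rec["filter_set"], rec["rule"] = int(m.group(1)), int(m.group(2))
            rec["src"], rec["dst"] = m.group(3), m.group(4)
            ip = IPV4_RE.match(rec["src"])
            rec["src_ip"] = ip.group(1) if ip else rec["src"]
            seen_rule = True
        elif "=" in field:
            # "HLen=20, TLen=60, ..." and single "Category=News" style fields
            for kv in field.split(","):
                key, _, value = kv.strip().partition("=")
                if key:
                    rec["attrs"][key] = value
        elif not seen_rule and "->" in field:
            # [FILTER] carries "LAN/RT/VPN->WAN, 0:10:22" before the rule field
            direction, _, elapsed = field.partition(",")
            rec["direction"], rec["elapsed"] = direction.strip(), elapsed.strip()
        elif not seen_rule:
            rec["app"] = field            # APP Enforcement: the matched application
        else:
            rec["proto"] = field          # the field right after the rule is the protocol
    kw = KW_RE.match(rec["attrs"].get("Type", ""))
    if kw:
        # 0 means "no match": G:O=0:1 is no Keyword Group, Keyword Object #1
        rec["keyword_group"], rec["keyword_object"] = int(kw.group(1)), int(kw.group(2))
    return rec


def blocked_by_source(lines):
    """Count Block events per source IP, a quick view of which hosts keep hitting the filters."""
    counts = Counter()
    for line in lines:
        rec = parse_draytek_line(line)
        if rec and rec["action"] == "Block" and "src_ip" in rec:
            counts[rec["src_ip"]] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        rec = parse_draytek_line(line)
        print(rec["module"], rec["action"], rec.get("src_ip"), "->", rec.get("dst"),
              "set/rule", rec.get("filter_set"), rec.get("rule"), rec.get("proto"))
    print(blocked_by_source(SAMPLE_LOGS).most_common())
```

The Filter Set/Rule pair is the most useful field for triage: a burst of [CSM_AE] hits on @S:R=13:1 (the default rule) tells you traffic is falling through to the catch-all rather than matching a rule you wrote, so the rule set, not the client, is usually what needs attention.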

IP Filter Rule

Logs that begin with “IPF” are IP Filter Rule logs. For example:

[IPF-pass-rule_11] PASS src ip 192.168.239.11 mac 60:a4:4c:05:ab:9c dst ip 5.96.88.133 proto tcp DPT=443, skbmark=10000000/0, c

Where “pass” is the name of the IP Filter Group and “rule_11” is the name of the IP Filter Rule. The above log means the router passed the connection from IP 192.168.239.11 to IP 5.96.88.133 on TCP port 443 because of Firewall IP Filter Group “pass”, Rule “rule_11”.

Application Filter

Logs that begin with “[CSM] APPF” are Application Filter logs. For example:

[CSM] APPF Block MISC-HTTP Proxy connection, Local user 192.168.239.11

Where “MISC-HTTP Proxy” is the HTTP Proxy option in the APP Object. The above log means the router blocked the connection from IP 192.168.239.11 because it detected HTTP Proxy events.

URL Filter

Logs that contain “[URLF]” and a keyword are URL Content Filter logs. For example:

[CSM] Blocking [www.catho.com.br/favicon.ico] by keyword [catho], Local user 192.168.239.11 [URLF-catho] BLOCK src ip 192.168.239.11 mac 60:a4:4c:05:ab:9c dst ip 186.234.214.60 proto tcp DPT=80, skbmark=0/0, ctmark=0/0

Where [URLF-catho] means the URL/Web Content Filter profile named “catho”. The above log means the router blocked the connection from IP 192.168.239.11 to IP 186.234.214.60 according to URL Filter profile “catho”.

WCF Filter

Logs that contain “[URLF]” and a category are Web Content Filter logs. “Black List Blocking” means the site was blocked because the Web Category Policy Action is “Block”; “White List Blocking” means the Action is “Accept”. For example:

[CSM][URLF-Geral] Black List Blocking 192.168.0.94 -> www.catho.com.br that is categorized with [Job_search] commtouch_server_resolver: [WCF] Set WCF query server to ctwsd1.ctmail.com !

[URLF-Geral] means the URL/Web Category Filter profile named “Geral”. The above log means the connection from IP 192.168.0.94 to www.catho.com.br has been blocked by the URLF-Geral profile because it is categorized with [Job_search].

WCF Query Timeout

When we see “[WCF] WCF query server timeout,” it means Vigor Router fails to get responses from the WCF server. For example:

commtouch_server_resolver: [WCF] WCF query server timeout

When seeing such logs, we may:

  1. Check if the firewall in front of Vigor Router blocks the query packet.
  2. Try to connect to a different WCF query server. (the feature is supported since firmware version 1.3.0)

Default Policy logs

Logs that begin with [FILTER] are related to the Default Policy, for example:

[FILTER] BLOCK src ip 192.168.0.94 mac 00:1b:fc:f8:11:40 dst ip 8.8.8.8 proto icmp DPT=,skbmark=0/0, ctmark=0/0

The above log means Firewall Default Policy has blocked the ICMP connection from IP 192.168.0.94 to IP 8.8.8.8.
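The IPF, URLF, WCF and Default Policy lines above share a "src ip ... dst ip ... proto ... DPT=" layout, while the category and timeout lines have their own shapes. The following is an added example (not DrayTek's code) of a small classifier for these newer formats: it splits the leading tag into kind/group/rule, reads the packet fields, recognises the "Black/White List Blocking" category line and the "[WCF] WCF query server timeout" line, and summarises blocks per source IP plus the timeout count, since a rising timeout count is the signal to run the two checks listed under WCF Query Timeout. The sample lines are constructed from the page's examples; the first one is deliberately truncated, because the parser only needs the fields up to DPT= and should not fail on a line that a syslog relay has cut short.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the IPF, URLF, WCF and default-policy
# formats described above; the first line is truncated on purpose.
SAMPLE_LOGS = [
    "[IPF-pass-rule_11] PASS src ip 192.168.239.11 mac 60:a4:4c:05:ab:9c dst ip 5.96.88.133 proto tcp DPT=443, skbmark=10000000/0, c",
    "[URLF-catho] BLOCK src ip 192.168.239.11 mac 60:a4:4c:05:ab:9c dst ip 186.234.214.60 proto tcp DPT=80, skbmark=0/0, ctmark=0/0",
    "[CSM][URLF-Geral] Black List Blocking 192.168.0.94 -> www.catho.com.br that is categorized with [Job_search]",
    "commtouch_server_resolver: [WCF] WCF query server timeout",
    "[FILTER] BLOCK src ip 192.168.0.94 mac 00:1b:fc:f8:11:40 dst ip 8.8.8.8 proto icmp DPT=,skbmark=0/0, ctmark=0/0",
]

# "[TAG] PASS|BLOCK src ip A mac M dst ip B proto P DPT=N": everything after DPT is optional
PACKET_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\] (?P<action>PASS|BLOCK) src ip (?P<src>\S+) mac (?P<mac>\S+) "
    r"dst ip (?P<dst>\S+) proto (?P<proto>\S+) DPT=(?P<dpt>\d*)"
)
# "[CSM][URLF-<profile>] Black|White List Blocking <src> -> <host> that is categorized with [<cat>]"
CATEGORY_RE = re.compile(
    r"\[URLF-(?P<profile>[^\]]+)\] (?P<mode>Black|White) List Blocking (?P<src>\S+) -> (?P<host>\S+) "
    r"that is categorized with \[(?P<category>[^\]]+)\]"
)
TIMEOUT_MARK = "[WCF] WCF query server timeout"


def parse_line(line):
    """Classify one log line; returns a dict, or None for lines this parser does not know."""
    m = PACKET_RE.match(line)
    if m:
        # IPF-<group>-<rule>, URLF-<profile>, or plain FILTER (default policy)
        parts = m.group("tag").split("-", 2)
        return {
            "kind": parts[0],
            "name": parts[1] if len(parts) > 1 else None,   # IP Filter Group or URLF profile
            "rule": parts[2] if len(parts) > 2 else None,   # IP Filter Rule name (IPF only)
            "action": m.group("action"),
            "src": m.group("src"), "mac": m.group("mac"), "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dport": int(m.group("dpt")) if m.group("dpt") else None,  # DPT= is empty for ICMP
        }
    m = CATEGORY_RE.search(line)
    if m:
        return {
            "kind": "URLF", "name": m.group("profile"), "rule": None,
            "action": "BLOCK", "mode": m.group("mode").lower(),
            "src": m.group("src"), "dst": m.group("host"),
            "category": m.group("category"),
        }
    if TIMEOUT_MARK in line:
        return {"kind": "WCF", "action": "TIMEOUT"}
    return None


def summarize(lines):
    """Blocks per source IP plus the WCF timeout count (a sign category lookups are failing)."""
    blocks, timeouts = Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] == "TIMEOUT":
            timeouts += 1
        elif rec["action"] == "BLOCK":
            blocks[rec["src"]] += 1
    return {"blocks_by_src": blocks, "wcf_timeouts": timeouts}


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(parse_line(line))
    print(summarize(SAMPLE_LOGS))
```

Keeping PASS events in the parsed output, even though summarize() ignores them, is deliberate: an IPF "PASS" on an unexpected destination port is as worth alerting on as a BLOCK, and the group/rule names tell you exactly which rule let it through.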

Published On: 2017-04-18 
