- Access Control Policy (Syslog: ACPolicy)
-
The access control policy that monitored the connection.
- Access Control Rule (Syslog: AccessControlRuleName)
-
The access control rule or default action that handled the connection, as well as up to eight Monitor rules matched by that connection.
If the connection matched one Monitor rule, the Firepower Management Center displays the name of the rule that handled the connection, followed by the Monitor rule name. If the connection matched more than one Monitor rule, the number of matching Monitor rules is displayed, for example, Default Action + 2 Monitor Rules.
To display a pop-up window with a list of the first eight Monitor rules matched by the connection, click N Monitor Rules.
- Action (Syslog: AccessControlRuleAction)
-
The action associated with the configuration that logged the connection.
For Security Intelligence-monitored connections, the action is that of the first non-Monitor access control rule triggered
by the connection, or the default action. Similarly, because traffic matching a Monitor rule is always handled by a subsequent
rule or by the default action, the action associated with a connection logged due to a Monitor rule is never Monitor. However,
you can still trigger correlation policy violations on connections that match Monitor rules.
Action | Description
--- | ---
Allow | Connections either allowed by access control explicitly, or allowed because a user bypassed an interactive block.
Block, Block with reset | Blocked connections, including: tunnels and other connections blocked by the prefilter policy; connections blocked by Security Intelligence; encrypted connections blocked by an SSL policy; connections where an exploit was blocked by an intrusion policy; connections where a file (including malware) was blocked by a file policy. For connections where the system blocks an intrusion or file, the system displays Block, even though you use access control Allow rules to invoke deep inspection.
Fastpath | Non-encrypted tunnels and other connections fastpathed by the prefilter policy.
Interactive Block, Interactive Block with reset | Connections logged when the system initially blocks a user’s HTTP request using an Interactive Block rule. If the user clicks through the warning page that the system displays, additional connections logged for the session have an action of Allow.
Trust | Connections trusted by access control. The system logs trusted TCP connections differently depending on the device model.
Default Action | Connections handled by the access control policy's default action.
(Blank/empty) | The connection closed before enough packets had passed to match a rule. This can happen only if a facility other than access control, such as intrusion prevention, causes the connection to be logged.
- Application Protocol (Syslog: ApplicationProtocol)
-
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The application protocol, which represents communications between hosts, detected in the connection.
- Application Protocol Category and Tag
-
Criteria that characterize the application to help you understand the application's function.
- Application Risk
-
The risk associated with the application traffic detected in the connection: Very High, High, Medium, Low, or Very Low. Each
type of application detected in the connection has an associated risk; this field displays the highest of those.
- Business Relevance
-
The business relevance associated with the application traffic detected in the connection: Very High, High, Medium, Low, or
Very Low. Each type of application detected in the connection has an associated business relevance; this field displays the
lowest (least relevant) of those.
- Client and Client Version (Syslog: Client, ClientVersion)
-
The client application and version of that client detected in the connection.
If the system cannot identify the specific client used in the connection, the field displays the word "client" appended to
the application protocol name to provide a generic name, for example, FTP client.
- Client Category and Tag
-
Criteria that characterize the application to help you understand the application's function.
- Connection Counter (Syslog Only)
-
A counter that distinguishes one connection from another simultaneous connection. This field has no significance on its own.
The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
- Connection Instance ID (Syslog Only)
-
The Snort instance that processed the connection event. This field has no significance on its own.
The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
- ConnectionDuration (Syslog Only)
-
This field exists ONLY as a syslog field; it does not exist in the Firepower Management Center web interface. (The web interface conveys this information using the First Packet and Last Packet columns.)
This field has a value only when logging occurs at the end of the connection. For a start-of-connection syslog message, this
field is not output, as it is not known at that time.
For an end-of-connection syslog message, this field indicates the number of seconds between the first packet and the last
packet, which may be zero for a short connection. For example, if the timestamp of the syslog is 12:34:56 and the ConnectionDuration
is 5, then the first packet was seen at 12:34:51.
- Connections
-
The number of connections in a connection summary. For long-running connections, that is, connections that span multiple connection
summary intervals, only the first connection summary interval is incremented. To view meaningful results for searches using
the Connections criterion, use a custom workflow that has a connection summary page.
- Count
-
The number of connections that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows. If you create a custom workflow
and do not add the Count column to a drill-down page, each connection is listed individually and packets and bytes are not summed.
- Destination Port/ICMP Code (Syslog: Separate fields - DstPort, ICMPCode)
-
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The port or ICMP code used by the session responder.
- DestinationSecurityGroup (Syslog Only)
-
This field holds the text value associated with the numeric value in DestinationSecurityGroupTag, if available. If the group name is not available as a text value, then this field contains the same integer value as the
DestinationSecurityGroupTag field.
- Destination SGT (Syslog: DestinationSecurityGroupTag)
-
The numeric Security Group Tag (SGT) attribute of the destination involved in the connection.
The Destination SGT value is obtained from ISE only, from either SXP or from a user session.
- Detection Type
-
The source from which the client was detected.
- Device
-
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The managed device that detected the connection or, for connections generated from NetFlow data, the managed device that processed
the data.
- DeviceUUID (Syslog Only)
-
The unique identifier of the device that generated an event.
The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
- DNS Query (Syslog: DNSQuery)
-
The DNS query submitted in a connection to the name server to look up a domain name.
- DNS Record Type (Syslog: DNSRecordType)
-
The type of the DNS resource record used to resolve a DNS query submitted in a connection.
- DNS Response (Syslog: DNSResponseType)
-
The DNS response returned in a connection to the name server when queried.
- DNS Sinkhole Name (Syslog: DNS_Sinkhole)
-
The name of the sinkhole server where the system redirected a connection.
- DNS TTL (Syslog: DNS_TTL)
-
The number of seconds a DNS server caches the DNS resource record.
- Domain
-
The domain of the managed device that detected the connection or, for connections generated from NetFlow data, the domain of the managed device that processed the data. This field is only present if you have ever configured the Firepower Management Center for multitenancy.
- Endpoint Location
-
The IP address of the network device that used ISE to authenticate the user, as identified by ISE.
- Endpoint Profile (Syslog: Endpoint Profile)
-
The user's endpoint device type, as identified by ISE.
- Event Priority (Syslog Only)
-
Whether or not the connection event is a high priority event. High priority events are connection events that are associated with an intrusion, Security Intelligence, file, or malware event. All other events are Low priority.
- Files (Syslog: FileCount)
-
The number of files (including malware files) detected or blocked in a connection associated with one or more file events.
In the Firepower Management Center web interface, the View Files icon links to a list of files. The number on the icon indicates the number of files (including malware files) detected or blocked
in that connection.
- First Packet or Last Packet (Syslog: See the ConnectionDuration field)
-
The date and time the first or last packet of the session was seen.
- First Packet Time (Syslog Only)
-
The time the system encountered the first packet.
The following fields collectively uniquely identify a connection event: DeviceUUID, First Packet Time, Connection Instance ID, and Connection Counter.
- HTTP Referrer (Syslog: HTTPReferer)
-
The HTTP referrer, which represents the referrer of a requested URL for HTTP traffic detected in the connection (such as a
website that provided a link to, or imported a link from, another URL).
- HTTP Response Code (Syslog: HTTPResponse)
-
The HTTP status code sent in response to a client's HTTP request over a connection. It indicates the reason behind a successful or failed HTTP request.
For more details about HTTP response codes, see RFC 2616 (HTTP), Section 10.
- Ingress/Egress Interface (Syslog: IngressInterface, EgressInterface)
-
The ingress or egress interface associated with the connection. If your deployment includes an asymmetric routing configuration,
the ingress and egress interface may not belong to the same inline pair.
- Ingress/Egress Security Zone (Syslog: IngressZone, EgressZone)
-
The ingress or egress security zone associated with the connection.
For rezoned encapsulated connections, the ingress field displays the tunnel zone you assigned, instead of the original ingress
security zone. The egress field is blank.
- Initiator/Responder Bytes (Syslog: InitiatorBytes, ResponderBytes)
-
The total number of bytes transmitted by the session initiator or received by the session responder.
- Initiator/Responder Continent
-
When a routable IP is detected, the continent associated with the IP address for the session initiator or responder.
- Initiator/Responder Country
-
When a routable IP is detected, the country associated with the IP address of the session initiator or responder. The system
displays an icon of the country’s flag, and the country’s ISO 3166-1 alpha-3 country code. Hover your pointer over the flag
icon to view the country’s full name.
- Initiator/Responder IP (Syslog: SrcIP, DstIP)
-
In the Firepower Management Center web interface, these values constrain summaries and graphs.
The IP address (and host name, if DNS resolution is enabled) of the session initiator or responder.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
In the Firepower Management Center web interface, the host icon identifies the IP address that caused the connection to be blocked.
For plaintext, passthrough tunnels either blocked or fastpathed by the prefilter policy, initiator and responder IP addresses
represent the tunnel endpoints—the routed interfaces of the network devices on either side of the tunnel.
- Initiator/Responder Packets (Syslog: InitiatorPackets, ResponderPackets)
-
The total number of packets transmitted by the session initiator or received by the session responder.
- Initiator User (Syslog: User)
-
In the Firepower Management Center web interface, this value constrains summaries and graphs.
The user logged into the session initiator. If this field is populated with No Authentication, the user traffic:
If applicable, the username is preceded by <realm>\.
See also A Note About Initiator/Responder, Source/Destination, and Sender/Receiver Fields.
- Intrusion Events (Syslog: IPSCount)
-
The number of intrusion events, if any, associated with the connection.
In the Firepower Management Center web interface, the View Intrusion Events icon links to a list of events.
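The following script is an added example, not Cisco code and not part of this reference. It shows how a collector would use several of the fields described above together: it groups syslog messages by the four fields that collectively identify a connection (DeviceUUID, First Packet Time, Connection Instance ID, Connection Counter), recovers the first-packet time of an end-of-connection message from the syslog timestamp and ConnectionDuration, and uses IPSCount and FileCount to tell a Block that came from deep inspection invoked by an Allow rule apart from other blocks. The sample lines are constructed; the "Key: Value, Key: Value" message layout and the key names ConnectionInstanceID, ConnectionCounter and FirstPacketTime are assumptions, since the page names those fields but not their syslog keys.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample syslog lines (not captured from a real device).
# Line 1: end-of-connection message; the rule "Allow-Web" allowed the
#         connection but an intrusion policy blocked an exploit, so the
#         action reads Block and IPSCount is 1.
# Line 2: start-of-connection message for the same connection; as the page
#         states, it carries no ConnectionDuration.
# Line 3: a different connection that reuses ConnectionCounter 7 on another
#         Snort instance, so the counter alone would not separate them.
# The key names ConnectionInstanceID, ConnectionCounter and FirstPacketTime
# are assumed placeholders, not taken from the page.
SAMPLE_LINES = [
    "2023-05-01T12:34:56Z DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "ConnectionInstanceID: 3, ConnectionCounter: 7, "
    "FirstPacketTime: 2023-05-01T12:34:51Z, ConnectionDuration: 5, "
    "AccessControlRuleName: Allow-Web, AccessControlRuleAction: Block, "
    "IPSCount: 1, FileCount: 0, SrcIP: 10.0.0.5, DstIP: 203.0.113.9, "
    "DstPort: 80, Protocol: tcp",
    "2023-05-01T12:34:51Z DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "ConnectionInstanceID: 3, ConnectionCounter: 7, "
    "FirstPacketTime: 2023-05-01T12:34:51Z, "
    "AccessControlRuleName: Allow-Web, AccessControlRuleAction: Allow, "
    "IPSCount: 0, FileCount: 0, SrcIP: 10.0.0.5, DstIP: 203.0.113.9, "
    "DstPort: 80, Protocol: tcp",
    "2023-05-01T12:35:10Z DeviceUUID: 11111111-2222-3333-4444-555555555555, "
    "ConnectionInstanceID: 1, ConnectionCounter: 7, "
    "FirstPacketTime: 2023-05-01T12:35:02Z, ConnectionDuration: 8, "
    "AccessControlRuleName: Default Action, AccessControlRuleAction: Block, "
    "IPSCount: 0, FileCount: 0, SrcIP: 10.0.0.6, DstIP: 198.51.100.4, "
    "DstPort: 443, Protocol: tcp",
]

# The four fields the page says collectively identify one connection event.
UNIQUE_KEY_FIELDS = ("DeviceUUID", "FirstPacketTime",
                     "ConnectionInstanceID", "ConnectionCounter")


def parse_timestamp(text):
    """Parse the syslog header timestamp (assumed ISO 8601 UTC with 'Z')."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_event(line):
    """Split '<timestamp> Key: Value, Key: Value, ...' into a dict.
    The syslog timestamp is kept under the reserved key '_timestamp'."""
    header, body = line.split(" ", 1)
    event = {"_timestamp": parse_timestamp(header)}
    for pair in body.split(", "):
        key, _, value = pair.partition(": ")
        event[key] = value
    return event


def connection_key(event):
    """The tuple that identifies a connection across its start- and
    end-of-connection messages."""
    return tuple(event.get(field) for field in UNIQUE_KEY_FIELDS)


def first_packet_from_duration(event):
    """Syslog timestamp minus ConnectionDuration seconds, as in the page's
    12:34:56 minus 5 = 12:34:51 example. Returns None for a
    start-of-connection message, which has no ConnectionDuration."""
    duration = event.get("ConnectionDuration")
    if duration is None:
        return None
    return event["_timestamp"] - timedelta(seconds=int(duration))


def block_reason(event):
    """Explain a Block action. A Block with a non-zero IPSCount or FileCount
    came from deep inspection invoked by an Allow rule, not from the rule
    itself. These counters cannot separate prefilter, Security Intelligence
    and SSL policy blocks from access control blocks, so those share a bucket."""
    if not event.get("AccessControlRuleAction", "").startswith("Block"):
        return None
    if int(event.get("IPSCount", 0)) > 0:
        return "intrusion policy"
    if int(event.get("FileCount", 0)) > 0:
        return "file policy"
    return "access control, prefilter, Security Intelligence or SSL policy"


def group_by_connection(lines):
    """Group messages belonging to the same connection under one key."""
    groups = {}
    for line in lines:
        event = parse_event(line)
        groups.setdefault(connection_key(event), []).append(event)
    return groups


if __name__ == "__main__":
    for key, events in group_by_connection(SAMPLE_LINES).items():
        print(key, "->", len(events), "message(s)")
        for ev in events:
            print("   first packet:", first_packet_from_duration(ev),
                  "| block reason:", block_reason(ev))
```

Grouping on the full four-field key is what keeps the third line, which shares DeviceUUID and ConnectionCounter with the first two, from being merged into the wrong connection; a collector that keys on the counter alone, or on source and destination addresses, would miscount connections and mis-attribute the block.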
- IOC
-
Whether the event triggered an indication of compromise (IOC) against a host involved in the connection.
- NetBIOS Domain (Syslog: NetBIOSDomain)
-
The NetBIOS domain used in the session.
- NetFlow SNMP Input/Output
-
For connections generated from NetFlow data, the interface index for the interface where connection traffic entered or exited
the NetFlow exporter.
- NetFlow Source/Destination Autonomous System
-
For connections generated from NetFlow data, the border gateway protocol autonomous system number for the source or destination
of traffic in the connection.
- NetFlow Source/Destination Prefix
-
For connections generated from NetFlow data, the source or destination IP address ANDed with the source or destination prefix
mask.
- NetFlow Source/Destination TOS
-
For connections generated from NetFlow data, the setting for the type-of-service (TOS) byte when connection traffic entered
or exited the NetFlow exporter.
- Network Analysis Policy (Syslog: NAPPolicy)
-
The network analysis policy (NAP), if any, associated with the generation of the event.
- Original Client Country
-
The country where the original client IP address belongs. To obtain this value, the system extracts the original client IP
address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header, then maps it to the country using the
geolocation database (GeoDB). To populate this field, you must enable an access control rule that handles proxied traffic
based on its original client.
- Original Client IP (Syslog: originalClientSrcIP)
-
The original client IP address from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To populate this
field, you must enable an access control rule that handles proxied traffic based on its original client.
- Prefilter Policy (Syslog: Prefilter Policy)
-
The prefilter policy that handled the connection.
- Protocol (Syslog: Protocol)
-
In the Firepower Management Center web interface:
The transport protocol used in the connection. To search for a specific protocol, use the protocol name or number as listed in http://www.iana.org/assignments/protocol-numbers.