Solved

Log messages on Watchguard Firebox II

Posted on 2004-04-28
4
1,690 Views
Last Modified: 2013-11-16
Hi

Can anyone tell me what the '60 tcp 20 63' means from the extract of my Firebox logs?

04/28/04 13:15  firewalld[118]:  deny out eth1 60 tcp 20 63 10.255.255.48 193.195.0.110 48058 8080 syn (Outgoing) message


Gareth
0
Comment
Question by:localgareth
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 500 total points
ID: 10940352
I'm not 100%, but something like:

60 is packetlength
20 is IP Header length
63 is TTL

Doesn't it tell you right at the top of an exported logfile ?
If you posted up a few more examples I could take an educated guess ?  ;)

0
 

Author Comment

by:localgareth
ID: 10940605
Hi

Thanks for the reply

04/28/04 16:45  firewalld[118]:  allow out eth1 60 tcp 20 63 10.255.255.48 193.195.0.110 52880 8080 syn (SquidParentProxy)
04/28/04 16:45  firewalld[118]:  allow out eth1 60 tcp 20 64 10.255.255.48 193.195.0.110 52881 8080 syn (SquidParentProxy)
04/28/04 16:57  firewalld[118]:  deny in eth0 48 tcp 20 126 192.168.19.131 10.255.255.30 1273 8080 syn (default)
04/28/04 16:57  firewalld[118]:  deny in eth0 48 tcp 20 126 192.168.19.131 10.255.255.30 1273 8080 syn (default)
04/28/04 16:57  firewalld[118]:  deny in eth0 48 tcp 20 126 192.168.19.131 10.255.255.30 1273 8080 syn (default)
04/28/04 17:02  firewalld[118]:  deny out eth1 76 udp 20 63 10.255.255.48 158.152.1.76 123 123 (Outgoing)

Is this enough data? I'm looking at the logs in the 'Traffic Monitor' of the System Manager - it doesn't give headings.


Gareth
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10947948
I've just checked the Watchguard manual -

http://www.watchguard.com/help/docs/v70UserGuide.pdf

The packet event fields are described here in order, from
left to right.

Disposition
The disposition can be as follows:
- Allow – Packet was permitted by the current set
of filter rules.
- Deny – Packet was dropped by the current set of
filter rules.

Direction
Determines whether the packet was logged when it
was received by the interface (“in”) or when it was
about to be transmitted by the Firebox (“out”).

Interface
The name of the network interface associated with
the packet.

Total packet length
The total length of the packet in octets.

Protocol
Protocol name, or a number from 0 to 255.

IP header length
Length, in octets, of the IP header for this packet. A
header length that is not equal to 20 indicates that
IP options were present.

TTL (time to live)
The value of the TTL field in the logged packet.

Source address
The source IP address of the logged packet.

Destination address
The destination IP address of the logged packet.

Source port
The source port of the logged packet, UDP or TCP
only.

Destination port
The destination port of the logged packet, UDP or
TCP only.

Details
Additional information appears after the
previously described fields, including data about
IP fragmentation, TCP flag bits, IP options, and
source file and line number when in trace mode. If
WatchGuard logging is in debug or verbose mode,
additional information is reported. In addition, the
type of connection may be displayed in
parentheses.

So my first guess was correct !
0
 

Author Comment

by:localgareth
ID: 10947964
Tim - Thanks :-)


Gareth
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
assessing firewall rules 3 93
Windows Firewall - Rule created ports still not opemn 5 79
Cisco ASA 1 70
TMG 2010 Deployment 3 104
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question