The table below lists the keys and values in a message with the Firewall
event type.
Information about an event with the Firewall event type
Key | Value |
---|---|
cs4 cs4Label | Event priority. Always This value is displayed by default. |
externalId | Session ID. |
cs1 cs1Label | Name of the security rule that the session matched. This value is displayed by default. |
 | UUID of the security rule that the session matched. This value is displayed by default. |
act | The action specified in the security rule. |
KasperskyNgfwFullMatch | Parameter indicating whether the session matches any security rule. Possible values: |
cs2 cs2Label | Name of the decryption rule that the session matched. This value is displayed by default. |
cs5 cs5Label | The action specified in the decryption rule, if a decryption rule exists. |
cs3 cs3Label | Whether the Decrypted check box is selected. Possible values: |
start | Date and time when the session was created. |
rt | Date and time when the event was generated on the Kaspersky NGFW device (the session was removed and was recorded in the NGFW log). Format: |
dtz | Time zone on the Kaspersky NGFW device. Format: Default value: |
end | Date and time when the session ended. This value is displayed by default. |
reason | The reason why the session ended. |
cn1 cn1Label | Session duration in seconds. This field can be left empty. For short sessions and for the session start event, the value is |
cn2 cn2Label | Number of packets received from the client. |
cn3 cn3Label | Number of packets received from the server. This field can be left empty. |
in | Number of bytes received from the client. |
out | Number of bytes received from the server. This field can be left empty. |
dvchost | Host name of the Kaspersky NGFW device. This value is displayed by default. |
src | Source IP address. This value is displayed by default. |
dst | Destination IP address. This value is displayed by default. |
 | Source security zone. This value is displayed by default. |
 | Destination security zone. This value is displayed by default. |
 | Source interface. This value is displayed by default. |
 | Destination interface. This value is displayed by default. |
proto | L3–L4 protocol. This value is displayed by default. |
spt | For TCP and UDP, the source port. For ICMP, the ICMP ID. For other protocols, this field is left empty. This value is displayed by default. |
dpt | For TCP and UDP, the destination port. For ICMP, the ICMP ID. For other protocols, this field is left empty. This value is displayed by default. |
KasperskyNGFWICMPType | ICMP message types. Applicable only to ICMP traffic. Field format: For other protocols, this field is left empty. |
KasperskyNGFWICMPCode | ICMP message codes. Applicable only to ICMP traffic. Field format: For other protocols, this field is left empty. |
KasperskyNGFWTCPRedir | Whether the session was redirected to a transparent proxy server for TCP traffic. Possible values: For non-TCP traffic, the value is always |
app | L7 protocol from the Application Control detection. For all protocols excluding UDP and TCP, but including unrecognized UDP and TCP, the value is This value is displayed by default. |
 | Name of the L7 service or a list of the names of services that the client accessed. Examples: This value is displayed by default. This field can be left empty. |
 | Category of the L7 service or a list of the categories of services that the client accessed. Examples: This value is displayed by default. This field can be left empty. |
sproc | Name of the application (from the Application Control detection) from which the client request was initiated. For all protocols excluding UDP and TCP, but including unrecognized UDP and TCP, the value is Example: This value is displayed by default. For the session start event, this value is not displayed. |
DestinationDnsDomain | Domain name (one per session). This field is populated when the session passes through Web Control and/or URL Anti-Virus. For the session start event, this value is not displayed. |
KasperskyNGFWWebControlProfile | Name of the Web Control profile. Possible values: |
KasperskyNGFWDNSProfile | Name of the DNS Security profile. Possible values: |
KasperskyNGFWAvProfile | Name of the Anti-Virus profile. Possible values: |
KasperskyNGFWIdpsProfile | Name of the IDPS profile. Possible values: |
KasperskyNGFWSrcCountry | The country or territory that matches the source IP address by geographic location. If the country or territory cannot be determined, This value is displayed by default. |
 | The country or territory that matches the destination IP address by geographic location. If the country or territory cannot be determined, This value is displayed by default. |
 | ID of the source user (information from Active Directory). This value is displayed by default. |
 | ID of the destination user (information from Active Directory). This value is displayed by default. |
 | Name of the NAT rule. |
 | Translated source address. This value is displayed by default. |
 | Translated source port. This value is displayed by default. |
 | Translated destination address. This value is displayed by default. |
 | Translated destination port. This value is displayed by default. |
 | Whether the traffic has passed through the ExplicitProxy inside the Kaspersky NGFW device. Possible values: |
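As an added illustration (not Kaspersky documentation or product code), the Python below parses a constructed CEF line that carries the Firewall keys listed above, pairs each csN/cnN value with the name in its csNLabel/cnNLabel field as CEF defines, and cross-checks the reported session duration against start and end. The header fields, label names, rule name and the ISO 8601 timestamp format are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed sample (not a real NGFW log line). It uses Firewall event keys from
# the table; header fields, label names, rule name and timestamp format are assumed.
SAMPLE_EVENT = (
    "CEF:0|Kaspersky|NGFW|1.0|fw|Firewall|3|"
    "externalId=42 act=allow proto=TCP src=10.0.0.5 spt=51234 "
    "dst=203.0.113.7 dpt=443 in=1500 out=64000 "
    "cn1=12 cn1Label=Session duration cs1=Allow\\=Web cs1Label=Security rule "
    "dvchost=ngfw-01 start=2024-01-01T10:00:00 end=2024-01-01T10:00:12 "
    "DestinationDnsDomain=example.com"
)

# One extension pair: values may contain spaces, so a value runs until the next
# "<space>key=" or end of line; "\=" and "\\" are CEF escapes inside values.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its 7 header fields and an extension dict."""
    parts = line.split("|", 7)  # header pipes are not escaped in this sample
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    names = ("version", "vendor", "product", "dev_version", "signature", "name", "severity")
    header = dict(zip(names, parts[:7]))
    ext = {k: re.sub(r"\\(.)", r"\1", v) for k, v in EXT_RE.findall(parts[7])}
    return header, ext


def resolve_labels(ext):
    """Replace csN/cnN keys with the names carried in csNLabel/cnNLabel (CEF convention)."""
    out = dict(ext)
    for key in list(ext):
        if key.endswith("Label") and key[:-5] in ext:
            out[ext[key]] = ext[key[:-5]]
            del out[key], out[key[:-5]]
    return out


def firewall_session(line):
    """Pull the fields a detection rule would key on from a Firewall event."""
    _, fields = parse_cef(line)
    fields = resolve_labels(fields)
    session = {
        "session_id": fields.get("externalId"),
        "action": fields.get("act"),
        "rule": fields.get("Security rule"),
        "flow": tuple(fields.get(k) for k in ("src", "spt", "dst", "dpt", "proto")),
        "bytes_client": int(fields.get("in") or 0),
        "bytes_server": int(fields.get("out") or 0),  # "out" may be empty per the table
        "domain": fields.get("DestinationDnsDomain"),
    }
    if "start" in fields and "end" in fields:  # sanity-check cn1 against the timestamps
        delta = datetime.fromisoformat(fields["end"]) - datetime.fromisoformat(fields["start"])
        session["duration_ok"] = fields.get("Session duration") == str(int(delta.total_seconds()))
    return session
```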