Distributed Cloud Firewall Monitoring

The Security > Distributed Cloud Firewall > Monitor tab provides a view of the traffic that is being processed by the Distributed Cloud Firewall (DCF) rules. You can also filter the logs to find specific information.

Logs are generated according to the logging option you selected when creating your DCF rules: at the beginning of the session, the end of the session, both, or Off/None. If you selected Start At, the logs are generated at the beginning of the session and some columns (Packets, Bytes, Duration, Reason) will not populate until the session ends.

The table refreshes every 15 seconds, and you can also refresh the table manually.

CoPilot throttles the logs for each connection shown on the Monitor tab to one packet per minute in each direction.

Available columns are (all available by default except where noted):

| Category | Column | Availability |
|---|---|---|
| Session Details | Session ID, Session Start, Session End, Logged At, Duration | Default |
| Network Information | Source IP, Destination IP, Source MAC Address, Destination MAC Address, Source Port, Destination Port, Protocol | Default except for Source MAC Address and Destination MAC Address |
| Traffic Data | Packets Received, Packets Transmitted, Packets Dropped, Bytes Transmitted | Default |
| DCF Rule Information | Rule, Log Engine (L4/L7 columns will become Log Engine), Reason, Result | Default |
| Additional Information | URL | Hidden in All Logs View |

Monitoring Details?

Click on a session ID to view the details of that session.

Filtering Log Data

You can filter on:

  • Timestamp

  • Rule

  • Log Engine (L4/L7 inspection)

  • Source/Destination IPs

  • SNI

  • Decrypted by

  • URL: this column is only populated when decryption is enabled on a DCF rule. This is done by adding a WebGroup to a DCF rule and also enabling the TLS Decryption option when creating a rule.

  • Protocol (TCP/ICMP/UDP)

  • Source/Destination Port

  • Source/Destination MAC

  • Action (Permit or Deny)

  • Enforced (True or False)

Click Save as New View or Save As after filtering your log data. You are prompted to enter a name for the view.

The saved views are then available from a second drop-down on the Performance page.

After selecting a saved view, you can:

  • Click Manage Views to view the Manage Views dialog. From here you can delete the view or apply it to the Monitor tab.

  • Clear it and select another saved view

  • Select new metrics/gateways and create or save another view

The available default views are:

  • Web Traffic: based on URL and SNI columns

  • Default Ruleset?

  • Available Rulesets?