Firewall Log Fields
The following table lists the log fields that can be included in Firewall service log entries by setting the corresponding character in the string held in the LogFieldSelectionString property of the FPCLog object for Firewall service logging.
The bit numbers listed in this table correspond to the zero-based numbers of the characters in the string held in the LogFieldSelectionString property.
| Bit number | Field name (Log Viewer) | Field name (SQL Server Express databases) | Field name (W3C files) | Description |
|---|---|---|---|---|
| 0 | Server Name | servername | computer | The name of the Forefront TMG computer. This is the computer name assigned in Microsoft Windows. |
| 1 | Log Date | logTime | date | The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 2 | Log Time | logTime | time | The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set. |
| 3 | Transport | protocol | IP Protocol | The transport protocol used for the connection. Common values are TCP and UDP. |
| 4 | Client IP and Port | SourceIP
SourcePort |
source | The IP address of the requesting client and the source port used. In SQL Server Express format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type. |
| 5 | Destination IP and Port | DestinationIP
DestinationPort |
destination | The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server Express format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code. |
| 6 | Original Client IP | OriginalClientIP | original client IP | The original IP address of the requesting client. |
| 7 | Source Network | SourceNetwork | source network | The network from which the request originated. |
| 8 | Destination Network | DestinationNetwork | destination network | The network to which the request was sent. |
| 9 | Action | Action | action | The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type. |
| 10 | Result Code | resultcode | status | A Windows error code or a Forefront TMG error code in HRESULT format. For more information about Forefront TMG error codes, see Error Codes. |
| 11 | Rule | Rule | rule | The rule that either allowed or denied access to the request, as follows:
|
| 12 | Protocol | ApplicationProtocol | application protocol | The name of the application protocol used for the connection as defined in the collection of protocol definitions. |
| 13 | Bidirectional | Bidirectional | bidirectional | A value from the FpcBidirectional enumerated type that indicates whether the connection was bidirectional. |
| 14 | Bytes Sent | bytessent | bytes sent | The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 15 | Bytes Sent Delta | bytessentDelta | bytes sent intermediate | The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host. |
| 16 | Bytes Received | bytesrecvd | bytes received | The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 17 | Bytes Received Delta | bytesrecvdDelta | bytes received intermediate | The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer. |
| 18 | Processing Time | ConnectionTime | connection time | The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer—when results were returned to the client and the connection was closed. |
| 19 | Processing Time Delta | connectiontimeDelta | connection time intermediate | The time, in milliseconds, that has elapsed since the previous log entry for the current connection. |
| 20 | Source Proxy (deprecated in Forefront TMG) | SourceProxy | source proxy | The name of the source proxy server. |
| 21 | Destination Proxy (deprecated in Forefront TMG) | DestinationProxy | destination proxy | The name of the destination proxy server. |
| 22 | Client Host Name (deprecated in Forefront TMG) | SourceName | Source Name | The name of the source host. |
| 23 | Destination Host Name | DestinationName | destination name | The domain name for the remote computer that provides service to the current connection. |
| 24 | Client Username | ClientUserName | username | The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous. |
| 25 | Client Agent | ClientAgent | agent | The name and version of the operating system that is running on the Forefront TMG Client or Firewall Client computer that created the session, as indicated by the Hypertext Transfer Protocol (HTTP) User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions.
For the supported strings, see Client Agent Values. A User-Agent header that is not supported is regarded as an unknown operating system. |
| 26 | Session ID | sessionid | Session ID | An identifier that identifies a session's connections. For Forefront TMG Client and Firewall Client computers, each process that connects through the Microsoft Firewall service initiates a session. For SecureNAT clients, a single session is opened for all the connections that originate from the same IP address. |
| 27 | Connection ID | connectionid | Connection ID | An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address. |
| 28 | Network Interface | Interface | interface | The network adapter with which the connection was established on the Forefront TMG computer. |
| 29 | Raw IP Header | IPHeader | IP header | The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 30 | Raw Payload | Payload | protocol payload | The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG. |
| 31 | GMT Log Time | GmtLogTime | GMT Time | The date and time in Coordinated Universal Time (UTC) when the log entry was made. |
| 32 | NIS Scan Result | ipsScanResult | NIS scan result | The Network Inspection System (NIS) scan result. The possible values are defined in the FpcIpsScanResult enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 33 | NIS Signature | ipsSignature | NIS signature | The NIS signature detected or used as a basis for blocking the traffic. |
| 34 | NAT Address | NAT Address | NAT Address | The public NAT IP address used as the source IP address for outbound traffic. |
| 35 | Forefront TMG Client FDQN | FwcClientFqdn | fwc-client-fqdn | The FQDN of the client computer for a Forefront TMG Client or Firewall Client connection. |
| 36 | Forefront TMG Client Application Path | FwcAppPath | fwc-app-path | The full path of the client application for a Forefront TMG Client or Firewall Client connection. |
| 37 | Firewall Client Application SHA1 Hash | FwcAppSHA1Hash | fwc-app-sha1-hash | The SHA1 hash value that is calculated for the executable file of the client application and used by Forefront TMG Client or Firewall Client to request a network connection. |
| 38 | Forefront TMG Client Application trust state | FwcAppTrusState | fwc-app-trust-state | A value that indicates whether the client application is trusted by the operating system running on the client computer. The possible values are defined in the FpcFwcClientApplicationTrustState enumerated type. Note that strings representing these values are displayed in the log viewer. |
| 39 | Forefront TMG Client Application Internal Name | FwcAppInternalName | fwc-app-internal-name | The internal name of the client application. |
| 40 | Forefront TMG Client Application Product Name | FwcAppProductName | fwc-app-product-name | The product name of the client application. |
| 41 | Forefront TMG Client Application Product Version | FwcAppProductVersion | fwc-app-product-version | The product verison of the client application. |
| 42 | Forefront TMG Client Application File Version | FwcAppFileVersion | fwc-app-file-vrsion | The file version of the client application. |
| 43 | Forefront TMG Client Application Original File Name | FwcAppOrgFileName | fwc-app-original-file-name | The original name of the client application. |
| 44 | Internal Service Info Log Fields | InternalServiceInfo | internal-service-info | The information generated by internal services. |
| 45 | NIS Application Protocol | ipsApplicationProtocol | NIS application protocol | The application protocol in which NIS detected the signature. |
| 46 | Forefront TMG Client Version | FwcVersion | fwc-version | The version of Forefront TMG Client. |
Client Agent Values
| User-Agent header | Client Agent value |
|---|---|
| Windows NT 5.2 | Windows Server 2003 |
| Windows NT 5.1 | Windows XP |
| windows nt 5 | Windows 2000 |
| windows 2000 | Windows 2000 |
| win2000 | Windows 2000 |
| winnt | Windows NT |
| windows nt | Windows NT |
| win98 | Windows 98 |
| windows 98 | Windows 98 |
| win95 | Windows 95 |
| windows 95 | Windows 95 |
| win32 | Windows 32-bit |
| win16 | Windows 16-bit |
| windows ce | Windows CE |
| windows | Windows |
| aix | aix |
| amiga | amiga |
| hp | hp |
| irix | irix |
| linux | linux |
| mac | mac |
| solaris | solaris |
| sun | sun |
| unix | unix |
| vax | vax |
Related topics
Build date: 7/12/2010