FWAllow vs FWAllowEnd
I am reviewing my firewall logs and am noticing FWAllow and FWAllowEnd entries. The FWAllow is obvious to me but the FWAllowEnd is not. Can somebody explain this to me please?
Any information is appreciated.
Thanks,
Comments
Hi @JoshuaThompson
Without the message ID, I can't say more than it sounds like a connection that ended. I pulled an example log from my firewall with the same disposition:
2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, src_port=56466, dst_ip=64.94.121.146, dst_port=443, src_intf=Firebox, dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; rcvd_bytes=13486, 3000-0151
The message ID here is at the end, and that's what we need to get more info on what that log means.
3000-0151
If you remove the dash in the message number (the last one) you can look it up in our log catalog. For that example, I found:
30000151
It is an INFO level message
Area is Firewall/Packet Filter
It means:
Traffic connection terminated
-Record for a terminated connection
So in this case, it's just a connection that ended.
You can find the log catalog here:
https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf
Thank you,
-James Carson
WatchGuard Customer Support
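
An added example, not part of the reply above and not WatchGuard code: a small Python parser for the traffic log line quoted in the reply, which extracts the key=value fields and turns the trailing message ID into the dash-free form used to search the log catalog. The function names are hypothetical, and the field separators and ID shape are assumed from that single sample line.

```python
import re

# Log line copied from the reply above; it is the only sample on the page.
SAMPLE = (
    "2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, "
    "policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, "
    "src_port=56466, dst_ip=64.94.121.146, dst_port=443, src_intf=Firebox, "
    "dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; "
    "rcvd_bytes=13486, 3000-0151"
)

HEAD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)")
MSG_ID = re.compile(r"^\d{4}-\d{4}$")  # shape of the ID in the sample (assumed general)


def parse_traffic_log(line):
    """Split one line into timestamp, message type, key=value fields and message ID."""
    head = HEAD.match(line)
    if head is None:
        raise ValueError("line does not start with 'YYYY-MM-DD HH:MM:SS <type>'")
    record = {"timestamp": head.group(1), "type": head.group(2),
              "fields": {}, "msg_id": None}
    # The sample separates fields with ',' and, around the byte counters, ';'.
    for token in re.split(r"[,;]", line[head.end():]):
        token = token.strip()
        if "=" in token:
            key, value = token.split("=", 1)
            record["fields"][key.strip()] = value.strip()
        elif MSG_ID.match(token):
            record["msg_id"] = token
    return record


def catalog_id(record):
    """Message ID with the dash removed, the form used to search the log catalog."""
    return record["msg_id"].replace("-", "") if record["msg_id"] else None


def flow_summary(record):
    """Flow endpoints plus the numeric counters present on the record."""
    f = record["fields"]
    summary = {"src": f"{f['src_ip']}:{f['src_port']}",
               "dst": f"{f['dst_ip']}:{f['dst_port']}",
               "policy": f.get("policy")}
    for counter in ("duration", "sent_bytes", "rcvd_bytes"):
        if counter in f:  # counters may be missing on other record types (assumption)
            summary[counter] = int(f[counter])
    return summary


if __name__ == "__main__":
    rec = parse_traffic_log(SAMPLE)
    print(rec["type"], catalog_id(rec), flow_summary(rec))
```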