I am reviewing my firewall logs and am noticing FWAllow and FWAllowEnd entries. The FWAllow is obvious to me but the FWAllowEnd is not. Can somebody explain this to me please?
Any information is appreciated.
Without the message ID, I can't say more than it sounds like a connection that ended. I pulled an example log from my firewall with the same disposition:
2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, src_port=56466, dst_ip=126.96.36.199, dst_port=443, src_intf=Firebox, dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; rcvd_bytes=13486, 3000-0151
The message ID here is at the end, and that's what we need to get more info on what that log means.
If you remove the dash in the message number (the last one) you can look it up in our log catalog. For that example, I found:
It is an INFO level message
Area is Firewall/Packet Filter
Traffic connection terminated
-Record for a terminated connection
So in this case, it's just a connection that ended.
You can find the log catalog here: https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf
WatchGuard Customer Support
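As an added example (not part of the thread and not WatchGuard code), the lookup described in the answer above can be scripted: this Python parser splits a traffic log line of the shape shown into its fields and derives the catalog lookup key by removing the dash from the trailing message ID. The function name, the assumption that field values contain no commas or semicolons, and allowing hex digits in the ID are assumptions of this example.

```python
import re

# Log line copied verbatim from the answer above.
SAMPLE = (
    "2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, "
    "policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, "
    "src_port=56466, dst_ip=126.96.36.199, dst_port=443, src_intf=Firebox, "
    "dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; "
    "rcvd_bytes=13486, 3000-0151"
)

HEADER = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+)")
# Trailing message ID after the last comma: two 4-character groups joined by
# a dash. Accepting hex digits is an assumption; the post shows only digits.
MSG_ID = re.compile(r",\s*([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})\s*$")


def parse_traffic_log(line):
    """Split one traffic log line into timestamp, type, fields and message ID."""
    head = HEADER.match(line)
    if not head:
        raise ValueError("line does not start with 'timestamp type'")
    tail = MSG_ID.search(line)  # None when the line carries no message ID
    body = line[head.end(): tail.start() if tail else len(line)]
    fields = {}
    # Fields are separated by ',' or ';' (both appear in the sample line).
    for token in re.split(r"[,;]", body):
        key, sep, value = token.strip().partition("=")
        if sep:
            fields[key] = value
    return {
        "time": head.group(1),
        "type": head.group(2),
        "fields": fields,
        "msg_id": f"{tail.group(1)}-{tail.group(2)}" if tail else None,
        # Catalog lookup key: the message ID with the dash removed.
        "catalog_key": tail.group(1) + tail.group(2) if tail else None,
    }


if __name__ == "__main__":
    rec = parse_traffic_log(SAMPLE)
    print(rec["type"], rec["msg_id"], "-> look up", rec["catalog_key"])
    keys = ("policy", "duration", "sent_bytes", "rcvd_bytes")
    print({k: rec["fields"][k] for k in keys})
```

A line exported without the trailing ID still parses, with `msg_id` and `catalog_key` set to `None`, which is the case where the catalog cannot be consulted.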