FWAllow vs FWAllowEnd
I am reviewing my firewall logs and am noticing FWAllow and FWAllowEnd entries. The FWAllow is obvious to me but the FWAllowEnd is not. Can somebody explain this to me please?
Any information is appreciated.
Thanks,
Comments
Without the message ID, I can't say more than it sounds like a connection that ended. I pulled an example log from my firewall with the same disposition:
2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, src_port=56466, dst_ip=64.94.121.146, dst_port=443, src_intf=Firebox, dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; rcvd_bytes=13486, 3000-0151
The message ID here is at the end, and that's what we need to get more info on what that log means.
3000-0151
If you remove the dash in the message number (the last one) you can look it up in our log catalog. For that example, I found:
30000151
It is an INFO level message
Area is Firewall/Packet Filter
It means:
Traffic connection terminated
-Record for a terminated connection
So in this case, it's just a connection that ended.
You can find the log catalog here:
https://www.watchguard.com/help/docs/fireware/12/en-US/log_catalog/Log-Catalog_v12_5.pdf
Thank you,
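The lookup described in the reply above, as an added Python example that is not part of the original thread and is not WatchGuard code: it parses a line in the layout of the sample log, derives the catalog number by removing the dash from the trailing message ID, and summarizes records whose ID is 30000151. The field layout is assumed from that single sample line, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Log line copied from the reply above (the only sample on the page).
SAMPLE = ("2019-11-19 00:10:00 FWAllowEnd, , pri=6, disp=Allow, "
          "policy=Any-From-Firebox-00, protocol=https/tcp, src_ip=192.168.10.2, "
          "src_port=56466, dst_ip=64.94.121.146, dst_port=443, src_intf=Firebox, "
          "dst_intf=0-External, rc=106, duration=61; sent_bytes=2206; "
          "rcvd_bytes=13486, 3000-0151")

HEAD = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+),")
FIELD = re.compile(r"(\w+)=([^,;]+)")        # fields are separated by ',' or ';'
MSG_ID = re.compile(r"(\d{4})-(\d{4})\s*$")  # trailing message ID, e.g. 3000-0151
TERMINATED_ID = "30000151"                   # "Traffic connection terminated" per the reply


def parse_line(line):
    """Parse one traffic log line; return None if it does not match the sample's layout."""
    head, msg = HEAD.match(line), MSG_ID.search(line)
    if not head or not msg:
        return None
    rec = {k: v.strip() for k, v in FIELD.findall(line[head.end():msg.start()])}
    rec["time"] = datetime.strptime(head.group(1), "%Y-%m-%d %H:%M:%S")
    rec["event"] = head.group(2)
    rec["msg_id"] = msg.group(0).strip()
    rec["catalog_id"] = msg.group(1) + msg.group(2)  # dash removed for catalog lookup
    return rec


def ended_connections(lines):
    """Yield a summary for each record whose catalog ID marks a terminated connection."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["catalog_id"] == TERMINATED_ID:
            yield {
                "event": rec["event"],
                "flow": f'{rec.get("src_ip")}:{rec.get("src_port")} -> '
                        f'{rec.get("dst_ip")}:{rec.get("dst_port")}',
                "policy": rec.get("policy"),
                "duration": int(rec.get("duration", 0)),
                "bytes": int(rec.get("sent_bytes", 0)) + int(rec.get("rcvd_bytes", 0)),
            }


if __name__ == "__main__":
    for summary in ended_connections([SAMPLE, "not a traffic log line"]):
        print(summary)
```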
