Reading Logs

Ben F — Tue, 12 Mar 2019 01:07:14 GMT

Hello, I'm reading through some logs. The logs contain hits on blacklisted IP address. I'm trying to determine if the connection was stopped at the firewall, but it isn't always clear. I'm trying to determine what is happening when I see the following:

Teardown UDP connection

Built outbound UDP connection

Teardown local-host

Built local-host

This might not necessarily help me figure things out, but it seems worth looking into! Thanks!

Reading Logs

Jouni Forss — Wed, 27 Feb 2013 22:23:15 GMT

Hi,

A "Built outbound UDP/TCP connection" message always means that a connection attempt has passed the firewall rules and was allowed to form through the firewall

A "Teardown UDP/TCP connection" message always means that a connection that was previously allowed to form through the firewall was removed from the firewall for a certain reason. (For TCP connections -> Normal TCP connection close, SYN Timeout, Idle timeout, etc)

I think the local-host messages are similiar. I personally look more for the Built/Teardown messages

If the firewall has blocked some connection attempt you would be looking at a log message that starts with "Deny"

I think there is a way to show the allowed connections also separately in the log but usually there is no actual need since we see what we need in the "Built" messages.

- Jouni

topic Reading Logs in Network Security

Reading Logs

Reading Logs