Firegen 3.0 Reports Explained

A Firegen report provides a standard set of information, regardless of the type of firewall analyzed. Some of that data may be absent, depending on what the firewall records in its logs. For example, some firewalls record the URLs of visited websites, while others do not record this type of information.

The HTML-based report is split into two panels. The left one lists the firewalls and the pairs of interfaces that recorded information in the logs.

Left Panel

Example:
Left panel

For this report, only one firewall was detected in the logs (10.55.116.150).

The Traffic per hour section links to a graph showing the traffic in MB and the corresponding number of denials over a 24-hour period.

The Interface pairs section provides subreports for each pair of network interfaces detected in the logs. In the example above, two interfaces were detected, "inside" and "outside" (these are the default names for a Cisco Pix firewall with two interfaces). Traffic was detected from the inside to the outside interface and from the outside to the inside interface.

The subsections showing the same interface name for both "from" and "to" (e.g. "inside to inside") provide details about traffic that happened only on one side of an interface (for example, broadcasts stopped by a firewall's internal interface). They are shown this way because the firewall did not record the destination interface.

The subsections displaying the interface name "if" contain data compiled from firewall log entries that did not record the interface on which the event occurred. For example, a Cisco Pix firewall does not record the interface for URL-related messages: the raw log entry simply states that a certain IP accessed a particular URL and nothing else.

For each pair of interfaces, the report includes a Traffic, Denials, Warnings and URLs section. If there is no data for one of these section types, that section is not displayed. In the sample above, the "outside to inside" section contains both Traffic and Denials but no Warnings or URLs, and the "inside to inside" section contains only Denials (for the denied connections attempted from the inside interface).

The Other messages section lists the firewall log messages that were not parsed by the analyzer. Given the large number of possible firewall log messages, combined with the various formats used by different syslog servers, some messages are not yet included in the analysis engine. Please copy this section and send it to support@firegen.com.

Following the Other messages section, a short section gives the version of the analysis engine and the duration of the analysis.

Right Panel

The top section in the right panel contains the details about the logs analyzed to compile the report, the list of firewalls detected and details about the total traffic, denials, warnings and URLs.

Firegen_Right

For each firewall, a separate section is created. Each firewall section starts with a graph displaying the traffic (in MB) and the number of denials over a 24-hour interval. If there is no data for a certain hour, there was no relevant data in the firewall logs for that hour.

The graph is followed by a table version of the data used to generate the graph.

The next section is called Interface pairs and it contains a list of pairs of firewall interfaces detected from the firewall log(s).

Firegen_interfaces

Each row in the report contains the pair of interfaces, the number of connections through that pair, the traffic (in MB), the percentage of the total firewall traffic it represents, and the number of denials and warnings.
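The interface-pair naming rules from the Left Panel section (a missing destination interface gives "inside to inside", no interface at all gives "if to if") and the hourly and per-pair tables described above are all aggregations over parsed log records. The Python below is an added example written for this page, not Firegen's own code: the record layout, the action values and the sample records are constructed assumptions, chosen so that the resulting rows match the sections discussed in the text.

```python
from collections import defaultdict

# Constructed sample of already-parsed log records from one firewall. The
# field names are assumptions made for this example; they are not Firegen's
# internal format. A None interface models a firewall that did not log it.
RECORDS = [
    {"ts": "2011-03-01 09:12:01", "src_if": "inside", "dst_if": "outside",
     "src": "10.1.1.5", "dst": "93.184.216.34", "proto": "tcp/80", "bytes": 1_500_000, "action": "permit"},
    {"ts": "2011-03-01 09:40:22", "src_if": "outside", "dst_if": "inside",
     "src": "203.0.113.9", "dst": "10.1.1.10", "proto": "tcp/25", "bytes": 300_000, "action": "permit"},
    {"ts": "2011-03-01 10:05:44", "src_if": "outside", "dst_if": "inside",
     "src": "198.51.100.7", "dst": "10.1.1.10", "proto": "tcp/445", "bytes": 0, "action": "deny"},
    # broadcast stopped on the inside interface: no destination interface logged
    {"ts": "2011-03-01 10:15:00", "src_if": "inside", "dst_if": None,
     "src": "10.1.1.7", "dst": "10.1.1.255", "proto": "udp/137", "bytes": 0, "action": "deny"},
    # URL message: the firewall logged no interface at all
    {"ts": "2011-03-01 11:30:09", "src_if": None, "dst_if": None,
     "src": "10.1.1.5", "dst": "93.184.216.34", "proto": "tcp/80", "bytes": 0, "action": "url"},
    {"ts": "2011-03-01 10:55:31", "src_if": "inside", "dst_if": "outside",
     "src": "10.1.1.6", "dst": "93.184.216.34", "proto": "tcp/443", "bytes": 700_000, "action": "warn"},
]

SECTION_ORDER = ("Traffic", "Denials", "Warnings", "URLs")
SECTION_FOR_ACTION = {"permit": "Traffic", "deny": "Denials", "warn": "Warnings", "url": "URLs"}


def interface_pair(rec):
    """Name the subreport a record belongs to, following the report's rules:
    a missing destination interface collapses to "X to X", and a record with
    no interface information at all is filed under "if to if"."""
    src_if = rec["src_if"] or "if"
    dst_if = rec["dst_if"] or src_if
    return f"{src_if} to {dst_if}"


def traffic_per_hour(records):
    """Return 24 MB values and 24 denial counts, one per hour of the day.
    Hours with no log entries simply stay at zero."""
    bytes_per_hour = [0] * 24
    denials = [0] * 24
    for r in records:
        hour = int(r["ts"][11:13])  # "YYYY-MM-DD HH:MM:SS" -> HH
        bytes_per_hour[hour] += r["bytes"]
        if r["action"] == "deny":
            denials[hour] += 1
    return [b / 1_000_000 for b in bytes_per_hour], denials


def interface_pairs_table(records):
    """One row per interface pair: connections, MB, share of total traffic,
    denials and warnings. Shares are computed from byte totals, not from the
    rounded MB column."""
    rows = defaultdict(lambda: {"connections": 0, "bytes": 0, "denials": 0, "warnings": 0})
    for r in records:
        row = rows[interface_pair(r)]
        row["connections"] += 1
        row["bytes"] += r["bytes"]
        if r["action"] == "deny":
            row["denials"] += 1
        elif r["action"] == "warn":
            row["warnings"] += 1
    total = sum(row["bytes"] for row in rows.values()) or 1
    for row in rows.values():
        row["mb"] = row["bytes"] / 1_000_000
        row["pct"] = round(100 * row["bytes"] / total, 1)
    return dict(rows)


def sections_present(records, pair):
    """Which of the Traffic / Denials / Warnings / URLs sections have data for
    a pair; the report omits the ones that come back empty."""
    present = {SECTION_FOR_ACTION[r["action"]] for r in records if interface_pair(r) == pair}
    return [s for s in SECTION_ORDER if s in present]


if __name__ == "__main__":
    for pair, row in interface_pairs_table(RECORDS).items():
        print(pair, row, sections_present(RECORDS, pair))
```

With the constructed records, "outside to inside" comes back with Traffic and Denials only and "inside to inside" with Denials only, which is the situation the Left Panel text describes; the URL record with no interface lands in "if to if".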

For each pair of interfaces, several report sections are created.

Top sources - The top source hosts, ordered by the total traffic they generated. If a host is listed in the Monitored keywords configuration file, the comment column shows the entry specified for that host in that file. The report table is followed by a pie chart of the source hosts.

Top destinations - Similar to Top sources, but containing information about the destination hosts.

Top sources, protocol and bytes - Displays the top source/protocol combinations, ordered by traffic in bytes. While Top sources lists each host with all its protocols aggregated, this section breaks the traffic down by protocol as well.

Top sources, destinations, protocols and bytes - Displays the top source/destination/protocol combinations, ordered by the total traffic for each combination.

Top protocols - Displays the top protocols for that specific interface pair, ordered by traffic. The number of connections is also displayed. A bar graph is shown under the Top protocols table.

The next sections are created for each protocol added to the Protocols with dedicated sections field on the Firegen Analysis tab. For example, if TCP/80 is present in the Protocols with dedicated sections, a table will be created with sources, destinations and total traffic for that particular protocol. If there is no data present in the logs for this protocol, the table will contain one line saying "No traffic recorded for protocol..."

Top denied sources - If denials are recorded in the log, Firegen creates this section, which displays the source hosts and the number of denials recorded for each. The First denial field indicates the date and time when the first denial was recorded for that particular source.

Top destinations for denied connections - Contains information about the destination hosts for the various denials recorded for that pair of interfaces.

Top denial reasons - Contains information about the reasons why various connections were denied. The information here depends a lot on the actual data recorded by the firewall. Some firewalls record a detailed reason, while others simply specify that the connection was denied. The Denial reason field displays the reason and a link to the corresponding entry in our LogWiki online database. The identifier for the reason is a firewall log entry code (as detected by Firegen). If there is no entry in the LogWiki for that particular denial reason, the user has the option to create one and add whatever information is available.

For example, for a Cisco Pix firewall, the Access group ACL-OUT denial reason points to the LogWiki entry for 4-106023, a Cisco Pix/ASA log entry type. Some firewalls do not record a code for their log entries; for these logs, Firegen creates a custom code that serves the same purpose.
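The per-pair sections above (Top sources with the Monitored keywords comment, the source/protocol and protocol tables, the dedicated-protocol table with its "No traffic recorded" fallback, Top denied sources with the First denial timestamp, and Top denial reasons keyed by a log code or a custom code) follow one pattern: group records of one kind, sum bytes or count events, sort, and cut to the top N. The Python below is an added example written for this page, not Firegen's code. The record layout, the sample records, the Monitored keywords stand-in, the custom-code derivation and the LogWiki URL pattern are all constructed assumptions; only the 4-106023 code and the Access group ACL-OUT reason come from the text.

```python
import re
from collections import Counter

# Constructed sample of already-parsed records for a single interface pair
# ("outside to inside"). Field names are assumptions made for this example.
# "code" is the firewall's own log entry code when it logged one.
RECORDS = [
    {"ts": "2011-03-01 09:40:22", "src": "203.0.113.9", "dst": "10.1.1.10", "proto": "tcp/25",
     "bytes": 300_000, "action": "permit", "code": None, "reason": None},
    {"ts": "2011-03-01 09:41:10", "src": "203.0.113.9", "dst": "10.1.1.10", "proto": "tcp/80",
     "bytes": 120_000, "action": "permit", "code": None, "reason": None},
    {"ts": "2011-03-01 09:50:00", "src": "198.51.100.7", "dst": "10.1.1.20", "proto": "tcp/80",
     "bytes": 900_000, "action": "permit", "code": None, "reason": None},
    {"ts": "2011-03-01 10:05:44", "src": "198.51.100.7", "dst": "10.1.1.10", "proto": "tcp/445",
     "bytes": 0, "action": "deny", "code": "4-106023", "reason": "Access group ACL-OUT"},
    {"ts": "2011-03-01 10:06:01", "src": "198.51.100.7", "dst": "10.1.1.11", "proto": "tcp/445",
     "bytes": 0, "action": "deny", "code": "4-106023", "reason": "Access group ACL-OUT"},
    # a firewall that logs only "denied", with no message code
    {"ts": "2011-03-01 10:20:15", "src": "192.0.2.44", "dst": "10.1.1.10", "proto": "udp/53",
     "bytes": 0, "action": "deny", "code": None, "reason": "connection denied"},
]

# Constructed stand-in for the Monitored keywords file: host -> comment.
MONITORED = {"198.51.100.7": "partner VPN gateway"}

# Placeholder URL pattern; the page gives no LogWiki address.
LOGWIKI_URL = "https://logwiki.example.invalid/{code}"


def top_by_bytes(records, key_fields, limit=5):
    """Generic "Top ..." table: group permitted traffic by the given fields and
    order by bytes, descending. Returns (key, bytes, connections) rows."""
    totals, conns = Counter(), Counter()
    for r in records:
        if r["action"] != "permit":
            continue
        key = tuple(r[f] for f in key_fields)
        totals[key] += r["bytes"]
        conns[key] += 1
    return [(key, totals[key], conns[key]) for key, _ in totals.most_common(limit)]


def top_sources(records, limit=5):
    """Top sources with the Monitored keywords comment attached."""
    return [(src, b, MONITORED.get(src, ""))
            for (src,), b, _ in top_by_bytes(records, ["src"], limit)]


def dedicated_protocol_section(records, proto):
    """Sources, destinations and traffic for one configured protocol, or the
    single "No traffic recorded" line when the logs hold nothing for it."""
    subset = [r for r in records if r["proto"] == proto]
    rows = top_by_bytes(subset, ["src", "dst"])
    if not rows:
        return [f"No traffic recorded for protocol {proto}"]
    return [(src, dst, b) for (src, dst), b, _ in rows]


def top_denied_sources(records, limit=5):
    """Denied sources with their denial count and First denial timestamp.
    Timestamps are ISO-style strings, so min() gives the earliest one."""
    count, first = Counter(), {}
    for r in records:
        if r["action"] != "deny":
            continue
        count[r["src"]] += 1
        first[r["src"]] = min(first.get(r["src"], r["ts"]), r["ts"])
    return [(src, n, first[src]) for src, n in count.most_common(limit)]


def denial_code(rec):
    """Use the firewall's own log code when present; otherwise derive a custom
    code from the reason text so the reason can still be keyed and looked up
    (the derivation is this example's own, not Firegen's scheme)."""
    if rec["code"]:
        return rec["code"]
    return "custom-" + re.sub(r"[^a-z0-9]+", "-", rec["reason"].lower()).strip("-")


def top_denial_reasons(records, limit=5):
    """Denial reasons keyed by log code, with count and LogWiki link."""
    count, reason = Counter(), {}
    for r in records:
        if r["action"] != "deny":
            continue
        code = denial_code(r)
        count[code] += 1
        reason[code] = r["reason"]
    return [(code, reason[code], n, LOGWIKI_URL.format(code=code))
            for code, n in count.most_common(limit)]


if __name__ == "__main__":
    print(top_sources(RECORDS))
    print(top_by_bytes(RECORDS, ["proto"]))
    print(dedicated_protocol_section(RECORDS, "tcp/443"))
    print(top_denied_sources(RECORDS))
    print(top_denial_reasons(RECORDS))
```

The same top_by_bytes() helper produces Top sources, Top sources/protocol and Top protocols by changing only the grouping fields, which is why denials are kept out of it: denied connections carry no byte counts and are counted separately, exactly as the report separates Traffic from Denials.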

Denials

Top denied protocols and reasons - Similar to the section above, this report subsection contains stats about the protocols denied and the reason for denial.

Denials protocols

Top warning messages - Very similar to the Top denials sections, it contains the source and destination host, the protocol and the actual warning message. The warning contains a link to LogWiki.

Warnings

Top URLs - Contains information about the top web pages accessed by hosts through a particular pair of firewall interfaces. This information is not recorded by all firewalls.

URLs

© Copyright 2001-2011 - Adootzi, Inc.