What's the log for incoming traffic dropped by NAT?

[fasttech]

I mean unsolicited traffic dropped that's not part of a session and not hitting the uvm therefore not in reports.

/var/log.... ?

[Jim.Alles]

you can get it in the GUI reports, but you have to Log blocked sessions (config/network/advanced)
Then filter [#reports?cat=network&rep=blocked-sessions] by the WAN IP address
They are not complete session records (i.e.: no country data)

[fasttech]

Yes, that's great. Now I remember using that long ago and see I already have that checked to log.

I just thought I used to look it up in /var/log somewhere but haven't found it now. No grep for me I guess.

Do you happen to know what the Filter Prefix are? What they mean, I can't find the meaning in the docs, like shield_blocked, invalid_blocked & filter_blocked, I think I know what they mean but would like to now for sure, specifically invalid_blocked.

[Jim.Alles]

Shield_blocked is, of course, NGFW's special sauce.

Invalid_Blocked is from the kernel:

Invalid means that it doesn't match to any known states. In other words, that's the kernel saying "I don't know why I received this packet". – bahamat Dec 3 '12 at 9:28

https://unix.stackexchange.com/questions/57423/how-to-understand-why-the-packet-was-considered-invalid-by-the-iptables

Filter_blocked is from iptables, either [Access Rules] or [Filter Rules], and doesn't carry the rule ID, unfortunately.

SQL query?

Note to general users (for posterity): logging blocked sessions is not the default setting, it is advanced. And it can complicate troubleshooting by support.

[fasttech]

Thanks Jim.