I mean unsolicited traffic dropped that's not part of a session and not hitting the uvm therefore not in reports.
/var/log.... ?
You can get it in the GUI reports, but you have to Log blocked sessions (config/network/advanced).
Then filter [#reports?cat=network&rep=blocked-sessions] by the WAN IP address.
They are not complete session records (i.e., no country data).
Last edited by Jim.Alles; 03-26-2020 at 09:59 AM.
Yes, that's great. Now I remember using that long ago and see I already have that checked to log.
I just thought I used to look it up in /var/log somewhere but haven't found it now. No grep for me I guess.
Do you happen to know what the Filter Prefixes are and what they mean? I can't find the meaning in the docs, like shield_blocked, invalid_blocked & filter_blocked. I think I know what they mean but would like to know for sure, specifically invalid_blocked.
Shield_blocked is, of course, NGFW's special sauce.
Invalid_Blocked is from the kernel:
https://unix.stackexchange.com/questions/57423/how-to-understand-why-the-packet-was-considered-invalid-by-the-iptables
Invalid means that it doesn't match to any known states. In other words, that's the kernel saying "I don't know why I received this packet". – bahamat Dec 3 '12 at 9:28
Filter_blocked is from iptables, either [Access Rules] or [Filter Rules], and doesn't carry the rule ID, unfortunately.
SQL query?
Note to general users (for posterity): logging blocked sessions is not the default setting; it is advanced. And it can complicate troubleshooting by support.
Thanks Jim.