Firewall Log Fields

The following table lists the log fields that can be included in Firewall service log entries by setting the corresponding bit in the LogFieldSelection property of the FPCLog object for Firewall service logging.

Bit number Field name (Log Viewer) Field name (SQL Server Express databases) Field name (W3C files) Description
  0 Server Name servername computer The name of the Forefront TMG computer. This is the computer name assigned in Microsoft Windows.
  1 Log Date logTime date The date on which the logged event occurred. In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  2 Log Time logTime time The local time when the logged event occurred. In the W3C extended file format and in ODBC-compliant SQL Server databases, this time is in Coordinated Universal Time (UTC). In the SQL Server Express format, both the date and the local time are included in the single logTime field, and the bits for both the date and time fields must be set.
  3 Transport protocol IP Protocol The transport protocol used for the connection. Common values are Transmission Control Protocol (TCP) and User Datagram Protocol (UDP).
  4 Client IP and Port SourceIP

SourcePort

source The Internet Protocol (IP) address of the requesting client and the source port used. In SQL Server Express format, there are separate SourceIP and SourcePort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP type.
  5 Destination IP and Port DestinationIP

DestinationPort

destination The network IP address and the reserved port number on the remote computer that provides service to the current connection. The port number is used by the client application initiating the request. In SQL Server Express format, there are separate DestinationIP and DestinationPort fields to allow individual querying. For ICMP packets, the additional field indicates the ICMP code.
  6 Original Client IP OriginalClientIP original client IP The original IP address of the requesting client.
  7 Source Network SourceNetwork source network The network from which the request originated.
  8 Destination Network DestinationNetwork destination network The network to which the request was sent.
  9 Action Action action The action performed by the Microsoft Firewall service for the current session or connection. The possible values are defined in the FpcAction enumerated type.
10 Result Code resultcode status A Windows error code or a Forefront TMG error code in HRESULT format. For more information about Forefront TMG error codes, see Error Codes.
11 Rule Rule rule The rule that either allowed or denied access to the request, as follows:
  • If an outgoing request was allowed, this field reflects the access rule that allowed the request.
  • If an outgoing request was denied, this field reflects the access rule that blocked the request.
  • If an incoming request was denied, this field reflects the Web publishing or server publishing rule that denied the request.
  • If no rule specifically allowed the outgoing or incoming request, the request is denied. In this case, the field is empty.
12 Protocol ApplicationProtocol application protocol The name of the application protocol used for the connection as defined in the collection of protocol definitions.
13 Bidirectional Bidirectional bidirectional A value from the FpcBidirectional enumerated type that indicates whether the connection was bidirectional.
14 Bytes Sent bytessent bytes sent The total number of bytes sent from the client to the destination host during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
15 Bytes Sent Delta bytessentDelta bytes sent intermediate The number of bytes sent from the client to the destination host since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the destination host or that no bytes were sent to the destination host.
16 Bytes Received bytesrecvd bytes received The total number of bytes sent from the remote computer and received by the client during the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
17 Bytes Received Delta bytesrecvdDelta bytes received intermediate The number of bytes sent from the remote computer and received by the client since the previous log entry for the current connection. A hyphen (-), a zero (0), or a negative number in this field indicates that this information was not provided by the remote computer or that no bytes were received from the remote computer.
18 Processing Time ConnectionTime connection time The total time, in milliseconds, that was needed by Forefront TMG to process the current connection. It measures the time elapsed from the time when the Forefront TMG computer first received the request to the time when final processing occurred on the Forefront TMG computer—when results were returned to the client and the connection was closed.
19 Processing Time Delta connectiontimeDelta connection time intermediate The time, in milliseconds, that has elapsed since the previous log entry for the current connection.
20 Source Proxy SourceProxy source proxy Reserved for future use.
21 Destination Proxy DestinationProxy destination proxy Reserved for future use.
22 Client Host Name SourceName Source Name Reserved for future use.
23 Destination Host Name DestinationName destination name The domain name for the remote computer that provides service to the current connection.
24 Client Username ClientUserName username The account of the user making the request. A question mark (?) next to the user name indicates that the user name was sent but the user was not authenticated by Forefront TMG. If Forefront TMG access control is not being used, Forefront TMG uses Anonymous.
25 Client Agent ClientAgent agent The name and version of the operating system that is running on the Firewall client that created the session, as indicated by the Hypertext Transfer Protocol (HTTP) User-Agent header sent by the client's browser application. This field is not applicable to SecureNAT sessions.

For the supported strings, see Client Agent Values. A User-Agent header that is not supported is regarded as an unknown operating system.

26 Session ID sessionid Session ID An identifier that identifies a session's connections. For Firewall clients, each process that connects through the Microsoft Firewall service initiates a session. For secure network address translation (SecureNAT) clients, a single session is opened for all the connections that originate from the same IP address.
27 Connection ID connectionid Connection ID An identifier that identifies entries belonging to the same socket. Outbound TCP usually has two entries for each connection: when the connection is established and when the connection is terminated. UDP usually has two entries for each remote address.
28 Network Interface Interface interface The network adapter with which the connection was established on the Forefront TMG computer.
29 Raw IP Header IPHeader IP header The IP header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG.
30 Raw Payload Payload protocol payload The protocol header of the current packet. Information is supplied to this field only for packets that are denied passage and are dropped by Forefront TMG.
31 GMT Log Time GmtLogTime GMT Time The date and time in Coordinated Universal Time (UTC) when the log entry was made.
32 IPS Scan Result ipsScanResult IPS scan result The Network Inspection System (NIS) scan result (not supported in Forefront TMG Medium Business Edition).
33 IPS Signature ipsSignature IPS signature The Network Inspection System (NIS) signature (not supported in Forefront TMG Medium Business Edition).

Client Agent Values

User-Agent header Client Agent value
Windows NT 5.2 Windows Server 2003
Windows NT 5.1 Windows XP
windows nt 5 Windows 2000
windows 2000 Windows 2000
win2000 Windows 2000
winnt Windows NT
windows nt Windows NT
win98 Windows 98
windows 98 Windows 98
win95 Windows 95
windows 95 Windows 95
win32 Windows 32-bit
win16 Windows 16-bit
windows ce Windows CE
windows Windows
aix aix
amiga amiga
hp hp
irix irix
linux linux
mac mac
solaris solaris
sun sun
unix unix
vax vax

See Also

Log Fields


Send comments about this topic to Microsoft

Build date: 11/30/2009

© 2008 Microsoft Corporation. All rights reserved.

[an error occurred while processing this directive]