Distributed Cloud Firewall Monitoring

Under Security > Distributed Cloud Firewall > Monitor, you can filter packet logs for Distributed Cloud Firewall rules that have logging enabled, to determine why a rule may not be working as intended.

You can filter on:

  • Timestamp

  • Rule

  • L4/L7 inspection

  • Source/Destination Group (includes IPs of countries, Custom GeoGroups, and threat IPs)

  • Source/Destination IPs

  • SNI

  • Decrypted by

  • URL: this column is populated only when decryption is enabled on a DCF rule. To enable decryption, add a WebGroup to the DCF rule and enable the TLS Decryption option when creating the rule.

  • Protocol (TCP/ICMP/UDP)

  • Source/Destination Port

  • Source/Destination MAC

  • Action (Permit or Deny)

  • Enforced (True or False)

The table refreshes every 15 seconds, and you can also refresh the table manually.

CoPilot throttles the logs for each connection shown on the Monitor tab to one packet per minute in each direction.

Click Save as New View or Save As after filtering your log data. You are prompted to enter a name for the view.

The saved views are then available from a second drop-down on the Performance page.


After selecting a saved view, you can:

  • Click Manage Views to open the Manage Views dialog, where you can delete the view or apply it to the Monitor tab

  • Clear it and select another saved view

  • Select new metrics/gateways and create or save another view