Distributed Cloud Firewall Logging

Aviatrix Controller 8.2 introduces configurable session-level logging for Distributed Cloud Firewall (DCF) policies, providing granular control over logging points and richer session insights. This feature improves visibility into traffic flows, supports compliance requirements, and enhances operational analysis.

  • Feature: Configurable session-level logging with start/end options

  • New Attributes: Duration, traffic size, stage indicators

  • Terraform and API Support: log_profile field introduced

  • UI Update: Log dropdown in DCF Policies tab

Key Features

  • Flexible Logging Points: Log at Start (existing), Log at End (new), Log at Start & End (new), or Off

  • Start/End Time: Precise timestamps for session lifecycle

  • Duration: Total session length

  • Stage: Indicates session phase (start or end)

  • Request/Response Bytes (Layer 7): Application-level traffic size

  • Transmitted Bytes/Packets (Layer 3): Network-level traffic metrics

  • API and Terraform Support: New log_profile field in policy resources with predefined profiles: start, end, start_end, off

Accessing DCF Logging Settings through CoPilot UI

Navigate to *CoPilot UI > Security >  Distributed Firewall > Policies*, from the logging dropdown in the policy rule editor, select the desired logging option.

Logging Options

  • Log at Start: Captures session initiation details

  • Log at End: Captures session termination details, including duration and traffic size

  • Log at Start & End: Provides full lifecycle visibility

  • Off: Disables logging for the rule

Benefits

  • Control: Choose when transactions are logged for better flexibility

  • Insight: Start logging provides quick enforcement visibility; End logging provides detailed traffic patterns (duration, size)

  • Operational Efficiency: Richer logs for troubleshooting and compliance

  • Future-Ready: Log profiles can evolve to include advanced features (e.g., anomaly detection)

  • Improved Security Monitoring: Detect anomalies and policy violations

  • Better Compliance Reporting: Capture complete session details for audits

  • Enhanced Troubleshooting: Diagnose complex traffic flows with full lifecycle data

Configure DCF Logging

Configure DCF Logging on CoPilot

  1. Navigate to Security > Distributed Cloud Firewall > Policies

  2. Edit or create a policy rule.

  3. In the Log dropdown, select: Start, End, Start & End, or Off.

  4. Save changes and validate via Traffic Logs.

Configure DCF Logging with Terraform as an Example

resource "aviatrix_policy_ruleset" "example_ruleset" {
    name        = "example-logging"
    description = "Example ruleset with enhanced logging"

    rule {
        source_sg      = "app_sg"
        destination_sg = "db_sg"
        action         = "allow"
        logging        = true
        log_profile    = "start_end"  # Options: start | end | start_end | off
    }
}

Configure DCF Logging Using API as an Example

Create or update rule with log profile:

curl -X POST "https://<controller>/v2.5/policy-rule" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <TOKEN>" \
  -d '{
    "ruleset_name": "example-logging",
    "rule": {
      "source_sg": "app_sg",
      "destination_sg": "db_sg",
      "action": "allow",
      "log_profile": "start_end"
    }
  }'

Log Output Enhancements

Sample log fields for End Logging:

{
    "timestamp_start": "2025-11-12T12:30:45Z",
    "timestamp_end": "2025-11-12T12:32:10Z",
    "duration_ms": 85000,
    "stage": "end",
    "bytes_tx": 1048576,
    "bytes_rx": 524288,
    "packets_tx": 1200,
    "packets_rx": 600,
    "l7_request_bytes": 512000,
    "l7_response_bytes": 256000
}