Distributed Cloud Firewall Monitoring

The Security > Distributed Cloud Firewall > Monitor tab provides a view of the traffic that is being processed by the Distributed Cloud Firewall (DCF) rules.

The table refreshes every 15 seconds, and you can also refresh the table manually.

CoPilot throttles the logs for each connection shown on the Monitor tab to one packet per minute in each direction.
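The effect of that throttling on what an analyst sees, as an added example (not CoPilot code). It assumes a connection direction is identified by its ordered 5-tuple and that a packet is logged only if that flow has not been logged in the previous 60 seconds; the page does not document the internal mechanism, and the packet data is constructed.

```python
from collections import Counter

WINDOW_SECONDS = 60  # page: one packet per minute, per connection, per direction


def throttle(packets, window=WINDOW_SECONDS):
    """Return the packets that would still appear as log rows.

    Assumption: a directional flow is the ordered 5-tuple, and a packet is
    logged only if the same flow was not logged within `window` seconds.
    """
    last_logged = {}
    rows = []
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
        previous = last_logged.get(flow)
        if previous is None or pkt["ts"] - previous >= window:
            last_logged[flow] = pkt["ts"]
            rows.append(pkt)
    return rows


def rows_per_direction(rows):
    """Count surviving log rows per (source IP, destination IP) direction."""
    return Counter((r["src"], r["dst"]) for r in rows)


def constructed_packets():
    """Constructed sample: one busy 150-second TCP session plus one lone packet."""
    pkts = []
    for second in range(150):
        for _ in range(10):  # 10 packets per second in each direction
            pkts.append({"ts": second, "src": "10.0.1.5", "sport": 40000,
                         "dst": "10.0.2.9", "dport": 443, "proto": "TCP"})
            pkts.append({"ts": second, "src": "10.0.2.9", "sport": 443,
                         "dst": "10.0.1.5", "dport": 40000, "proto": "TCP"})
    pkts.append({"ts": 30, "src": "10.0.1.7", "sport": 53000,
                 "dst": "10.0.2.9", "dport": 22, "proto": "TCP"})
    return pkts


if __name__ == "__main__":
    packets = constructed_packets()
    rows = throttle(packets)
    print(f"{len(packets)} packets -> {len(rows)} log rows")
    for direction, count in rows_per_direction(rows).items():
        print(direction, count)
```

Under this model, a row on the Monitor tab shows that a connection was active in a given minute, not how many packets it carried, so row counts should not be read as traffic volume.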

Available columns are listed below (all available by default except where noted). You can filter the logs by any of these columns, and you can also sort the logs by any column.

  • Timestamp: The time the log entry was created.

  • Rule: The DCF rule that processed the traffic.

  • Log Engine: Indicates whether L4 or L7 inspection was used.

  • Gateway (not available by default): Indicates the gateway that processed the traffic.

  • Source IP: The source IP address of the traffic.

  • Destination IP: The destination IP address of the traffic.

  • SNI (not available by default): The Server Name Indication for TLS traffic.

  • Decrypted by (not available by default): Indicates the entity that performed decryption.

  • URL: Populated when decryption is enabled on a DCF rule.

  • Protocol: The protocol used (e.g., TCP, ICMP, UDP).

  • Source Port: The source port of the traffic.

  • Destination Port: The destination port of the traffic.

  • Source MAC (not available by default): The source MAC address of the traffic.

  • Destination MAC (not available by default): The destination MAC address of the traffic.

  • Action: Indicates whether the traffic was permitted or denied.

  • Enforced: Specifies whether the rule was enforced (True or False).

  • Reason: The reason for the action taken.

Monitoring Details

Clicking on a rule name on the Monitor tab opens the DCF Policies details page, which shows the rule’s details and the traffic that has been processed by that rule.

Creating and Saving Views

On the Monitor tab, click Save as New View or Save As after filtering your log data. You are prompted to enter a name for the view.

The saved views are then available from a second drop-down on the Performance page.

After selecting a saved view, you can:

  • Click Manage Views to view the Manage Views dialog. From here you can delete the view or apply it to the Monitor tab.

  • Clear it and select another saved view.

  • Select new metrics/gateways and create or save another view.

The available default views are All Logs and Web Traffic.