Cisco Meraki

Firewall Logging


Introduction

Firewall Log is a live tool that shows the verdict for real-time traffic flows after they have been processed by the Layer 3 and Layer 7 firewalls. It can help surface issues during troubleshooting and verify that configured rules are working as expected. This feature is available on MX firmware release 18.2 and newer.

Quick Start Guide

To use Firewall Logging:

  1. Navigate to Security & SD-WAN > Appliance Status. 

  2. Click on the “Tools” tab. 

  3. Find “Firewall Log”.

  4. Enter any filters required and then click the “Start” button.

Verdict

Definition

The flow has been allowed

The flow has been denied

Filtering

For the best results with the Firewall Log tool, it is important to filter for a specific traffic flow you are targeting. The following filters can be configured:

Filter and accepted parameters:

Client

  • Client Name (as shown in Network-wide > Clients Dashboard page) 

  • MAC address

IP

  • Applies to Source or Destination IP:

    • IPv4

    • IPv6

Port

  • Port number (e.g., 80) 

Verdict

  • Allowed

  • Blocked

  • Both

Logging Expectations

Flows are uniquely defined by five elements: Source IP, Destination IP, Source Port, Destination Port, and Protocol. Each flow is expected to be logged once for each policy it passes through (in most cases, the Layer 7 and Layer 3 firewall rule policies). For example, if you send continuous pings to 8.8.8.8, you should see the flow logged only once for the L3 policy and once for the L7 policy. The same applies to TCP and UDP flows.
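The once-per-policy expectation can be checked against entries copied out of the tool. The following is an added example, not Meraki code: it groups entries by the five-tuple and flags flows whose entries disagree on the verdict or whose entry count differs from the expected number of policies. The row layout, the sample rows, and the default of two policies are assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed rows, hand-transcribed from the Firewall Log table. The column
# order is an assumption of this example; ICMP rows carry no ports.
ROWS = [
    ("allowed", "Mar 4 10:15:02", "192.0.2.10", 51514, "203.0.113.7", 443, "tcp"),
    ("denied", "Mar 4 10:15:02", "192.0.2.10", 51514, "203.0.113.7", 443, "tcp"),
    ("allowed", "Mar 4 10:15:09", "192.0.2.10", None, "8.8.8.8", None, "icmp"),
    ("allowed", "Mar 4 10:15:09", "192.0.2.10", None, "8.8.8.8", None, "icmp"),
    ("allowed", "Mar 4 10:16:30", "192.0.2.22", 40000, "198.51.100.5", 53, "udp"),
]

def parse_ts(text, year):
    """Parse 'Month Day HH:MM:SS'; the log carries no year, so one is supplied."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def group_flows(rows, year):
    """Group entries by 5-tuple: (src IP, dst IP, src port, dst port, protocol)."""
    flows = defaultdict(lambda: {"verdicts": [], "first_seen": None})
    for verdict, ts, src, sport, dst, dport, proto in rows:
        entry = flows[(src, dst, sport, dport, proto.lower())]
        entry["verdicts"].append(verdict.lower())
        when = parse_ts(ts, year)
        if entry["first_seen"] is None or when < entry["first_seen"]:
            entry["first_seen"] = when
    return dict(flows)

def review(rows, year, policies=2):
    """Return {5-tuple: finding} for flows that deviate from the expectation."""
    findings = {}
    for key, entry in group_flows(rows, year).items():
        verdicts = entry["verdicts"]
        if len(set(verdicts)) > 1:
            # One policy allowed the flow and another denied it.
            findings[key] = "mixed verdicts"
        elif len(verdicts) != policies:
            findings[key] = f"{len(verdicts)} entries, expected {policies}"
    return findings

if __name__ == "__main__":
    for key, finding in review(ROWS, 2024).items():
        print(key, "->", finding)
```

A flow with fewer entries than expected may simply have started before the log was running or been excluded by a filter, so treat that finding as a prompt to re-check the capture window.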

Definitions

Column: Definition

Verdict: Firewall decision (allowed or denied) based on configured Layer 3 and Layer 7 policy

Timestamp: Time of the event using the network configured time in the following format: Month Day HH:MM:SS

Source IP: IP address of the sender

Source Port: Port used by the sender

Destination IP: IP address of the receiver

Protocol: IP protocol used

Client: Identifier of the client as shown in Dashboard (Network-wide > Clients)
