Reading Watchguard Logs

Silly question....

I'm trying to analyze some of our logs and not sure what to make of the Proto heading.

Date Time Disp. i/f Proto.

07/30/01 11:17:23 deny in eth0 78 udp 20 128

I understand the 'udp' part, but what do the 78, 20 and 128 mean?

Thanks,

FGR

-- frankgrimesjr

Which WG unit do you have?

My firebox units have a LOT more in the logs and the log viewer has a header that explains the columns.

My columns are as follows: Date, Time, Disp (deny/allow), Direction (in/out), I/F (interface: ETH0:1, ETH0:2, ETH0, ETH1...), Protocol (UDP, ICMP, TCP), Source IP, Dest IP, Source Port, Dest Port, Details (rule that caused the action).

-- Leythos

I am running an FB 1000 (or 3). I think I understand everything else except the '78 udp 20 128'. E.g. what does the 78 mean? Same for the 20 and 128.

Thanks for the response!

FG

-- frankgrimesjr

Paste the entire line of the log entry; it appears you're missing something.

You're missing the source/dest IP values in what you've pasted and the "Details" value also.

All my UDP entries show a lot more detail than yours.

My Firebox III/1000, II, x700, X1000, etc... all show a lot more detail than you've provided.

What version of the firmware and logging are you running?

The current version is 7.4x

-- Leythos

Here it is:

06/21/06 10:12 firewalld[127]: deny in eth2 78 udp 20 128 192.168.0.78 192.168.0.255 137 137 (spoofed source address)

BTW - We are running v7.3.

Thanks!

-- frankgrimesjr

137 is typical Windows crap; we always block ports 135 through 139 and 445 between interfaces.

The spoofed could be a couple of things:

1) Is your internal network on 192.168.0.0/24? If not, then you've got a rogue NODE someplace in your network.

2) You didn't set up the blocked NAT config to allow 192.168.0.0/24; the default is to not approve 192.168.0.0/16, I think.

....

As for the 78, 20, 128, I don't know what they represent. When I check my logs I don't see things like that anywhere.

Consider posting to the WG WSF groups and asking them.

-- Leythos
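The following parser is an added example, not code from the thread or from WatchGuard. It assumes the column layout Leythos lists (Disp, Direction, I/F, Protocol, Source IP, Dest IP, Source Port, Dest Port, Details) around the three unexplained numeric columns, which it keeps as raw integers because the thread never settles what 78, 20 and 128 mean. The `review` function turns Leythos's two points into checks: a private source address that is not inside the configured internal network (a rogue node or a missing NAT allow), and traffic on the Windows ports 135-139/445. The sample log lines are constructed; the first is the line frankgrimesjr posted, the second is made up for contrast, and the truncated 2001-format line is rejected as incomplete, which is the point Leythos made about the first paste.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in the format shown in the thread (not a real capture).
SAMPLE_LOG = """\
06/21/06 10:12 firewalld[127]: deny in eth2 78 udp 20 128 192.168.0.78 192.168.0.255 137 137 (spoofed source address)
06/21/06 10:13 firewalld[127]: allow out eth0 60 tcp 20 64 10.0.0.5 203.0.113.9 51514 443
"""

# Assumed layout: date time [firewalld[pid]:] disp direction iface N1 proto N2 N3 src dst sport dport [(details)]
# The "firewalld[pid]:" tag is optional so the older 2001-style paste is recognised up to where it stops.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?:firewalld\[(?P<pid>\d+)\]:\s+)?"
    r"(?P<disp>allow|deny)\s+(?P<direction>in|out)\s+(?P<iface>\S+)\s+"
    r"(?P<n1>\d+)\s+(?P<proto>\w+)\s+(?P<n2>\d+)\s+(?P<n3>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)"
    r"(?:\s+\((?P<details>[^)]*)\))?\s*$"
)


@dataclass
class Entry:
    date: str
    time: str
    disp: str
    direction: str
    iface: str
    proto: str
    field1: int  # the "78" column; its meaning is not established in the thread
    field2: int  # the "20" column
    field3: int  # the "128" column
    src: str
    dst: str
    sport: int
    dport: int
    details: Optional[str]


def parse_line(line: str) -> Optional[Entry]:
    """Parse one firewalld line; return None when the line is not a complete entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        date=m["date"], time=m["time"], disp=m["disp"], direction=m["direction"],
        iface=m["iface"], proto=m["proto"].lower(),
        field1=int(m["n1"]), field2=int(m["n2"]), field3=int(m["n3"]),
        src=m["src"], dst=m["dst"], sport=int(m["sport"]), dport=int(m["dport"]),
        details=m["details"],
    )


def parse_log(text: str) -> List[Entry]:
    """Parse every complete line; incomplete pastes are silently skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


# Ports Leythos says he blocks between interfaces (NetBIOS/SMB).
WINDOWS_NOISE_PORTS = {135, 136, 137, 138, 139, 445}


def review(entry: Entry, internal_net: str) -> List[str]:
    """Return findings for one entry; internal_net is the subnet you expect behind the interface."""
    findings = []
    net = ipaddress.ip_network(internal_net)
    src = ipaddress.ip_address(entry.src)
    dst = ipaddress.ip_address(entry.dst)
    if entry.details and "spoofed" in entry.details:
        findings.append("firebox marked the source address as spoofed")
    if entry.direction == "in" and src.is_private and src not in net:
        findings.append(f"private source {entry.src} outside {internal_net}: rogue node or missing NAT allow")
    if entry.sport in WINDOWS_NOISE_PORTS or entry.dport in WINDOWS_NOISE_PORTS:
        findings.append(f"Windows name/file-service traffic {entry.sport}->{entry.dport}")
    if int(dst) & 0xFF == 0xFF:  # /24 broadcast heuristic, e.g. 192.168.0.255
        findings.append(f"destination {entry.dst} is a subnet broadcast")
    return findings


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.date, e.time, e.disp, e.direction, e.iface, e.proto, e.src, "->", e.dst)
        for f in review(e, "10.0.0.0/24"):
            print("   ", f)
```

Running it against the posted line with `internal_net="10.0.0.0/24"` produces four findings (spoofed, private source outside the internal net, port 137, broadcast destination); with `"192.168.0.0/24"` the rogue-node finding disappears and only the spoofed/NetBIOS/broadcast notes remain, which is exactly the distinction between Leythos's point 1 and point 2.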
