Accepted Connections Reports

To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.

Note:
  • Accepted Connections data is summarized in ten-minute and one-hour intervals. If the report time interval is less than two hours, the time range is cut to ten minutes; if it is more than two hours, it is cut to one hour.
  • To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage when downloading this report.

Menu path: Reports > Network Activity > Accepted Connections

In addition to setting the common report options described in Preparing a Real-time Report, you can select optional filter operators in the generated report.

Optional filter operators can be sorted in ascending or descending order. Choose the sort order using the drop-down menu. The default is to display all of the following options:

Note: Column headings differ for PIX and non-PIX devices.

Accepted Connections Report - Optional Filter Operators

| Option | Description |
|---|---|
| Source Device | Description of the device that sent these log messages |
| Translated IP | IP address as translated by the device* |
| Source IP | IP address of the source host (non-PIX devices only) |
| Destination IP | IP address of the destination host device (non-PIX devices only) |
| Port | Port number (service) of the destination host |
| Protocol | Protocol of the destination host |
| Description | Description of the port (service) |
| Messages | Number of log messages received representing this connection |
| In Bytes | Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only) |
| Out Bytes | Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only) |
| Action | Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only) |

Note: * Under certain conditions, Network Address Translation (NAT) addresses can show up as 0.0.0.0 in real-time reports such as Accepted Connections Reports. This is not a bug, since System Alert messages of a certain type (e.g., FWSM-4-106100 in Cisco Catalyst 6500 Series Switches) do not have a translated (mapped) address present in the logs. Therefore, zero is correct because there is no relevant IP address in the parsed logs for FWSM-4-106100.
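
The summarization and translated-address behavior described in the notes above can be modeled as follows. This is an added illustration, not the product's code: the record layout, device names and sample values are constructed, "cut to" is read as the summary bucket size, and an interval of exactly two hours (which the note does not cover) is assumed to use one-hour buckets.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real logs):
# (timestamp, source device, translated IP or None, port, protocol)
SAMPLE = [
    ("2024-01-01 10:03:10", "fw-a", "198.51.100.7", 443, "tcp"),
    ("2024-01-01 10:07:55", "fw-a", "198.51.100.7", 443, "tcp"),
    ("2024-01-01 10:12:01", "fw-a", "198.51.100.7", 443, "tcp"),
    # Message type that carries no translated (mapped) address
    ("2024-01-01 10:14:30", "fwsm-1", None, 22, "tcp"),
]

def bucket_size(start, end):
    """Ten-minute buckets under two hours, one-hour buckets otherwise.
    Exactly two hours is not covered by the note; one hour is assumed."""
    if end - start < timedelta(hours=2):
        return timedelta(minutes=10)
    return timedelta(hours=1)

def summarize(records, start, end):
    """Count messages per (bucket start, device, translated IP, port, protocol)."""
    size = bucket_size(start, end)
    rows = Counter()
    for ts, device, translated, port, proto in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if not start <= when < end:
            continue
        # Floor the timestamp to the start of its summary bucket.
        bucket = datetime.min + ((when - datetime.min) // size) * size
        # No mapped address in the parsed log is reported as 0.0.0.0.
        rows[(bucket, device, translated or "0.0.0.0", port, proto)] += 1
    return rows

if __name__ == "__main__":
    day = datetime(2024, 1, 1)
    # A one-hour report interval, then a four-hour one, over the same records.
    for start_h, end_h in ((10, 11), (8, 12)):
        result = summarize(SAMPLE, day.replace(hour=start_h), day.replace(hour=end_h))
        print(f"interval {start_h}:00-{end_h}:00")
        for key, messages in sorted(result.items()):
            print("  ", key, "Messages =", messages)
```

The same three fw-a messages appear as two rows in the one-hour report and as a single row in the four-hour report, so the Messages count for a row depends on the interval that was requested.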

For information on saving the generated report, see Formats for Saving a Generated Report.