Secure Internet and SaaS Access (ZIA)

NSS Feed Output Format: Firewall Logs

The Firewall Nanolog Streaming Service (NSS) feed specifies the data from the Firewall logs that the NSS sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

Example of a Firewall log record as it appears in the feed output:

  • "Mon Jun 20 15:35:48 2022","new-gre","Default Department","new-gre","80","36084","80","0","172.17.3.49","216.113.179.53","0.0.0.0","216.113.179.53","10.66.89.115","0","GRE","Drop","No","Yes","No","HTTP","ebay","TCP","Online Shopping","United States","21","Firewall_1","14693","548","0","21","1","None","None","None","NA","NA"

For the Standard Firewall subscription, allowed sessions are logged in aggregate form, resulting in fewer logs for the allowed transactions. Blocked transactions have detailed logs and produce a log for every blocked session.

If you want detailed logging for all sessions, including blocked and allowed transactions, you must have the Advanced Firewall subscription. However, detailed logging for DNS transactions is available with both Standard and Advanced Firewall subscriptions. To learn more, see Understanding Firewall Capabilities.

Logs are aggregated for each of the following fields within a 15-minute time window: User, Rule Slot, Network Service, Network Application, and IP Category. For consecutive sessions with the same values across these fields, Zscaler only records a single log, in which the remaining fields are taken from the last session in the 15-minute time window.
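
The aggregation rule above has a consequence that matters when you investigate an allowed session: every per-session field in an aggregated record (client IP, client port, time) describes only the last session of the run, and the intermediate sessions are invisible except through the counters. The following model of that behaviour is an added example, not Zscaler's implementation; it assumes the window is anchored at the first session of a run, uses the rule name in place of the Rule Slot, and treats blocked sessions as always logged individually (all three are assumptions of this example). The field names are the NSS field names from this page; the traffic is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Field names follow the NSS feed fields on this page (login, rulelabel, nwsvc,
# nwapp, ipcat, csip, csport, durationms, action). "Rule Slot" is modelled by
# rulelabel, and the 15-minute window is anchored at the first session of a run:
# both are assumptions of this example, not Zscaler's documented logic.
AGGREGATION_KEY = ("login", "rulelabel", "nwsvc", "nwapp", "ipcat")
WINDOW = timedelta(minutes=15)


@dataclass
class Session:
    time: datetime
    login: str
    rulelabel: str
    nwsvc: str
    nwapp: str
    ipcat: str
    csip: str
    csport: int
    durationms: int
    action: str  # "Allowed" or "Blocked"


def _emit(sessions: List[Session]) -> Dict[str, object]:
    """Build one log record from a run of sessions. Every per-session field
    (time, csip, csport, ...) is taken from the LAST session; only the counters
    summarise the whole run."""
    last = sessions[-1]
    n = len(sessions)
    return {
        "time": last.time, "login": last.login, "rulelabel": last.rulelabel,
        "nwsvc": last.nwsvc, "nwapp": last.nwapp, "ipcat": last.ipcat,
        "csip": last.csip, "csport": last.csport, "action": last.action,
        "aggregate": "Yes" if n > 1 else "No",
        "numsessions": n,
        "avgduration": sum(s.durationms for s in sessions) // n,  # milliseconds
    }


def aggregate(sessions: List[Session]) -> List[Dict[str, object]]:
    """Collapse allowed sessions that share the aggregation key within a 15-minute
    window into a single record; blocked sessions are always logged individually."""
    open_runs: Dict[tuple, List[Session]] = {}
    logs: List[Dict[str, object]] = []
    for s in sorted(sessions, key=lambda x: x.time):
        if s.action != "Allowed":
            logs.append(_emit([s]))
            continue
        key = tuple(getattr(s, k) for k in AGGREGATION_KEY)
        run = open_runs.get(key)
        if run is not None and s.time - run[0].time < WINDOW:
            run.append(s)
        else:
            if run is not None:
                logs.append(_emit(run))  # window expired: flush the old run
            open_runs[key] = [s]
    for run in open_runs.values():
        logs.append(_emit(run))
    return sorted(logs, key=lambda r: r["time"])


# Constructed sample traffic (not real data).
T0 = datetime(2023, 10, 16, 22, 40, 0)
SAMPLE_SESSIONS = [
    Session(T0, "jdoe@safemarch.com", "Default Firewall Filtering Rule", "HTTP", "ebay",
            "Online Shopping", "10.0.0.5", 51000, 2000, "Allowed"),
    Session(T0 + timedelta(minutes=3), "jdoe@safemarch.com", "Default Firewall Filtering Rule",
            "HTTP", "ebay", "Online Shopping", "10.0.0.5", 51010, 4000, "Allowed"),
    Session(T0 + timedelta(minutes=9), "jdoe@safemarch.com", "Default Firewall Filtering Rule",
            "HTTP", "ebay", "Online Shopping", "10.0.0.6", 51020, 6000, "Allowed"),
    Session(T0 + timedelta(minutes=10), "asmith@safemarch.com", "Block SSH", "SSH", "Unknown",
            "Other", "10.0.0.7", 51030, 0, "Blocked"),
    # 16 minutes after the first session: outside the window, so a new run starts.
    Session(T0 + timedelta(minutes=16), "jdoe@safemarch.com", "Default Firewall Filtering Rule",
            "HTTP", "ebay", "Online Shopping", "10.0.0.6", 51040, 1000, "Allowed"),
]

if __name__ == "__main__":
    for rec in aggregate(SAMPLE_SESSIONS):
        print(rec)
```

Running the sample yields three records: one aggregate with numsessions 3 whose csip is 10.0.0.6 (the first two sessions from 10.0.0.5 leave no trace beyond the count and avgduration), the blocked session on its own, and a single-session record for the fifth session because it falls outside the window.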

The following tables display information about the Firewall fields and possible values for those fields.

Fields that support obfuscation are documented in the following tables with the prefix o (e.g., %d{ocsip}). To obfuscate a field, manually add the prefix o before the field name in the Feed Output Format in the ZIA Admin Portal.

Date/Time

Field | Description | Example
--- | --- | ---
%s{time} | The time and date of the transaction. This excludes the time zone. | Mon Oct 16 22:55:48 2023
%s{tz} | The time zone. This is the same as the time zone you specified when you configured the NSS feed. | GMT
%02d{ss} | Seconds (0–59) | 48
%02d{mm} | Minutes (0–59) | 55
%02d{hh} | Hours (0–23) | 22
%02d{dd} | The day of the month (1–31) | 16
%02d{mth} | The month of the year | 10
%04d{yyyy} | Year | 2023
%s{mon} | The name of the month | Oct
%s{day} | The day of the week | Mon
%d{epochtime} | The epoch time of the transaction | 1578128400

Client Information

Field | Description | Example
--- | --- | ---
%s{csip} | The client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. | 192.0.2.10, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{ocsip} | The obfuscated version of the client source IP address | 9960223283
%d{csport} | The client source port. For aggregated sessions, this is the client source port of the last session in the aggregate. | 22
%s{cdip} | The client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. | 198.51.100.54, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{cdport} | The client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate. | 22
%s{cdfqdn} | The client destination FQDN (e.g., the HTTP host header) | www.example.com
%s{tsip} | The tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. | 192.0.2.15
%s{location} | The name of the location from which the session was initiated | Headquarters
%s{ttype} | The traffic forwarding method used to send the traffic to the Firewall | L2 tunnel
%s{aggregate} | Indicates whether the Firewall session is aggregated | Yes
%s{srcip_country} | The traffic's source country, which is determined by the client IP address location. There is no source country value in logs for aggregated sessions that are allowed. | United States

IPS

Field | Description | Example
--- | --- | ---
%s{threatcat} | The category of the threat in the Firewall session by the IPS engine | Botnet Callback, Denial of Service attack, Malicious Content
%s{threatname} | The name of the threat detected in the Firewall session by the IPS engine | Linux.Backdoor.Tsunami, Win32.Trojan.DNSpionage
%d{threat_score} | The score of the threat detected in the Firewall session by the IPS engine. The score is assigned to the threat by Zscaler ThreatLabz and reflected in the Zscaler Threat Library. The score ranges from 0–100, from the least to the greatest threat. | 10
%s{threat_severity} | The severity of the threat detected in the Firewall session by the IPS engine. The severity relates directly to the threat score. For example, if the value of %d{threat_score} is between 90 and 100, then the value of %s{threat_severity} is Critical. | Critical (90–100), High (75–89), Medium (46–74), Low (1–45), None (0)
%s{ipsrulelabel} | The name of the IPS policy that was applied to the Firewall session | Default IPS Rule
%s{oipsrulelabel} | The obfuscated version of the name of the IPS policy that was applied to the Firewall session | 6200694987
%d{ips_custom_signature} | Indicates if a custom IPS signature rule was applied. It is a numeric value (1 or 0). | 1 indicates a custom IPS rule; 0 indicates a non-custom IPS rule
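
A SIEM has to turn each emitted line back into named fields using the same Feed Output Format string the administrator configured (the token syntax from the tables above: %s{name}, %02d{ss}, %ld{inbytes}, and the o-prefixed obfuscated variants), and it can then validate derived fields such as %s{threat_severity} against %d{threat_score} using the bands listed in the IPS table. The parser below is an added example, not Zscaler's parser or a Zscaler API: it assumes the feed format is a single line of literal delimiter text around the field tokens, as in the sample record at the top of this page. The template and log line are constructed.

```python
import re
from typing import Dict, List, Tuple

# One field token of a Feed Output Format string, e.g. %s{time}, %02d{ss},
# %ld{inbytes}, %d{ocsip}. Width (02, 04) and conversion (s, d, ld) are captured.
TOKEN_RE = re.compile(r"%(?P<width>\d*)(?P<conv>ld|d|s)\{(?P<name>\w+)\}")

# Severity bands exactly as listed for %s{threat_severity} on this page.
SEVERITY_BANDS = [
    (90, 100, "Critical"),
    (75, 89, "High"),
    (46, 74, "Medium"),
    (1, 45, "Low"),
    (0, 0, "None"),
]


def compile_template(template: str) -> Tuple["re.Pattern[str]", List[Tuple[str, str]]]:
    """Turn a feed output format into an anchored regex plus the ordered list of
    (field name, conversion). Literal text between tokens becomes the delimiter."""
    parts = ["^"]
    fields: List[Tuple[str, str]] = []
    pos = 0
    for m in TOKEN_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        conv = m.group("conv")
        parts.append(r"(-?\d+)" if conv in ("d", "ld") else r"(.*?)")
        fields.append((m.group("name"), conv))
        pos = m.end()
    parts.append(re.escape(template[pos:]) + "$")
    return re.compile("".join(parts)), fields


def parse_record(template: str, line: str) -> Dict[str, object]:
    """Map one emitted log line onto the template's field names; numeric
    conversions (%d, %ld) become int, %s stays a string."""
    regex, fields = compile_template(template)
    m = regex.match(line)
    if m is None:
        raise ValueError("log line does not match the feed output format")
    return {name: int(raw) if conv in ("d", "ld") else raw
            for (name, conv), raw in zip(fields, m.groups())}


def severity_for_score(score: int) -> str:
    """Derive the expected %s{threat_severity} label from %d{threat_score}."""
    for low, high, label in SEVERITY_BANDS:
        if low <= score <= high:
            return label
    raise ValueError(f"threat_score {score} is outside the documented 0-100 range")


def severity_consistent(record: Dict[str, object]) -> bool:
    """True when the logged severity agrees with the logged score: a cheap sanity
    check a parser can run before alerting on the severity label alone."""
    return severity_for_score(int(record["threat_score"])) == record["threat_severity"]


# Constructed template and log line (not from a real feed). The template keeps the
# quoted, comma-separated layout of the sample record at the top of this page.
TEMPLATE = ('"%s{time}","%s{login}","%s{action}","%s{rulelabel}","%s{csip}","%d{csport}",'
            '"%s{sdip}","%d{sdport}","%s{threatname}","%d{threat_score}",'
            '"%s{threat_severity}","%ld{inbytes}","%ld{outbytes}"')
LINE = ('"Mon Oct 16 22:55:48 2023","jdoe@safemarch.com","Blocked",'
        '"Default Firewall Filtering Rule","192.0.2.10","51234","198.51.100.100","443",'
        '"Win32.Trojan.DNSpionage","92","Critical","10000","540"')

if __name__ == "__main__":
    rec = parse_record(TEMPLATE, LINE)
    print(rec)
    print("severity consistent:", severity_consistent(rec))
```

Because the regex is anchored at both ends and every %s group is non-greedy, the delimiters in the template decide where each value ends; a line that does not fit the configured format raises instead of silently shifting values into the wrong columns.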

Server Information

Field | Description | Example
--- | --- | ---
%d{sdport} | The server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. | 443
%s{sdip} | The server destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. | 198.51.100.100, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%s{ssip} | The server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. | 198.51.100.100, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{ssport} | The server source port. For aggregated sessions, this is the server source port of the last session in the aggregate. | 22
%s{ipcat} | The URL category that corresponds to the server IP address | Finance
%s{oipcat} | The obfuscated version of the URL category that corresponds to the server IP address | 5300295980

Session Information

Field | Description | Example
--- | --- | ---
%d{avgduration} | The average session duration, in milliseconds, if the sessions were aggregated | 600,000
%d{duration} | The session or request duration in seconds | 600
%d{durationms} | The session or request duration in milliseconds | 600,000
%d{numsessions} | The number of sessions that were aggregated | 5
%s{stateful} | Indicates if the Firewall session is stateful | Yes

Transaction Action

Field | Description | Example
--- | --- | ---
%s{rulelabel} | The name of the rule that was applied to the transaction | Default Firewall Filtering Rule
%s{orulelabel} | The obfuscated version of the name of the rule that was applied to the transaction | 0624054738
%s{action} | The action that the service took on the transaction: Allowed or Blocked | Blocked
%s{dnat} | Indicates if the destination NAT policy was applied | Yes
%s{dnatrulelabel} | The name of the destination NAT policy that was applied | DNAT_Rule_1, or any name under the Rule Name column on the Firewall Control page (Policy > Firewall Control > NAT Control Policy)
%s{odnatrulelabel} | The obfuscated version of the name of the destination NAT policy that was applied | 7956407282

Transaction Information

Field | Description | Example
--- | --- | ---
%d{recordid} | The record ID | 
%s{pcapid} | The path of the packet capture (PCAP) file that captured the transaction. The PCAP ID has the following format: <Company ID>/<Directory>/<PCAP File Name>. The company ID is the internal ID of an organization and can be found on the Company Profile page. The directory is the log type. To download the PCAP file, go to the Capture column on the Firewall Insights Logs page. | 43139974/fw/663ba8fd30b50001.pcap
%ld{inbytes} | The number of bytes sent from the server to the client | 10000
%ld{outbytes} | The number of bytes sent from the client to the server | 10000
%s{nwapp} | The network application that was accessed | Skype
%s{ipproto} | The type of IP protocol | TCP
%s{destcountry} | The abbreviated code of the country of the destination IP address | USA
%s{nwsvc} | The network service that was used | HTTP
%s{eedone} | Indicates if the characters specified in the Feed Escape Character field of the NSS feed configuration page were hex encoded | Yes

User Information

Field | Description | Example
--- | --- | ---
%s{login} | The user's login name in email address format | jdoe@safemarch.com
%s{dept} | The department of the user | Sales

Zscaler Client Connector Device Information

Field | Description | Example
--- | --- | ---
%s{devicehostname} | The hostname of the device | THINKPADSMITH
%s{odevicehostname} | The obfuscated version of the hostname of the device. This field must be changed manually. | 2168890624
%s{devicemodel} | The model of the device | 20L8S7WC08
%s{devicename} | The name of the device | admin
%s{odevicename} | The obfuscated version of the name of the device. This field must be changed manually. | 2175092224
%s{deviceostype} | The OS type of the device | iOS, Android OS, Windows OS, MAC OS, Other OS
%s{deviceosversion} | The OS version that the device uses | Version 10.14.2 (Build 18C54)
%s{deviceowner} | The owner of the device | jsmith
%s{odeviceowner} | The obfuscated version of the owner of the device. This field must be changed manually. | 10831489
%s{deviceappversion} | The app version that the device app uses | 2.0.0.120
%s{external_deviceid} | The external device ID that associates a user's device with the mobile device management (MDM) solution | 1234
%s{ztunnelversion} | The Z-Tunnel version | ZTUNNEL_1_0
%d{bypassed_session} | Indicates whether the traffic bypassed the Zscaler Client Connector. It is a numeric value (1 or 0). | 1 indicates that the traffic bypassed Zscaler Client Connector; 0 indicates that the traffic did not bypass Zscaler Client Connector
%s{bypass_etime} | The date and time when the traffic bypassed the Zscaler Client Connector | Mon Oct 16 22:55:48 2023
%s{flow_type} | The flow type of the transaction | Direct, Loopback, VPN, VPN Tunnel, ZIA, ZPA

Data Center

Field | Description | Example
--- | --- | ---
%s{datacenter} | The name of the data center | CA Client Node DC
%s{datacentercity} | The city where the data center is located | Sa
%s{datacentercountry} | The country where the data center is located | US

Miscellaneous

Field | Description | Example
--- | --- | ---
%s{rdr_rulename} | The name of the redirect/forwarding policy | FWD_Rule_1, or any name under the Rule Name column on the Forwarding Control page (Policy > Forwarding Control)
%s{ordr_rulename} | The obfuscated version of the name of the redirect/forwarding policy | 3399565100
%s{fwd_gw_name} | The name of the gateway defined in a forwarding rule | FWD_1
%s{ofwd_gw_name} | The obfuscated version of the gateway defined in a forwarding rule | 8794487099
%s{zpa_app_seg_name} | The name of the Zscaler Private Access (ZPA) application segment | ZPA_test_app_segment
%s{ozpa_app_seg_name} | The obfuscated version of the ZPA application segment | 7648246731

Hex-Encoded Fields

The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends logs to the NSS. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM can parse the URLs that contain control characters. For example, a \n character in a URL is encoded as %0A, and a space is encoded as %20.

The following fields have been added as hex-encoded fields:

  • ethreatname
  • elocation
  • edepartment
  • erulelabel
  • elogin
  • edevicehostname
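
The encoding rule above (bytes <= 0x20 or >= 0x7F become %HH, everything else passes through) is what a SIEM must undo for the e-prefixed fields before matching on rule names, locations or logins. The code below is an added example of both directions, not Zscaler's implementation: it assumes uppercase hex digits, as in the %0A and %20 examples, and that multi-byte UTF-8 characters are encoded byte by byte. It also shows a consequence of the rule as stated: a literal % (0x25) is printable and is therefore not escaped, so a value that already contains %HH cannot be distinguished from an escaped one after decoding. The sample record is constructed.

```python
import re

HEX_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")

# Fields this page lists as hex-encoded; each carries the plain field name
# with an "e" prefix.
HEX_ENCODED_FIELDS = {
    "ethreatname", "elocation", "edepartment", "erulelabel", "elogin", "edevicehostname",
}


def hex_encode_field(value: str) -> str:
    """Apply the rule stated on this page: every byte <= 0x20 or >= 0x7F is
    emitted as %HH (uppercase hex, an assumption taken from the page's examples);
    all other bytes, including a literal '%', pass through unchanged."""
    out = []
    for b in value.encode("utf-8"):
        out.append(f"%{b:02X}" if b <= 0x20 or b >= 0x7F else chr(b))
    return "".join(out)


def hex_decode_field(value: str) -> str:
    """Reverse the encoding for the e-prefixed fields. Escapes are collected as
    raw bytes first so that multi-byte UTF-8 sequences (e.g. %C3%BC) decode to
    one character instead of two."""
    raw = bytearray()
    i = 0
    while i < len(value):
        m = HEX_ESCAPE.match(value, i)
        if m:
            raw.append(int(m.group(1), 16))
            i = m.end()
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8", errors="replace")


def decode_record(record: dict) -> dict:
    """Decode every e-prefixed field in a parsed record and store the plain value
    under the un-prefixed name (elocation -> location); the encoded original is
    kept so the raw log line can still be reproduced."""
    out = dict(record)
    for name, value in record.items():
        if name in HEX_ENCODED_FIELDS:
            out[name[1:]] = hex_decode_field(value)
    return out


# Constructed sample (not a real feed record).
SAMPLE = {
    "elocation": "Head%20Office%0A",
    "erulelabel": "Block%20SSH%09v2",
    "action": "Blocked",
}

if __name__ == "__main__":
    print(decode_record(SAMPLE))
    print(hex_encode_field("Zürich"), "->", hex_decode_field(hex_encode_field("Zürich")))
```

When matching decoded values against detection content, compare on the decoded field but keep the encoded original alongside it, since the encoded form is the only one that round-trips exactly to the line the NSS sent.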