Viewing Firewall Logs

The Zscaler service provides real-time log consolidation across the globe, so you can view every transaction performed by your users regardless of where they are in the world. From the firewall logs, you can view details such as the rule that was applied, the client and server details, and the network services and applications.

Note: Interactive reports support UTF-8 characters, enabling the display of special characters.

To view firewall logs, do the following from a firewall dashboard or report.

  • To immediately view logs for a certain item or segment in a firewall dashboard or report:
    1. Click that item or segment in a firewall chart.
    2. Select View Logs.
  • To narrow down the scope of data and drill down to the logs:
    1. Click an item in a firewall chart.
    2. Select Analyze Chart.
      The chart appears in the Firewall Insights window where you can apply filters and other settings to get to specific transactions.
    3. Click Logs from the left pane of the Firewall Insights window.

The Firewall Insights window displays the settings on the left pane and logs on the right pane.

To learn how long Zscaler stores your logs, see How long does Zscaler store my logs?

  1. Go back to a dashboard or report.
  2. Go back to the Firewall Insights window.
  3. View firewall logs.
  4. Click Apply Filters after changing the time frame or filters to list the filtered transactions.
  5. Choose a predefined time frame or select Custom to use the calendar and time menus to define your own time frame. Note that you can set the time by hour, minutes, and seconds, if you need a more granular time frame.
    If you change the time frame, you must always click Apply Filters to list the filtered transactions.
  6. Apply filters to narrow down the list or to find transactions, such as those associated with a specific user or URL.
    If you change the filters, you must always click Apply Filters to list the filtered transactions.
  7. View the transactions listed in the firewall log. The right pane lists up to 100 transactions at a time. Scroll down and click LOAD MORE at the bottom of the window to view the next group of up to 100 transactions.
  8. Export the list of transactions to a CSV file. The service exports only the columns that are visible. It exports up to 100,000 lines of data at a time. You can continue to use the service while the export is in progress.
  9. Print the list of transactions.
  10. Customize the logs as follows:
  • Click the icon on the top right of the logs to list the available fields for display. Tick a box to add a column or clear it to remove a column. Alternatively, click Select all or Deselect all to display or remove all columns.
  • Drag a column to another location.
  • Resize a column by positioning the cursor on its border and dragging it to the desired width.

The settings are stored as a web cookie on your computer. They are retained as long as the cookie is not deleted. The table at the end of this article lists the fields that you can view in the logs.

  11. View the Weblog time, which appears at the bottom of every window. The Nanolog servers collect the logs of all users worldwide, and then consolidate and correlate them. The Weblog time displays the date and time of the logs that are being processed by the Nanolog servers.

Screenshot of the Zscaler Firewall Logs page and tasks

Column Description

Action

Firewall filtering action that was performed on the session or aggregated sessions.

Aggregated Session

Indicates if sessions were aggregated into this log entry.

Client Destination IP

Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate.

Client Destination Name

Client destination FQDN. For aggregated sessions, this is the client destination FQDN of the last session in the aggregate. (Available with advanced firewall subscription.)

Client Destination Port

Client side destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate.

Client Source IP

Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate.

Client Source Port

Client side source port. For aggregated sessions, this is the client source port of the last session in the aggregate.

Client Tunnel IP

Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate.

Client Tunnel Port

Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate.

Department

Department of the user.

DNAT Destination Name

DNAT FQDN. For aggregated sessions, this is the DNAT FQDN of the last session in the aggregate. (Available with advanced firewall subscription.)

Inbound Bytes

Number of bytes sent from the server to the client. For aggregated sessions, this is the total bytes sent from the server across all sessions in the aggregate.

Location

Name of the location from which the session was initiated.

NAT Action

NAT action that was performed on this session.

Network Application

Network application associated with the session or aggregated sessions.

Network Protocol

IP network protocol.

Network Service

Network service associated with the session or aggregated sessions.

Outbound Bytes

Number of bytes received by the server. For aggregated sessions, this is the total bytes received by the server across all sessions in the aggregate.

Recorded Session Time

Number of sessions aggregated into this log entry.

Rule Name

Name of the rule that triggered on the session or aggregated sessions.

Server Country Code

Country code corresponding to the server IP.

Server Destination IP

Server destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate.

Server Destination Port

Server side destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate.

Server IP Category

URL category that corresponds to the server IP.

Server Source IP

Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate.

Server Source Port

Server side source port. For aggregated sessions, this is the server source port of the last session in the aggregate.

Session Duration

Duration of the session in milliseconds. For aggregated sessions, this indicates the sum of individual session durations.

Traffic Forwarding

Type of traffic forwarding mechanism for this session. For aggregated sessions, this is the traffic forwarding type of the last session in the aggregate.

User

User name. If this is blank, then location-based authentication is set.
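The CSV export described in step 8 produces one row per log entry with the visible columns from the table above. The Python below is an added example, not Zscaler's code: it summarizes such an export while respecting two semantics the table states, that bytes and Session Duration on an aggregated entry are already totals across the aggregate while the address fields describe only the last session, and that a blank User means location-based authentication. The sample rows, the chosen column subset, and the Action value "Block" are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a Firewall Insights CSV export, using the column
# names from the field table on this page. All values are made up.
SAMPLE_EXPORT = """\
Action,Aggregated Session,Rule Name,Location,User,Client Source IP,Server Destination IP,Server Destination Port,Network Service,Inbound Bytes,Outbound Bytes,Session Duration
Allow,No,Allow Web,HQ,alice@example.com,10.1.1.5,203.0.113.10,443,HTTPS,120000,8000,1500
Block,Yes,Block Telnet,HQ,,10.1.1.7,198.51.100.9,23,Telnet,0,0,0
Allow,Yes,Allow DNS,Branch,alice@example.com,10.1.1.5,203.0.113.53,53,DNS,4200,1800,900
Block,No,Block Telnet,Branch,bob@example.com,10.1.1.9,198.51.100.9,23,Telnet,0,0,0
"""


def principal(row):
    """Who the entry is attributed to. A blank User means the location was
    authenticated rather than a user, so fall back to the Location column."""
    return row["User"] or f"location:{row['Location']}"


def summarize_by_rule(csv_text):
    """Per-rule totals. Bytes and Session Duration on an aggregated entry are
    already totals across the aggregate, so summing rows is correct. The
    entry count is a count of log entries, not of sessions."""
    totals = defaultdict(lambda: {"entries": 0, "aggregated": 0,
                                  "inbound": 0, "outbound": 0, "duration_ms": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        t = totals[row["Rule Name"]]
        t["entries"] += 1
        t["aggregated"] += int(row["Aggregated Session"] == "Yes")
        t["inbound"] += int(row["Inbound Bytes"])
        t["outbound"] += int(row["Outbound Bytes"])
        t["duration_ms"] += int(row["Session Duration"])
    return dict(totals)


def blocked_by_principal(csv_text):
    """Map each principal to the (server IP, port) pairs a rule blocked.
    For aggregated entries the address fields describe only the last session
    in the aggregate, so this is a sample of blocked destinations, not all."""
    out = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Action"].startswith("Block"):
            out[principal(row)].add(
                (row["Server Destination IP"], int(row["Server Destination Port"])))
    return dict(out)
```

Because an export is capped at 100,000 lines and only visible columns are included, make sure Aggregated Session and the byte and duration columns are displayed before exporting, or the totals above will be incomplete.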