SIEM logging fields for standard FW vs Cloud Firewall


(Larry Karantzios) #1

Need clarification on logs to SIEM from Standard FW vs Advanced FW SIEM logs. https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs … If a customer with Standard FW purchases Z-LOGFEED, will they see the same logs going to the SIEM as listed in the URL https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs as a customer who purchased Adv FW with NSS logging? I know there are different dashboards available for cloud apps and FTP with the Adv FW license, but I am curious to see if the SIEM fields are the same. Also, do logs still update hourly if Z-LOGFEED is purchased, or are logs streamed in near real time as opposed to every hour?


(Lidor Pergament) #2

The fields remain the same. With just basic firewall (not Advanced Firewall and not the Firewall Logging SKU), we aggregate firewall sessions. Sessions are aggregated by the following variables { user, rule, network service, network application, IP category }. This means that for consecutive sessions in a 15-minute window with the same values across these fields, we’ll record only a single log record in which the remaining 10+ fields will be taken from the last session in the window.


(Larry Karantzios) #3

Lidor,

Thanks for the update. If they do purchase adv firewall, then all logging is per session, not aggregated every 15 minutes… correct?

Larry


(Lidor Pergament) #4

Correct, except for HTTP/S, which is always aggregated (since the data is mostly available in the Web Logs).


(Larry Karantzios) #5

I am still not 100% clear on what the user will see on the SIEM for basic FW with Z-LOGFEED.

Is there a log matrix documentation showing what is seen by a SIEM?

It would be nice to have a matrix of how logging is captured based on the subscription SKUs purchased.

Here is what I think is captured. Please add/delete information as needed.

  1. Basic Firewall with no Z-LOGFEED

I think you see:
  • Unified policy (5 tuple by location)
  • Single console (dashboard)
  • One set of logs (blocked sessions)

  2. Basic Firewall with Z-LOGFEED
  • Sessions are aggregated by the following variables { user, rule, network service, network application, IP category }. This means that for consecutive sessions in a 15-minute window with the same values across these fields, we’ll record only a single log record in which the remaining 10+ fields will be taken from the last session in the window.

  3. Adv FW with logging

Larry


(Lidor Pergament) #6

A few more notes:

  1. The schema of a firewall Log record will always be the same, regardless of the license. The available fields here: https://help.zscaler.com/zia/nss-feed-output-format-firewall-logs. It’s just that for basic firewall, all the sessions will be aggregated, so you’ll have fewer log lines.
  2. Log Streaming is available regardless of the Firewall License if you are subscribed to Z-LOGFEED.
  3. There is an open BUG in which basic FW customers don’t see the Firewall Insights or Dashboard UI (@Naresh_Kumar_PM is working on fixing that)
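To make the aggregation behaviour described in posts #2 and #6 concrete for anyone tuning SIEM rules, here is an added Python example (not Zscaler code) that collapses constructed sample sessions the way the thread describes: one record per aggregation key per 15-minute window, with the remaining fields taken from the last session. The field names, the window being anchored at a bucket's first session, and the `sessions` counter are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Aggregation variables named in the thread. Field names here are
# descriptive choices for this example, not the NSS feed's own names.
AGG_KEY = ("user", "rule", "nwservice", "nwapp", "ipcat")
WINDOW = timedelta(minutes=15)

def aggregate_sessions(sessions, window=WINDOW):
    """Collapse sessions that share AGG_KEY inside a window into one record.

    Assumption: the window is anchored at the first session of a bucket.
    Non-key fields are overwritten by each later session, so the record
    ends up carrying the values of the last session, as the thread states.
    A 'sessions' counter is added so the line-count reduction is visible.
    """
    buckets, records = {}, []
    for s in sorted(sessions, key=lambda s: s["time"]):
        key = tuple(s[k] for k in AGG_KEY)
        rec = buckets.get(key)
        if rec is None or s["time"] - rec["window_start"] >= window:
            rec = {"window_start": s["time"], "sessions": 0}
            buckets[key] = rec
            records.append(rec)
        rec.update(s)          # remaining fields come from the latest session
        rec["sessions"] += 1
    return records

def _sess(minute, rule="Allow-DNS", svc="DNS", app="dns", dip="8.8.8.8", dport=53):
    # Constructed sample session, not real firewall output.
    return {"time": datetime(2024, 1, 1, 9, minute), "user": "alice@example.com",
            "rule": rule, "nwservice": svc, "nwapp": app, "ipcat": "Misc",
            "sip": "10.0.0.5", "dip": dip, "dport": dport}

SAMPLE = [
    _sess(0), _sess(2, dip="8.8.4.4"),
    _sess(5, rule="Block-SMB", svc="SMB", app="smb", dip="203.0.113.9", dport=445),
    _sess(9, dip="1.1.1.1"),
    _sess(20, dip="9.9.9.9"),   # same key, but outside the first 15-minute window
]

if __name__ == "__main__":
    for r in aggregate_sessions(SAMPLE):
        print(f"{r['time']:%H:%M} {r['rule']:<10} {r['dip']:<12} sessions={r['sessions']}")
    # Basic FW: 3 log lines for 5 sessions; per-session logging would emit all 5.
```

The practical consequence for detection content: a rule that counts destination IPs or ports per user will undercount on basic FW, because the three DNS sessions above surface as a single line carrying only the last destination.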