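# Copyright (c) 2010 Flowerfire, Inc. All Rights Reserved.

# Sawmill log-format plugin for Check Point Firewall-1 NG "text export" logs.
# Only `resource` and `source_for_geoip` are declared as log fields below; the
# remaining fields referenced by the filters and report groups (source, information,
# elapsed, file_type, ...) presumably come from the quoted header row that the
# autodetect expression matches -- confirm against a sample export.
firewall1_ng = {

  plugin_version = "2.3"

  info.1.manufacturer = "Checkpoint"
  info.1.device = "Firewall-1 NG (text export)"
  info.1.version.1 = "NG (text export)"

  # 2007-01-18 - GMF - 2.0 - Added support for many more fields, and for "Number" "Status" headers.
  # 2008-10-22 - GMF - 2.1 - Added tracking of geographic fields
  # 2009-03-18 - gas - 2.2 - added support for duration field of "19:05:25", conversion to seconds
  # 2010-10-04 - 2.3 - MSG - Edited info lines.

  # The name of the log format
  log.format.format_label = "Firewall-1 NG (text export) Log Format"
  log.miscellaneous.log_data_type = "firewall1_ng"
  log.miscellaneous.log_format_type = "firewall"

  # The log is in this format if any of the first ten lines match this regular expression
  # (the header row, with or without the optional "Status" column).
  log.format.autodetect_expression = `
matches_regular_expression(volatile.log_data_line, '^"Number" "Date" "Time"') or
matches_regular_expression(volatile.log_data_line, '^"Number" "Status" "Date" "Time"')
`

  # The format of dates and times in this log
  log.format.date_format = "ddmmmyyyy"
  log.format.time_format = "h:m:s"

  # Don't track these fields as discrete database fields.
  # Defined once here (the key was previously set twice, as "Number" and then
  # "number"); the lowercase form matches how every other field name in this
  # file is spelled.
  auto_setup.omit_database_fields = "number"

  # Entries are called accesses
  statistics.miscellaneous.entry_name = "accesses"

  # Log fields
  log.fields = {
    resource = {
      label = "$lang_stats.field_labels.resource"
      type = "page"
      index = 0
      subindex = 0
      hierarchy_dividers = "/?"
      left_to_right = true
      leading_divider = true
    } # resource
    # Filled by parsing filter 0 from `source`; declared as type "host" so the
    # host-oriented handling applies to the copy rather than to `source` itself.
    source_for_geoip.type = "host"
  } # log.fields

  # Database fields
  database.fields = {
    resource = {
      label = "$lang_stats.field_labels.resource"
      log_field = "resource"
      type = "string"
      suppress_top = 0
      suppress_bottom = 9
    } # resource
    # Geographic fields (added in 2.1); empty values take the plugin defaults.
    # Presumably resolved from source_for_geoip -- confirm.
    location = ""
    organization = ""
    isp = ""
    domain = ""
  } # database.fields

  # Copy source to source_for_geoip, so it keeps type="host"
  log.parsing_filters.0 = "source_for_geoip = source;"

  # Support hh:mm:ss format for duration (and also support format in seconds, by default)
  log.parsing_filters.1 = {
    value = `
if (matches_regular_expression(elapsed, '^([0-9]+):([0-9]+):([0-9]+)$')) then
  elapsed = $1*60*60 + $2*60 + $3;
`
    requires_fields = {
      elapsed = true
    }
  }

  # Log Filters
  log.filters = {
    1 = {
      label = "1"
      comment = ""
      # NOTE(review): the capture group in '^resource: (.*);' is never used -- the
      # whole "resource: ...;" string is copied into `resource`, not just the value.
      # If only the value was intended this should be `resource = $1;`; confirm
      # against sample data before changing, as existing reports depend on it.
      value = "if (starts_with(information, 'resource:')) then (if (matches_regular_expression(information, '^resource: (.*);')) then resource = information; information = '';)"
      requires_fields = {
        information = true
      }
    } # 1
    # Truncates the URL at the first '?', so query parameters are never stored.
    remove_query = {
      label = "$lang_admin.log_filters.remove_query_label"
      comment = "$lang_admin.log_filters.remove_query_comment"
      value = "if (contains(resource, '?')) then resource = substr(resource, 0, index(resource, '?') + 1) . '(parameters)';"
      requires_fields = {
        resource = true
      }
    } # remove_query
    detect_page_views = {
      label = '$lang_admin.log_filters.detect_page_views_label'
      comment = '$lang_admin.log_filters.detect_page_views_comment'
      value = "if ((file_type eq 'JPEG') or (file_type eq 'JPG') or (file_type eq 'GIF') or (file_type eq 'ICO') or (file_type eq 'PNG') or (file_type eq 'CSS') or (file_type eq 'SWF') or (file_type eq 'JS')) then page_views = 0; else page_views = 1;"
      requires_fields = {
        file_type = true
      }
    } # detect_page_views
    # Keeps only scheme://host/ of the URL. Terminating ';' and requires_fields
    # added to match the sibling filters.
    simplify_url = {
      label = "$lang_admin.log_filters.simplify_url_label"
      comment = "$lang_admin.log_filters.simplify_url_comment"
      value = "if (matches_regular_expression(resource, '^([^:]+://[^/]+/)')) then resource = $1 . '(omitted)';"
      requires_fields = {
        resource = true
      }
    } # simplify_url
    strip_non_page_views = {
      label = '$lang_admin.log_filters.strip_non_page_views_label'
      comment = '$lang_admin.log_filters.strip_non_page_views_comment'
      value = "if (page_views == 0) then resource = substr(resource, 0, last_index(resource, '/') + 1) . '(nonpage)';"
      requires_fields = {
        resource = true
      }
    } # strip_non_page_views
    mark_entry = {
      label = '$lang_admin.log_filters.mark_entry_label'
      comment = '$lang_admin.log_filters.mark_entry_comment'
      value = 'accesses = 1;'
    } # mark_entry
  } # log.filters

  log.field_options = {
    sessions_page_field = "resource"
    sessions_visitor_id_field = "source"
    sessions_event_field = "page_views"
  } # log.field_options

  database.numerical_fields = {
    accesses = {
      label = "$lang_stats.field_labels.accesses"
      default = false
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
      entries_field = true
    } # accesses
    page_views = {
      label = "$lang_stats.field_labels.page_views"
      default = true
      requires_log_field = false
      type = "int"
      display_format_type = "integer"
    } # page_views
    unique_sources = {
      label = "$lang_stats.field_labels.unique_sources"
      default = false
      requires_log_field = true
      log_field = "source"
      type = "unique"
      display_format_type = "integer"
    } # unique_sources
    bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # bytes
    packets = ""
    # Seconds after parsing filter 1 normalises hh:mm:ss values
    elapsed = {
      type = "float"
      display_format_type = "duration_compact"
    } # elapsed
    client_inbound_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # client_inbound_bytes
    client_outbound_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # client_outbound_bytes
    # Byte counter, so it is displayed as bandwidth like the other *_bytes
    # fields (was "integer", the odd one out).
    server_inbound_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # server_inbound_bytes
    server_outbound_bytes = {
      type = "float"
      display_format_type = "bandwidth"
    } # server_outbound_bytes
    client_inbound_packets = ""
    client_outbound_packets = ""
    server_inbound_packets = ""
    server_outbound_packets = ""
    client_inbound_diffserv = ""
    client_outbound_diffserv = ""
    server_inbound_diffserv = ""
    server_outbound_diffserv = ""
    # Rate fields are averaged per access rather than summed
    wire_byte_sec_out = {
      type = "float"
      display_format_type = "bandwidth"
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # wire_byte_sec_out
    wire_byte_sec_in = {
      type = "float"
      display_format_type = "bandwidth"
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # wire_byte_sec_in
    wire_packet_sec_out = {
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # wire_packet_sec_out
    wire_packet_sec_in = {
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # wire_packet_sec_in
    application_byte_sec_out = {
      type = "float"
      display_format_type = "bandwidth"
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # application_byte_sec_out
    application_byte_sec_in = {
      type = "float"
      display_format_type = "bandwidth"
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # application_byte_sec_in
    application_packet_sec_out = {
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # application_packet_sec_out
    application_packet_sec_in = {
      aggregation_type = "average"
      average_denominator_field = "accesses"
    } # application_packet_sec_in
  } # database.numerical_fields

  create_profile_wizard_options = {

    # How the reports should be grouped in the report menu
    report_groups = {

      date_time_group = ""

      source_group = {
        source_port = true
        user = true
        source = true
        origin = true
        location = true
        organization = true
        isp = true
        domain = true
      } # source_group

      content_group = {
        url = true
      }

      # Everything else. Boolean values are spelled lowercase throughout.
      # This group includes subscriber identifiers (ms_isdn, end_user_ip_address,
      # international_mobile_equipment_identifier), which become report dimensions.
      other_group = {
        destination = true
        resource = true
        product = true
        interface = true
        type = true
        action = true
        service = true
        protocol = true
        rule = true
        information = true
        status = true
        # date = true
        # time = true
        # product = true
        # interface = true
        # origin = true
        # type = true
        # action = true
        # service = true
        # source = true
        # destination = true
        # protocol = true
        # rule = true
        nat_rule_number = true
        nat_additional_rule_number = true
        ipv6_source = true
        ipv6_destination = true
        # source_port = true
        # user = true
        source_key_id = true
        destination_key_id = true
        attack_name = true
        source_ip_phone = true
        destination_ip_phone = true
        media_type = true
        registered_ip_phones = true
        # elapsed = true
        # bytes = true
        xlatesrc = true
        xlatedst = true
        xlatesport = true
        xlatedport = true
        client_inbound_interface = true
        client_outbound_interface = true
        server_inbound_interface = true
        client_in_rule_match = true
        client_out_rule_match = true
        server_in_rule_match = true
        server_out_rule_match = true
        sub_service = true
        encryption_scheme = true
        vpn_peer_gateway = true
        ike_initiator_cookie = true
        ike_responder_cookie = true
        ike_phase2_message_id = true
        encryption_methods = true
        partner = true
        community = true
        source_gateway = true
        destination_gateway = true
        estimation = true
        bw_loss = true
        rtt__ms = true
        cir__bps = true
        bw_loss_threshold = true
        rtt_threshold__ms = true
        cir_threshold__bps = true
        sla_violation = true
        virtual_link = true
        sample_id = true
        # packets = true
        start_time = true
        session_id = true
        ua_session_id = true
        display_name = true
        id_source = true
        # url = true
        operation = true
        encryption_type = true
        end_to_end_encryption = true
        sso_type = true
        application_name = true
        auth_domain = true
        users_ip = true
        redirect_url = true
        headers_inserted_removed = true
        ua_auth_result = true
        request_result = true
        redirection_destination = true
        comment = true
        gtp_version = true
        gtp_message_type = true
        tunnel_id = true
        teid_sig_up = true
        teid_sig_down = true
        mobile_country_code = true
        mobile_network_code = true
        ms_identification_number = true
        ms_isdn = true
        apn = true
        end_user_ip_address = true
        sgsn_for_signal = true
        sgsn_for_traffic = true
        ggsn_for_signal = true
        ggsn_for_traffic = true
        selection_mode = true
        nsapi = true
        linked_nsapi = true
        # information = true
        reject_id = true
        attack_information = true
        rule_uid = true
        rule_name = true
        current_rule_number = true
        subproduct = true
        vpn_feature = true
        category = true
        access = true
        user_group = true
        application = true
        outgoing_url = true
        authentication_method = true
        malware_name = true
        malware_type = true
        fs_protocol = true
        authentication_status = true
        description = true
        anti_virus = true
        end_user_firewall = true
        isb = true
        ics_scan = true
        endpoint_id = true
        user_name = true
        domain = true
        policy = true
        version = true
        event_type = true
        user_directory = true
        # user_group = true
        file_direction = true
        scanned_file_name = true
        scan_result = true
        virus_name = true
        file_origin = true
        update_status = true
        signature_version = true
        update_source = true
        subscription_expiration = true
        file_type = true
        end_user_ipv6_address = true
        radio_access_type = true
        mobile_user_location = true
        mobile_subscriber_time_zone = true
        international_mobile_equipment_identifier = true
      } # other_group

    } # report_groups

  } # create_profile_wizard_options

  not_supported = {
    bandwidth = true
  } # not_supported

} # firewall1_ng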