NSS feeds for firewall logs

This feed type applies only to an NSS firewall server (NSS for Firewall).

A large number of filters, or complex filters such as string searches, can degrade NSS performance.

To configure a feed for firewall logs:

  1. Go to Administration → Nanolog Streaming Service.
  2. On the NSS Feeds tab, click Add NSS Feed. The Add NSS Feed window appears.
  3. On the Add NSS Feed window, enter the following information:

    • Feed Name: Enter or edit the name of the feed. Each feed is a connection between NSS and your Devo Relay.
    • NSS Type: Select the type of feed you are configuring. Select NSS for Firewall.
    • NSS Server: Choose an NSS from the list.
    • Status: The NSS feed is Enabled by default. Click Disabled if you want to activate it later.
    • SIEM Destination Type: The type of destination. Choose between:

      • SIEM IP Address: Enter the IP address of the Devo Relay to which the logs are streamed.

      • FQDN (optional): Enter the destination FQDN for the TCP connection to which the logs are streamed. This allows failover from one IP address to another without manual intervention: you update the DNS entry instead. NSS re-resolves the FQDN only when the existing connection goes down, so this feature cannot be used for DNS-based load balancing.

    • SIEM TCP Port: Enter the port number of the Devo Relay to which the logs are streamed. If you are using the proposed TCP configuration, type 13006.
    • Log Type: Choose Firewall Logs.
    • Firewall Log Type: Choose Full Session Logs. This option logs every session matched by the rule individually, except HTTP(S).
    • SIEM Rate Limit (Events per Second): Leave as unrestricted unless you need to throttle the output stream because of licensing or other constraints. A limit that is too low for the traffic volume causes log loss.
    • Feed Output Type: Choose Custom.
    • Feed Escape Character: Optionally, type a character that you would like to hex encode when it appears in a URL, hostname, or Referer URL. For example, type a comma (,) to encode it as %2C. This is useful if you are using this character as your delimiter and want to ensure it does not cause erroneous delimitation. If custom encoding was applied to a record, the %s{eedone} field is YES for that record.
    • Feed Output Format: Copy and paste the following output format:

      \{"time":"%s{time}","tz":"%s{tz}","ss":%02d{ss},"mm":%02d{mm},"hh":%02d{hh},"dd":%02d{dd},"mth":%02d{mth},"yyyy":%04d{yyyy},"csip":"%s{csip}","csport":%d{csport},"cdip":"%s{cdip}","cdport":%d{cdport},"tsip":"%s{tsip}","tsport":%d{tsport},"location":"%s{location}","ttype":"%s{ttype}","threatcat":"%s{threatcat}","threatname":"%s{threatname}","ipsrulelabel":"%s{ipsrulelabel}","sdport":%d{sdport},"sdip":"%s{sdip}","ssip":"%s{ssip}","ssport":%d{ssport},"ipcat":"%s{ipcat}","avgduration":%d{avgduration},"duration":%d{duration},"durationms":%d{durationms},"numsessions":%d{numsessions},"rulelabel":"%s{rulelabel}","action":"%s{action}","dnat":"%s{dnat}","recordid":%d{recordid},"inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","nwapp":"%s{nwapp}","ipproto":"%s{ipproto}","destcountry":"%s{destcountry}","nwsvc":"%s{nwsvc}","login":"%s{login}","dept":"%s{dept}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}","devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}","deviceowner":"%s{deviceowner}","deviceappversion":"%s{deviceappversion}","ztunnelversion":"%s{ztunnelversion}"\}\n

    • User Obfuscation: You can enable user obfuscation. When enabled, a random string is displayed instead of the user name, and the login field in the Feed Output Format automatically changes to the ologin field, which outputs the obfuscated login name. Choose Disable to display the user names.
    • Timezone: By default, this is set to the organization's time zone. The time zone you set applies to the time field in the output. It automatically adjusts for daylight saving changes in that time zone. The configured time zone can be output to the logs as a separate field. The list of time zones is derived from the IANA Time Zone Database; direct GMT offsets can also be specified.
    • Duplicate Logs: To ensure that no logs are skipped during any downtime, specify the number of minutes for which NSS will send duplicate logs.
  4. Click Save and activate the change.
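The script below is an added example; it is not part of this page, of Zscaler NSS, or of the Devo Relay. It parses the Feed Output Format above into a field schema, renders a constructed record the way NSS would (assuming the conversions behave like C printf, so %02d zero-pads, which the template implies but the page does not state), and validates a received line against that schema. Two properties of the template it surfaces are worth knowing on the receiving side: inbytes and outbytes are quoted in the template, so they arrive as JSON strings rather than numbers, and the zero-padded time fields (09 rather than 9) are not valid strict JSON, so any parser other than the Devo relay needs the lenient handling shown. The SAMPLE values are constructed.

```python
import json
import re

# Feed Output Format from this page, copied verbatim. In an NSS custom format,
# \{ and \} emit literal braces, %<conv>{name} emits a field and \n ends the record.
FEED_FORMAT = (
    r'\{"time":"%s{time}","tz":"%s{tz}","ss":%02d{ss},"mm":%02d{mm},"hh":%02d{hh},"dd":%02d{dd},"mth":%02d{mth},'
    r'"yyyy":%04d{yyyy},"csip":"%s{csip}","csport":%d{csport},"cdip":"%s{cdip}","cdport":%d{cdport},'
    r'"tsip":"%s{tsip}","tsport":%d{tsport},"location":"%s{location}","ttype":"%s{ttype}",'
    r'"threatcat":"%s{threatcat}","threatname":"%s{threatname}","ipsrulelabel":"%s{ipsrulelabel}",'
    r'"sdport":%d{sdport},"sdip":"%s{sdip}","ssip":"%s{ssip}","ssport":%d{ssport},"ipcat":"%s{ipcat}",'
    r'"avgduration":%d{avgduration},"duration":%d{duration},"durationms":%d{durationms},'
    r'"numsessions":%d{numsessions},"rulelabel":"%s{rulelabel}","action":"%s{action}","dnat":"%s{dnat}",'
    r'"recordid":%d{recordid},"inbytes":"%ld{inbytes}","outbytes":"%ld{outbytes}","nwapp":"%s{nwapp}",'
    r'"ipproto":"%s{ipproto}","destcountry":"%s{destcountry}","nwsvc":"%s{nwsvc}","login":"%s{login}",'
    r'"dept":"%s{dept}","devicehostname":"%s{devicehostname}","devicemodel":"%s{devicemodel}",'
    r'"devicename":"%s{devicename}","deviceostype":"%s{deviceostype}","deviceosversion":"%s{deviceosversion}",'
    r'"deviceowner":"%s{deviceowner}","deviceappversion":"%s{deviceappversion}","ztunnelversion":"%s{ztunnelversion}"\}\n'
)
TOKEN = re.compile(r'%(?P<conv>\d*l?d|s)\{(?P<name>\w+)\}')  # %s, %d, %02d, %04d, %ld + {name}

def parse_feed_format(fmt):
    """Return [(name, conv, quoted)] in template order; quoted => value arrives as a JSON string."""
    fields = []
    for m in TOKEN.finditer(fmt):
        before = fmt[m.start() - 1] if m.start() > 0 else ''
        after = fmt[m.end()] if m.end() < len(fmt) else ''
        fields.append((m.group('name'), m.group('conv'), before == '"' and after == '"'))
    return fields

def render_record(fmt, values):
    """Render one record as NSS would (C printf semantics assumed); values go in verbatim, unescaped."""
    def fill(m):
        name, conv = m.group('name'), m.group('conv')
        v = values.get(name, '' if conv == 's' else 0)
        return str(v) if conv == 's' else format(int(v), conv.replace('l', ''))
    line = TOKEN.sub(fill, fmt)
    return line.replace(r'\{', '{').replace(r'\}', '}').replace(r'\n', '\n')

def strict_json_ok(line):
    """True if the line is valid RFC 8259 JSON, which forbids leading zeros in numbers."""
    try:
        json.loads(line)
        return True
    except json.JSONDecodeError:
        return False

def strip_leading_zeros(text):
    """Drop leading zeros from unquoted numbers (the %02d fields); digits inside strings are untouched."""
    out, in_str, i, prev = [], False, 0, ''
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == '\\' and i + 1 < len(text):  # keep an escaped character verbatim
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif c == '0' and not prev.isdigit() and i + 1 < len(text) and text[i + 1].isdigit():
            i += 1  # drop this zero; prev stays unchanged so "007" loses both zeros
            continue
        else:
            out.append(c)
        prev = c
        i += 1
    return ''.join(out)

def load_record(line):
    """Parse one received line, tolerating the zero-padded numeric fields."""
    return json.loads(strip_leading_zeros(line))

def validate_record(line, schema):
    """Return a list of problems with a received line (empty when it conforms to the schema)."""
    try:
        rec = load_record(line)
    except json.JSONDecodeError as e:
        return [f'not valid JSON: {e.msg}']
    problems = []
    for name, conv, quoted in schema:
        if name not in rec:
            problems.append(f'missing field {name}')
            continue
        want = str if (quoted or conv == 's') else int
        if not isinstance(rec[name], want):
            problems.append(f'{name}: expected {want.__name__}, got {type(rec[name]).__name__}')
    return problems

# Constructed sample values for one blocked session (not real traffic); unlisted fields default to "" or 0.
SAMPLE = {
    'time': 'Mon Mar  4 09:05:03 2024', 'tz': 'UTC', 'hh': 9, 'mm': 5, 'ss': 3, 'dd': 4,
    'mth': 3, 'yyyy': 2024, 'csip': '10.1.2.3', 'csport': 51234, 'cdip': '203.0.113.7',
    'cdport': 4444, 'action': 'Block/Drop', 'rulelabel': 'Deny-Unknown-Outbound', 'ipproto': 'TCP',
    'inbytes': 0, 'outbytes': 128, 'login': 'jdoe@example.com', 'recordid': 123456789,
}

if __name__ == '__main__':
    schema = parse_feed_format(FEED_FORMAT)
    line = render_record(FEED_FORMAT, SAMPLE)
    print(line, end='')
    print('strict JSON:', strict_json_ok(line), '| problems:', validate_record(line, schema))
```

The renderer inserts values verbatim because the template itself contains nothing that would escape them; a value containing a double quote therefore produces a line that does not parse, which is exactly the kind of record validate_record reports. The same check can be pointed at lines as they arrive at the relay to catch a feed whose format was edited by hand.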

Available filters

Action

  • DNAT Policy Action: Use this filter to limit the logs to traffic on which the service performed destination NAT and redirected traffic to specific IP addresses and optionally, ports.

  • DNAT Destination Name: Use this filter to limit the logs to traffic that was redirected to specific FQDNs after the service performed destination NAT. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • Firewall & IPS Policy Actions: Use this filter to limit the logs based on the action the service took, in accordance with the firewall filtering and IPS policies. You can choose multiple actions:

    • Allow: Packets that were allowed through the firewall or IPS due to policy.

    • Block/Drop: Packets that were silently dropped due to firewall policy.

    • Block/ICMP: Packets that were dropped because they matched a firewall rule; the client was sent an ICMP error message of Type 3 (Destination Unreachable) with code 9 or 10 (network or host administratively prohibited).

    • Block/Reset: For TCP traffic, the Zscaler service drops all packets that match the firewall rule and sends the client a TCP reset (a TCP packet with the RST flag set in the TCP header, indicating that the connection must be torn down immediately). For non-TCP traffic, this is the same as Block/Drop.

    • IPS Drop: Packets that were silently dropped due to IPS policy.

    • IPS Reset: Packets that were reset due to IPS policy.

  • Firewall Filtering Rule Name: Use this filter to limit the logs based on specific rules in your firewall policies. Choose the rules from the list.

  • IPS Rule Name: Use this filter to limit the logs based on specific rules in your IPS policies. Choose the rules from the list.

  • Who

    • Users: Use this filter to limit the logs to specific users who generated transactions. To use the Search function, enter either the user name or email address in the Search box and click Search. There is no limit on the number of users that you can select. Users that are deleted after they are selected appear with a strikethrough line.

    • Departments: Use this filter to limit the logs to specific departments that generated transactions. To use the Search function, enter the department name in the Search box and click Search. There is no limit on the number of departments that you can select. Departments that are deleted after they are selected appear with a strikethrough line.

  • Source

    • Locations: Use this filter to limit the logs to specific locations and sub-locations. To use the Search function, enter the location name in the Search box and click Search. There is no limit on the number of locations that you can select. Locations that are deleted after they are selected appear with a strikethrough line.

    • Client Source IP Addresses: Use this filter to limit the logs based on a client’s private IP address. You can enter:

      • An IP address (for example, 198.51.100.100)

      • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

      • An IP address with a netmask (for example, 203.0.113.0/24)

    You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Client Source Ports: Use this filter to limit the logs to specific client source ports. For aggregated sessions, this is the client source port of the last session in the aggregate. You can specify individual ports and a range of ports. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Client Destination IP Addresses: Use this filter to limit the logs to specific client destination IP addresses. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. You can enter:

      • An IP address (for example, 198.51.100.100)

      • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

      • An IP address with a netmask (for example, 203.0.113.0/24)

    You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Client Destination Ports: Use this filter to limit the logs to specific client destination ports. For aggregated sessions, this is the client destination port of the last session in the aggregate. You can specify individual ports and a range of ports. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Client Public IP Addresses: Use this filter to limit the logs based on a client’s public IP address. The internal IP address is available if traffic is forwarded to the service through a GRE tunnel or is taken from the XFF header. If the internal IP address is not available, the value is the same as the client IP address. You can enter:

      • An IP address (for example, 198.51.100.100)

      • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

      • An IP address with a netmask (for example, 203.0.113.0/24)

    You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Traffic Forwarding: Use this filter to limit the logs based on the traffic forwarding mechanism used to send traffic to the Zscaler firewall. Choose one or more of the listed methods or choose Any.

  • Server

    • Server Source IP Addresses: Use this filter to limit the logs to specific server source IP addresses. You can enter:

      • An IP address (for example, 198.51.100.100)

      • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

      • An IP address with a netmask (for example, 203.0.113.0/24)

    You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Server Source Ports: Use this filter to limit the logs to specific server source ports. For aggregated sessions, this is the server source port of the last session in the aggregate. You can specify individual ports and a range of ports. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Server Destination IP Addresses: Use this filter to limit the logs to specific server destination IP addresses. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. You can enter:

      • An IP address (for example, 198.51.100.100)

      • A range of IP addresses (for example, 192.0.2.1-192.0.2.10)

      • An IP address with a netmask (for example, 203.0.113.0/24)

    You can enter multiple entries. Hit Enter after each entry, then click Add Items. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Server Destination Port: Use this filter to limit the logs to specific server destination ports. For aggregated sessions, this is the server destination port of the last session in the aggregate. You can specify individual ports and a range of ports. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Tunnel IP Addresses: Use this filter to limit the logs to specific server tunnel IP addresses. For aggregated sessions, this is the server's tunnel IP address for the last session in the aggregate. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Server IP Classes: URL class that corresponds to the server IP address.

    • Server IP Super Categories: URL super category that corresponds to the server IP address.

    • Server IP Categories: URL category that corresponds to the server IP address.

    • Countries: Country code that corresponds to the server IP address.

  • Session

    • Inbound Bytes: Use this filter to limit the logs based on the number of bytes sent from the server to the client. For aggregated sessions, this is the total bytes sent from the server across all sessions in the aggregate. You can specify numbers or ranges. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Outbound Bytes: Use this filter to limit the logs based on the number of bytes received by the server. For aggregated sessions, this is the total bytes received by the server across all sessions in the aggregate. You can specify numbers or ranges. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Durations: Use this filter to limit the logs based on the duration of the sessions, in seconds. For aggregated sessions, this indicates the average session duration. You can specify numbers or ranges. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Number of Sessions: For aggregated logs, you can filter by the number of sessions. You can specify numbers or ranges. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

  • Protocol Classification

    • Network Applications: Use this filter to limit the logs to specific network applications associated with the session or aggregated sessions.

    • Network Services: Use this filter to limit the logs to specific network services associated with the session or aggregated sessions.

  • Security

    • Threat Name: Use this filter to limit the logs to specific threat names. Specify the threats using these wildcard rules:

      • *string: suffix match; matches threat names ending with ‘string’

      • string*: prefix match; matches threat names beginning with ‘string’

      • *string*: substring match; matches threat names containing ‘string’

      • string: exact match; matches threat names that are exactly ‘string’

    Multiple strings are allowed. Enter one string per line. String search is not case-sensitive. For item lists, you can view up to 500 items on a page; filter the list by searching for a word, phrase, or number contained in an item; and remove all items from the list (Remove All) or only items from a specific page (Remove Page). If you select Remove All or Remove Page, a confirmation window will appear.

    • Threat Category: Use this filter to limit the logs to specific threat categories. Choose the categories from the list.
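Because a large or complex filter set loads the NSS itself (see the note at the top of this page), it is worth trying a candidate filter set against records you have already received before applying it to the feed, or keeping the feed broad and filtering on the relay side. The script below is an added example, not part of this page or of the Zscaler product: it reimplements the filter semantics described above over records in the feed's shape, namely address entries in the three accepted forms (single address, first-last range, address/prefix), port entries (single or range), the Firewall & IPS Policy Actions, and the Threat Name wildcard rules, and applies a filter only where it is non-empty. The RECORDS and their threat names are constructed.

```python
import ipaddress

def parse_ip_entry(entry):
    """Parse one address-list entry: a single address, a range 'first-last', or a network 'address/prefix'."""
    entry = entry.strip()
    if '-' in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split('-', 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f'bad address range: {entry}')
        return ('range', lo, hi)
    if '/' in entry:
        return ('net', ipaddress.ip_network(entry, strict=False))
    return ('ip', ipaddress.ip_address(entry))

def parse_port_entry(entry):
    """Parse a single port or a 'lo-hi' port range into an inclusive (lo, hi) tuple."""
    lo, _, hi = entry.strip().partition('-')
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f'bad port entry: {entry}')
    return lo, hi

def ip_in(ip, entries):
    """True if the address matches any parsed entry; IPv4 and IPv6 never cross-match."""
    addr = ipaddress.ip_address(ip)
    for kind, *args in entries:
        if kind == 'ip' and addr == args[0]:
            return True
        if kind == 'net' and addr in args[0]:
            return True
        if kind == 'range' and addr.version == args[0].version and args[0] <= addr <= args[1]:
            return True
    return False

def port_in(port, entries):
    return any(lo <= int(port) <= hi for lo, hi in entries)

def threat_name_in(name, patterns):
    """Threat Name wildcard rules: *s suffix, s* prefix, *s* substring, s exact; case-insensitive."""
    n = name.lower()
    for p in patterns:
        p = p.strip().lower()
        suffix, prefix = p.startswith('*'), p.endswith('*') and len(p) > 1
        core = p.strip('*')
        if suffix and prefix:
            hit = core in n
        elif suffix:
            hit = n.endswith(core)
        elif prefix:
            hit = n.startswith(core)
        else:
            hit = n == core
        if hit:
            return True
    return False

def apply_filters(records, client_src_ips=(), client_dst_ports=(), actions=(), threat_names=()):
    """Return the records a feed configured with these filters would stream; an empty filter imposes nothing."""
    ips = [parse_ip_entry(e) for e in client_src_ips]
    ports = [parse_port_entry(e) for e in client_dst_ports]
    acts = {a.lower() for a in actions}
    kept = []
    for r in records:
        if ips and not ip_in(r['csip'], ips):
            continue
        if ports and not port_in(r['cdport'], ports):
            continue
        if acts and r['action'].lower() not in acts:
            continue
        if threat_names and not threat_name_in(r['threatname'], threat_names):
            continue
        kept.append(r)
    return kept

def matching_ids(records, **filters):
    """recordid values of the records that pass the given filters."""
    return [r['recordid'] for r in apply_filters(records, **filters)]

# Constructed records in the shape the feed emits, reduced to the fields these filters read;
# the addresses are documentation ranges and the threat names are made up.
RECORDS = [
    {'recordid': 1, 'csip': '10.1.2.3', 'cdport': 443, 'action': 'Allow', 'threatname': 'None'},
    {'recordid': 2, 'csip': '10.1.2.3', 'cdport': 4444, 'action': 'Block/Drop', 'threatname': 'None'},
    {'recordid': 3, 'csip': '192.0.2.5', 'cdport': 445, 'action': 'IPS Drop', 'threatname': 'Trojan.Constructed.A'},
    {'recordid': 4, 'csip': '192.0.2.50', 'cdport': 53, 'action': 'Block/Reset', 'threatname': 'None'},
    {'recordid': 5, 'csip': '203.0.113.9', 'cdport': 8080, 'action': 'IPS Reset', 'threatname': 'Scanner.Constructed.B'},
]

if __name__ == '__main__':
    print('IPS actions from 192.0.2.0/24:',
          matching_ids(RECORDS, client_src_ips=['192.0.2.0/24'], actions=['IPS Drop', 'IPS Reset']))
    print('threat names matching *constructed*:', matching_ids(RECORDS, threat_names=['*constructed*']))
```

Each filter is applied only when it has entries, mirroring the feed UI where an unset filter means "any"; parsing rejects reversed address ranges and out-of-range ports up front so a typo in a filter list surfaces before it is pushed to the NSS.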