
firewall.sangfor

Introduction

The tags beginning with firewall.sangfor identify events generated by Sangfor Technologies firewall products.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as firewall.sangfor. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service | Tags | Data tables |
|---|---|---|
| Sangfor Application Control | firewall.sangfor.app_control.event | firewall.sangfor.app_control.event |

For more information, see About Devo tags.

How is the data sent to Devo?

Logs generated by Sangfor Technologies must be sent to the Devo platform through the Devo Relay, which secures the transport to Devo. Configure the relay rule below:

  • Source port - Any available port

  • Source data - (fwlog: Log type: (service\/)?[a|A]pplication [c|C]ontrol.*)

  • Target tag - firewall.sangfor.app_control.event

  • Target message - D1

  • Stop processing - ✓

The Source data regex matches messages whose log type is Application Control, with or without the service/ prefix and with either capitalization of the initial letters. Target message D1 refers to the first capture group of that regex; because the whole expression is wrapped in a single pair of parentheses, the complete matched message is forwarded unchanged to the target tag. With Stop processing enabled, an event that matches this rule is not evaluated against any later relay rules. Events that do not match the regex are not tagged by this rule, so confirm that the log type string emitted by the device matches the pattern before relying on the table being populated.

No 3rd-party mechanism is used. No collector is needed.
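To check what the relay rule above will and will not pick up before pointing a device at it, the following script applies the rule's Source data regex to a handful of log lines and reports the tag and the D1 message for each. This is an added example, not code from Devo or Sangfor; the sample lines are constructed for illustration (only the "fwlog: Log type: ..." prefix the rule keys on is meaningful), and it assumes the relay evaluates Source data with search semantics, so a syslog header before "fwlog:" does not prevent a match.

```python
import re

# Relay rule from this page, reproduced verbatim. The outer parentheses make the
# whole match capture group 1, which is what "Target message - D1" forwards.
SOURCE_DATA = r"(fwlog: Log type: (service\/)?[a|A]pplication [c|C]ontrol.*)"
TARGET_TAG = "firewall.sangfor.app_control.event"

_RULE = re.compile(SOURCE_DATA)


def apply_relay_rule(raw_line: str):
    """Return (target_tag, forwarded_message) if the rule fires, else None.

    Assumption (not stated on the page): the relay applies the Source data
    regex with search semantics, i.e. it may match anywhere in the line.
    """
    m = _RULE.search(raw_line)
    if m is None:
        return None
    # D1 == capture group 1, which here is the whole matched expression.
    return TARGET_TAG, m.group(1)


def route(lines):
    """Apply the rule to a batch of lines.

    Matched lines are grouped under the target tag with their D1 message;
    unmatched lines are grouped under None, untouched, since "Stop processing"
    only affects lines that matched.
    """
    routed = {}
    for line in lines:
        hit = apply_relay_rule(line)
        tag, msg = hit if hit else (None, line)
        routed.setdefault(tag, []).append(msg)
    return routed


# Constructed sample lines (not real Sangfor output): the syslog header and the
# key=value payload are invented; only the "fwlog: Log type:" prefix matters.
SAMPLE_LINES = [
    "<14>Mar 3 10:15:02 sangfor-fw fwlog: Log type: Application Control, user=alice, action=Deny",
    "<14>Mar 3 10:15:03 sangfor-fw fwlog: Log type: service/Application Control, user=bob, action=Permit",
    "<14>Mar 3 10:15:04 sangfor-fw fwlog: Log type: application control, user=carol, action=Deny",
    "<14>Mar 3 10:15:05 sangfor-fw fwlog: Log type: Firewall, user=dave, action=Deny",
    "<14>Mar 3 10:15:06 sangfor-fw kernel: link up on eth0",
]

if __name__ == "__main__":
    for tag, msgs in route(SAMPLE_LINES).items():
        print(f"{tag or '(no rule matched)'}: {len(msgs)} line(s)")
        for m in msgs:
            print("   ", m)
```

The first three lines land in firewall.sangfor.app_control.event with the syslog header stripped by the capture group; the Firewall log type and the kernel message are left alone. Note that `[a|A]` and `[c|C]` are character classes, so they also accept a literal `|` in those positions; that is harmless here but is why the pattern reads oddly.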

Vendor docs

Learn more about how to configure this vendor's events here.

Table structure

These are the fields displayed in this table:

firewall.sangfor.app_control.event

| Field | Type | Extra fields |
|---|---|---|
| eventdate | timestamp | |
| machine | str | |
| log_type | str | |
| policy_name | str | |
| user | str | |
| source_ip4 | ip4 | |
| source_ip6 | ip6 | |
| source_port | str | |
| destination_ip4 | ip4 | |
| destination_ip6 | ip6 | |
| destination_port | str | |
| app_category | str | |
| application | str | |
| action | str | |
| hostchain | str | ✓ |
| tag | str | ✓ |
| rawMessage | str | ✓ |

Note that source_port and destination_port are typed as str rather than as numbers, so keep that in mind when filtering or comparing port values in queries against this table.