Loopus


pfSense Configuration

40 min · lab · +70 XP

Learning Objectives

  • Analyze firewall logs for security insights
  • Detect attack patterns through log analysis
  • Integrate firewall data with SIEM platforms

Firewall Log Analysis

Firewall logs record traffic decisions—what was allowed, what was blocked, and when. Effective log analysis reveals attacks, policy violations, and configuration issues.

Log Contents

Firewall logs typically include:

  • Timestamp - When the traffic occurred
  • Source/Destination - IP addresses and ports
  • Action - Allowed or denied
  • Rule matched - Which rule determined the action
  • Bytes/Packets - Traffic volume
  • Application - Identified application (on NGFW)

Detecting Attacks

Scanning activity - Denied connections from one source to many destinations or ports indicates scanning. Block and investigate the source.

Brute force attempts - Repeated denied connections to authentication services suggest credential attacks.

Outbound to known-bad - Connections to threat intelligence indicators reveal compromised internal systems attempting C2 communication.

Policy violations - Allowed traffic that violates expected patterns, for example a server initiating outbound connections when it should only receive them.

Analysis Techniques

Top talkers - Identify sources and destinations with highest traffic. Unusual entries warrant investigation.

Denied traffic analysis - What is being blocked? Separate expected blocks produced by policy enforcement from unexpected blocks that affect business traffic.

Temporal analysis - Traffic patterns by hour, day, week. Activity outside business hours might indicate attack or misconfiguration.

New destinations - First contacts with destinations never seen before. Novel external communication deserves attention.
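The following is an added example, not code from the Loopus lesson or from the pfSense project. It parses raw syslog lines in the field layout pfSense's filterlog uses for IPv4 TCP/UDP entries (that layout is an assumption of this example, and every log line, address and threshold below is constructed) and then runs the four checks described above: scanning, brute force, top talkers and new destinations. The function names `parse_filterlog`, `detect_scans`, `detect_brute_force`, `top_talkers`, `new_destinations` and `analyse` are this example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed field layout of pfSense's filterlog CSV for IPv4 TCP/UDP entries (rule,
# sub-rule, anchor, tracker, interface, reason, action, direction, ip-version, tos,
# ecn, ttl, id, offset, flags, proto-id, proto-text, length, src, dst, sport, dport, ...).
# The log lines further down are constructed for this example, not captured traffic.
FILTERLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ filterlog\[\d+\]: (?P<csv>.*)$")


@dataclass(frozen=True)
class FwEvent:
    ts: str        # syslog timestamp
    rule: str      # rule number that matched
    iface: str     # real interface name
    action: str    # "pass" or "block"
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    length: int    # IP packet length in bytes


def parse_filterlog(line: str):
    """Return an FwEvent for an IPv4 TCP/UDP filterlog line, or None for anything else."""
    m = FILTERLOG_RE.match(line)
    if not m:
        return None
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None
    return FwEvent(m.group("ts"), f[0], f[4], f[6], f[16], f[18], f[19],
                   int(f[20]), int(f[21]), int(f[17]))


def detect_scans(events, min_targets=10):
    """Scanning: one source denied to many distinct destination:port pairs."""
    targets = defaultdict(set)
    for e in events:
        if e.action == "block":
            targets[e.src].add((e.dst, e.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


AUTH_PORTS = {22, 3389, 445}  # constructed set of authentication-facing services


def detect_brute_force(events, min_attempts=5):
    """Brute force: repeated denied connections from one source to one auth service."""
    hits = Counter((e.src, e.dst, e.dport) for e in events
                   if e.action == "block" and e.dport in AUTH_PORTS)
    return {key: n for key, n in hits.items() if n >= min_attempts}


def top_talkers(events, n=3):
    """Top talkers: sources ranked by allowed bytes."""
    volume = Counter()
    for e in events:
        if e.action == "pass":
            volume[e.src] += e.length
    return volume.most_common(n)


def new_destinations(events, baseline):
    """New destinations: allowed contacts to addresses absent from the baseline set."""
    return sorted({e.dst for e in events if e.action == "pass"} - set(baseline))


def _line(ts, action, src, dst, sport, dport, length):
    # Build one constructed IPv4/TCP filterlog line in the assumed layout above.
    return (f"{ts} pfsense filterlog[4711]: 5,,,1000000103,em0,match,{action},in,4,0x0,,"
            f"64,0,0,DF,6,tcp,{length},{src},{dst},{sport},{dport},{length - 40},S,1,,65535,,mss")


SAMPLE_LINES = (
    # port sweep: one source, twelve blocked ports on one host
    [_line("Mar 12 02:14:07", "block", "203.0.113.10", "192.0.2.5", 40000 + p, p, 60) for p in range(20, 32)]
    # credential guessing: six blocked SSH connections from one source
    + [_line("Mar 12 02:15:00", "block", "198.51.100.7", "192.0.2.5", 51000 + i, 22, 60) for i in range(6)]
    # normal allowed HTTPS traffic from a workstation
    + [_line("Mar 12 09:01:00", "pass", "10.0.0.5", "203.0.113.80", 50000 + i, 443, 1500) for i in range(4)]
    # first contact with a never-seen destination
    + [_line("Mar 12 09:02:00", "pass", "10.0.0.9", "198.51.100.200", 50100, 8443, 120)]
    # a non-firewall syslog line the parser must skip
    + ["Mar 12 09:03:00 pfsense sshd[99]: Accepted publickey for admin from 10.0.0.5"]
)
BASELINE_DESTINATIONS = {"203.0.113.80"}  # constructed: destinations seen in prior weeks


def analyse(lines=SAMPLE_LINES):
    """Parse raw lines and run the four analyses from the lesson."""
    events = [e for e in map(parse_filterlog, lines) if e]
    return {
        "scans": detect_scans(events),
        "brute_force": detect_brute_force(events),
        "top_talkers": top_talkers(events),
        "new_destinations": new_destinations(events, BASELINE_DESTINATIONS),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(f"{name}: {result}")
```

The thresholds (`min_targets`, `min_attempts`) are where tuning happens in practice: too low and ordinary retries from a flaky client look like an attack, too high and a slow scan slips under the bar. Temporal analysis from the lesson is a matter of grouping the same events by the hour in `ts`.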

SIEM Integration

Forward firewall logs to a SIEM for correlation:

Enrichment - Add asset information, threat intelligence, and geographic data to firewall events.

Correlation - Match firewall events with endpoint alerts, authentication logs, and other sources.

Alerting - Create rules detecting concerning patterns: connections to new high-risk countries, denied access followed by allowed access, volume anomalies.

Retention - A SIEM typically retains logs longer than the firewall's internal storage, enabling historical investigation.
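As an added example (not code from the lesson or from any SIEM product), the following shows the enrichment and correlation steps on events that have already been normalised into dictionaries. The asset inventory, threat-intelligence list and country lookups are constructed stand-ins for a CMDB, a feed and a GeoIP database, and the four alert rules (`denied_then_allowed`, `outbound_to_indicator`, `high_risk_country`, `server_initiated_outbound`) are this example's own names for the patterns described above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed enrichment sources standing in for a CMDB, a threat-intel feed and a
# GeoIP database; none of these addresses or indicators are real.
ASSETS = {
    "192.0.2.5": {"name": "web-01", "role": "server", "owner": "platform"},
    "10.0.0.5": {"name": "ws-alice", "role": "workstation", "owner": "finance"},
}
THREAT_INTEL = {"203.0.113.66": "constructed C2 indicator"}
GEO = {"203.0.113.66": "ZZ", "203.0.113.80": "AA", "198.51.100.7": "XX"}
HIGH_RISK_COUNTRIES = {"ZZ"}  # constructed policy list


def enrich(event):
    """Attach asset, threat-intel and geo context to a normalised firewall event."""
    e = dict(event)
    e["src_asset"] = ASSETS.get(e["src"])
    e["dst_asset"] = ASSETS.get(e["dst"])
    e["dst_intel"] = THREAT_INTEL.get(e["dst"])
    e["dst_country"] = GEO.get(e["dst"])
    return e


def correlate(events, window=timedelta(minutes=10)):
    """Evaluate four alert rules over time-ordered, enriched events and return
    (rule, src, dst, detail) tuples in firing order."""
    alerts = []
    history = defaultdict(list)  # (src, dst, dport) -> prior enriched events
    for raw in sorted(events, key=lambda ev: ev["ts"]):
        e = enrich(raw)
        # outbound to known-bad: any contact with a threat-intel indicator
        if e["dst_intel"]:
            alerts.append(("outbound_to_indicator", e["src"], e["dst"], e["dst_intel"]))
        # allowed connection into a country the policy flags as high risk
        if e["action"] == "pass" and e["dst_country"] in HIGH_RISK_COUNTRIES:
            alerts.append(("high_risk_country", e["src"], e["dst"], e["dst_country"]))
        # policy violation: a server asset initiating outbound traffic
        if (e["action"] == "pass" and e["direction"] == "out"
                and (e["src_asset"] or {}).get("role") == "server"):
            alerts.append(("server_initiated_outbound", e["src"], e["dst"], e["src_asset"]["name"]))
        # denied access followed by allowed access to the same target within the window
        key = (e["src"], e["dst"], e["dport"])
        if e["action"] == "pass":
            for prior in history[key]:
                if prior["action"] == "block" and e["ts"] - prior["ts"] <= window:
                    alerts.append(("denied_then_allowed", e["src"], e["dst"],
                                   f"blocked at {prior['ts']:%H:%M}, allowed at {e['ts']:%H:%M}"))
                    break
        history[key].append(e)
    return alerts


def _ev(ts, action, direction, src, dst, dport):
    # Constructed normalised event, as a SIEM would hold it after parsing.
    return {"ts": datetime.fromisoformat(ts), "action": action, "direction": direction,
            "src": src, "dst": dst, "dport": dport}


SAMPLE_EVENTS = [
    _ev("2024-03-12T02:00:00", "block", "in", "198.51.100.7", "192.0.2.5", 3389),
    _ev("2024-03-12T02:04:00", "pass", "in", "198.51.100.7", "192.0.2.5", 3389),
    _ev("2024-03-12T09:10:00", "pass", "out", "192.0.2.5", "203.0.113.66", 443),
    _ev("2024-03-12T09:12:00", "pass", "out", "10.0.0.5", "203.0.113.80", 443),
]


def alert_rules_fired(events=SAMPLE_EVENTS):
    """Names of the rules that fired, in order, for the sample set."""
    return [a[0] for a in correlate(events)]


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The denied-then-allowed rule is the one analysts most often under-specify: it only means something when the block and the pass concern the same source, destination and port inside a short window, which is why the history is keyed on that triple rather than on the source alone. A real SIEM would also bound the history it keeps per key.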

Operational Value

Beyond security, logs support:

Troubleshooting - Verify traffic reaches intended destinations. Identify blocking rules affecting new applications.

Capacity planning - Traffic trends inform network and security infrastructure sizing.

Compliance - Evidence of policy enforcement for regulatory requirements.

Questions

Question 1 (Knowledge): What is pfSense?
Format: ***********(11 chars), exact match required

Question 2 (Hands-On): Which interface is for the local network?
Format: ***(3 chars), exact match required

Question 3 (Knowledge): What additional features does pfSense offer?
Format: ***(3 chars), exact match required

Question 4 (Hands-On): Which pfSense menu contains packages?
Format: ******(6 chars), exact match required