I want to report on which clients are hitting firewall layer 3 deny rules.
Any idea if layer 3 firewall deny rule hits are accessible via API? I've had a look around but don't see anything.
It looks like they aren't in Dashboard itself other than the basic live rule hit counts on the firewall config page, but that doesn't identify the client(s).
Seems the only way might be activating logging on L3 deny rules to get them via syslog (or maybe netflow) but that means setting up extra services just for this info.
The available event types on an MX network that are blocking-related cover NBAR L7, content filtering and AMP, but don't include L3, same as the network event log categories...
  {
    "category": "Network-Based Application Recognition",
    "type": "nbar_block",
    "description": "Layer 7 firewall rule"
  },
  {
    "category": "Filtering",
    "type": "cf_block",
    "description": "Content filtering blocked URL"
  },
  {
    "category": "Filtering",
    "type": "sf_url_block",
    "description": "Security blocked URL"
  },
  {
    "category": "Filtering",
    "type": "sf_binary_block",
    "description": "Security blocked file"
  },
  {
    "category": "Intrusion Detection",
    "type": "ids_start",
    "description": "Intrusion detection started"
  },
  {
    "category": "Intrusion Detection",
    "type": "ids_error",
    "description": "Intrusion detection error"
  },
  {
    "category": "Intrusion Detection",
    "type": "ids_update",
    "description": "Intrusion detection rules update"
  }
I guess instead I could configure L7 rules on IP and/or port instead of L3 rules, in cases where it is a blanket rule rather than one on a subset of internal IP(s)/port(s).
Based on the diagram from documents, the L7 processing happens anyway, so presumably there's not a performance hit on traffic.
Any other ideas?
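One way to get the per-client report out of the syslog route mentioned above, as an added example that is not from the post or from Meraki: a small Python aggregator over constructed flow-log lines in key=value form. The field names and the "pattern: deny" suffix are assumptions for the example; check them against the real MX syslog output before relying on the parser.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the key=value flow-log style an MX emits once
# logging is enabled on a deny rule. Field names and the "pattern: ..." suffix are
# an assumption for this example; verify against real MX syslog output.
SAMPLE_SYSLOG = """\
1700000001.123 MX67 flows src=10.10.1.25 dst=203.0.113.9 mac=AA:BB:CC:00:11:22 protocol=tcp sport=51234 dport=445 pattern: deny all
1700000002.456 MX67 flows src=10.10.1.25 dst=198.51.100.7 mac=AA:BB:CC:00:11:22 protocol=tcp sport=51240 dport=3389 pattern: deny all
1700000003.789 MX67 flows src=10.10.2.8 dst=203.0.113.9 mac=AA:BB:CC:00:33:44 protocol=udp sport=40000 dport=53 pattern: allow all
1700000004.001 MX67 flows src=10.10.3.40 dst=192.0.2.15 mac=AA:BB:CC:00:55:66 protocol=tcp sport=52000 dport=22 pattern: deny 1 tcp 10.10.3.0/24 192.0.2.0/24
"""

# timestamp, appliance name, the literal "flows", key=value pairs, then the matched rule
FLOW_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<host>\S+)\s+flows\s+(?P<kv>.*?)\s+pattern:\s+(?P<pattern>.*)$"
)


def parse_flow_line(line):
    """Return a dict for one flow-log line, or None if the line is not a flow entry."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields.update(ts=m.group("ts"), host=m.group("host"), pattern=m.group("pattern"))
    return fields


def deny_hits_by_client(text):
    """Count L3 deny hits per source IP and record which protocol/ports each client tried."""
    counts = Counter()
    ports = defaultdict(set)
    for line in text.splitlines():
        rec = parse_flow_line(line)
        if rec is None or not rec["pattern"].startswith("deny"):
            continue  # not a flow entry, or the flow was allowed
        counts[rec["src"]] += 1
        ports[rec["src"]].add(f'{rec.get("protocol", "?")}/{rec.get("dport", "?")}')
    return {src: {"hits": n, "dst_ports": sorted(ports[src])} for src, n in counts.items()}


if __name__ == "__main__":
    for src, info in sorted(deny_hits_by_client(SAMPLE_SYSLOG).items()):
        print(f"{src}: {info['hits']} deny hit(s) -> {', '.join(info['dst_ports'])}")
```

Feed it the syslog file the MX writes to and the output is the client-to-deny-rule view the Dashboard hit counters do not give.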