I'm attempting to find event logs or syslogs when traffic has been restricted due to the Layer 7 rules for country blocking. I can't seem to find them anywhere. Does anyone know where to find these or some keywords I can use to search for them in the syslogs?
Your best bet is to check syslog and search the source IP. In my logs there are l7_firewall logs that I look through. I’ve also done packet captures looking for reset flags and looked up the destination's country online.
Unfortunately I'm trying to find inbound connections being blocked rather than outbound, so I'm not sure of the source IP. Perhaps I can try to do some digging with the destination and see if that turns anything up. I tried checking syslog messages for multiple variants of "l7_firewall" but found nothing. Is this a string that shows up for you in the logs themselves? Are there other keywords that can be searched for that appear in these rejections? Edit: For example, when there is an IDS event, the syslog contains the string "security_event ids_alerted". I couldn't find any documentation for what logs are generated when a GeoIP rule gets triggered. Near as I can tell, this may not even be working. For example, I just saw an IDS alert for a command injection attempt from a source IP in China, which should have been blocked by the GeoIP rule.
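As an added example (not written by anyone in this thread), a small Python check that parses constructed Meraki-style key=value syslog lines, keeps only entries for a protected inbound destination, and reports IDS-alerted ingress sources that have no matching l7_firewall block entry, which is the "is the GeoIP rule actually firing?" question above. The line layout, field names and all sample values are assumptions; only the strings l7_firewall and security_event ids_alerted come from the thread.

```python
import re

# Constructed sample syslog text in an assumed Meraki-like "key=value" layout.
# Timestamps, hostnames, IPs (RFC 5737 ranges) and signature ids are made up.
SAMPLE_SYSLOG = """\
1700000000.101 MX_HQ l7_firewall src=203.0.113.10 dst=198.51.100.5 protocol=tcp sport=51000 dport=443 rule=country_block
1700000000.102 MX_HQ security_event ids_alerted signature=CONSTRUCTED-1 priority=1 direction=ingress src=203.0.113.10 dst=198.51.100.5 protocol=tcp/ip
1700000000.103 MX_HQ security_event ids_alerted signature=CONSTRUCTED-2 priority=1 direction=ingress src=192.0.2.77 dst=198.51.100.5 protocol=tcp/ip
1700000000.104 MX_HQ flows src=192.0.2.77 dst=198.51.100.5 protocol=tcp sport=40000 dport=80 pattern: allow all
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one syslog line into (timestamp, device, event_type, fields).

    The event type is the free text between the device name and the first
    key=value pair, e.g. "l7_firewall" or "security_event ids_alerted".
    Returns None for lines that do not have at least three fields."""
    parts = line.split(" ", 2)
    if len(parts) < 3:
        return None
    ts, device, rest = parts
    event_type = KV_RE.split(rest, maxsplit=1)[0].strip()
    fields = dict(KV_RE.findall(rest))
    return ts, device, event_type, fields


def find_unblocked_ids_sources(syslog_text, protected_dst):
    """Return {src: signature} for ingress IDS alerts against protected_dst
    whose source never appears in an l7_firewall entry for that destination.
    A non-empty result means traffic reached the IDS stage without any
    recorded L7 (country) block for the same source."""
    blocked_sources = set()
    alerted = {}
    for line in syslog_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, _, event_type, f = parsed
        if f.get("dst") != protected_dst:
            continue
        if event_type == "l7_firewall":
            blocked_sources.add(f.get("src"))
        elif event_type == "security_event ids_alerted" and f.get("direction") == "ingress":
            alerted[f.get("src")] = f.get("signature")
    return {src: sig for src, sig in alerted.items() if src not in blocked_sources}


if __name__ == "__main__":
    print(find_unblocked_ids_sources(SAMPLE_SYSLOG, "198.51.100.5"))
```

With the constructed sample, 203.0.113.10 is reported as blocked and alerted (both entries present), while 192.0.2.77 shows up only as an IDS alert, so it is the source worth investigating against the GeoIP rule.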