Somewhere, I found this grid that matches Firewall Rule IDs (from the Firewall and ATP logs) to a description, but I cannot remember where.
After reviewing my log data, I realize that I am missing descriptions for at least these IDs: 1,12,17,18,60023,63001
(63001 is associated with ATP, not Firewall Rules.)
Does anyone have the rest of the list?
Here is what I have so far, in CSV format:
fwrule,IptablesChain,Description,Target
60001,filter:INPUT,Input Default Drop,LOGDROP
60002,filter:FORWARD,Forward Default Drop,LOGDROP
60003,filter:OUTPUT,Output Default Drop,LOGDROP
60004,filter:AUTO_INPUT,Forbidden SSH connects,LOGDROP
60005,filter:AUTO_INPUT,Forbidden WebAdmin Contacts,LOGDROP
60006,filter:AUTO_INPUT,Allowed WebAdmin connects,LOGACCEPT
60007,filter:INVALID_PKT,Drop invalid packets,LOGDROP
60008,filter:SPOOF_DROP,Drop spoofed packets,LOGDROP
60009,filter:STRICT_TCP_STATE,Drop packets with suspicious tcp state,LOGDROP
60010,mangle:PREROUTING,Log FTP data connections,LOG
60011,mangle:PREROUTING,Log DNS requests,LOG
60012,raw:PREROUTING,Drop SYN_FLOOD attempts,LOG and DROP
60013,raw:PREROUTING,Drop UDP_FLOOD attempts,LOG and DROP
60014,raw:PREROUTING,Drop ICMP_FLOOD attempts,LOG and DROP
60015,mangle:PREROUTING,ICMP invalid pkt,LOG and DROP
60016,mangle:PREROUTING,ICMP Redirect,LOG
60017,filter:PSD_ACTION,Portscan detected,LOGDROP/LOGACCEPT
60018,mangle:FORWARD,SIP call,LOG
60019,mangle:SANITYCHECK,License Usage Exceeded (Active IPs),LOG and DROP
60020,mangle:FORWARD,H323 call,LOG
60021,"nat:USR_PRE, USR_POST or USR_OUTPUT",Connection using NAT,LOG
Also, I am seeing these relationships between ITMIDs and FWRULEIDs. The data makes more sense when the two codes are seen together. For example, an IP blocked by Country Blocking hits firewall rule 60019. There is not really a licensing problem.
Itmid,ItmName,itmfwrule,description
2001,Packet dropped,12,
2001,Packet dropped,60001,Input Default Drop
2001,Packet dropped,60005,Forbidden WebAdmin Contacts
2001,Packet dropped,60023,
2001,Packet dropped,60003,Output Default Drop
2002,Packet accepted,17,
2002,Packet accepted,18,
2003,Packet rejected,17,
2009,ICMP redirect,60016,ICMP Redirect
2017,AFC Alert,1,
2021,Packet dropped (GEOIP),60019,License Usage Exceeded (Active IPs)
2022,Packet dropped (ATP),63001,
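
The pairing described above, as an added example that is not part of the original post: it labels each log line from both IDs together and counts firewall rule IDs that still lack a description. It assumes log lines carry `key="value"` fields named `id` and `fwrule`; the sample lines are constructed and the tables are a subset of the ones in the post.

```python
import csv, io, re
from collections import Counter

# Subset of the two tables from the post above.
FWRULES_CSV = """fwrule,Description
60001,Input Default Drop
60005,Forbidden WebAdmin Contacts
60019,License Usage Exceeded (Active IPs)
"""
ITM_CSV = """Itmid,ItmName
2001,Packet dropped
2002,Packet accepted
2021,Packet dropped (GEOIP)
"""

def load(text, key, value):
    return {row[key]: row[value] for row in csv.DictReader(io.StringIO(text))}

FWRULES = load(FWRULES_CSV, "fwrule", "Description")
ITMS = load(ITM_CSV, "Itmid", "ItmName")
FIELD = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs (assumed log layout)

def enrich(line):
    """Return (itmid, fwrule, label) for one log line, or None if a field is absent."""
    f = dict(FIELD.findall(line))
    if "id" not in f or "fwrule" not in f:
        return None
    itm, rule = ITMS.get(f["id"]), FWRULES.get(f["fwrule"])
    # The event name leads and the rule text follows, so 2021 + 60019
    # reads as a GEOIP drop rather than as a licensing event.
    label = " / ".join(p for p in (itm, rule and f"rule: {rule}") if p) or "UNMAPPED"
    return f["id"], f["fwrule"], label

def unmapped_rules(lines):
    """Count fwrule IDs seen in the logs that have no description yet."""
    seen = Counter()
    for r in filter(None, map(enrich, lines)):
        if r[1] not in FWRULES:
            seen[r[1]] += 1
    return dict(seen)

# Constructed sample lines; the field names id= and fwrule= are assumptions.
SAMPLE = [
    'id="2021" action="drop" fwrule="60019" srcip="203.0.113.7"',
    'id="2001" action="drop" fwrule="60023" srcip="198.51.100.4"',
    'id="2002" action="accept" fwrule="17" srcip="192.0.2.10"',
]

if __name__ == "__main__":
    print([enrich(l) for l in SAMPLE], unmapped_rules(SAMPLE))
```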