Auditing Access Policy Decisions
One of the main uses for the system message log is to audit access policy decisions. Each time a user request
matches a policy rule, the appliance writes an entry to the message text field (the last field in the message log)
explaining the action taken.
A sample message for an access policy decision looks like this:
[09/Nov/2016:02:45:32.282637 +0000] E-Class SRASSLVPN 002421 ps 100004b3 Info EWACL User
'(192.168.136.70 (Dominique Daba)@(Students)' connecting from '192.168.136.70:37975' matched
rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is
For each connection request that matches a rule, a log message is generated at the Info level. Requests that
don’t match a rule are logged at the Verbose level, and when no rule match is found the request is logged at the
For policy decisions, the logging message text field (everything after Info in the previous example) includes the information shown in the Logging message text fields table.
Logging message text fields
The access policy being evaluated. The log types are:
  CSACL—client/server access policy
  EWACL—Web access policy
  WPACL—WorkPlace access policy
  NEACL—file system access policy (file shares accessed from the Network Explorer page in WorkPlace)

User '(192.168.136.70 (Dominique Daba)@(Students)'
  User name: The user making the request. If the appliance is configured to use multiple realms, the username will appear in the format

connecting from '192.168.136.70:37975'
  Source of request: The address of the user making the request.

matched rule 'accessRule(AV1091719670706:preauth access rule)'
  Match status: Rule match status (either No Match) and the ID for the rule.

access to '127.0.0.1:455' is permitted

If the rule matched, this field will be empty. If the rule did not match, one of the following messages will appear:
  Source Network is
  Date/time specification <time>
  User <username> not in User/Group List
  Destination network is <dest>
  Virtual Host is <vhost>
  Destination services dest is <dest>
  Command is <command>
  UDPEncrypt is <true or false>
  Key Length <length from the policy rule> requires a stronger cipher
If no rule matched, an Info-level message is generated indicating that no matching rule was found.
Example 1: Success at Info Level
[09/Nov/2016:02:45:32.712860 +0000] E-Class SRASSLVPN 002421 ps 10000531 Info Session
Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'
Example 2: Failure at Info Level
[09/Nov/2016:04:27:40.965127 +0000] E-Class SRASSLVPN 002873 ps 00000003 Info WPACL User
'(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule,
access to 'www.seattletimes.com:80' is denied.
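The message layout described above can be audited mechanically. The following Python parser is an added example, not code from the product or its documentation: it extracts the fields of access policy decision lines, skips other messages, and counts denied requests per user and destination. The header regex and the function names are assumptions inferred from this page's sample messages.

```python
import re
from collections import Counter

# Policy log types from the "Logging message text fields" table.
POLICY_TYPES = {"CSACL", "EWACL", "WPACL", "NEACL"}
# Header layout inferred from this page's samples (an assumption).
HEAD_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\s+.*?\s(?P<level>\w+)\s+(?P<policy>[A-Z]+ACL)\s+(?P<text>.*)$")
# Message text: user, source of request, match status, destination, decision.
TEXT_RE = re.compile(
    r"User '(?P<user>.*?)' connecting from '(?P<source>[^']*)' "
    r"(?:matched rule '(?P<rule>.*?)'|found no matching access rule), "
    r"access to '(?P<dest>[^']*)' is (?P<decision>permitted|denied)")

def parse_policy_line(line):
    """Return the fields of an access policy decision, or None for other messages."""
    head = HEAD_RE.match(line.strip())
    if not head or head["policy"] not in POLICY_TYPES:
        return None
    body = TEXT_RE.search(head["text"])
    if not body:
        return None
    fields = {**head.groupdict(), **body.groupdict()}
    del fields["text"]
    return fields  # fields["rule"] is None when no access rule matched

def denied_requests(lines):
    """Count denied requests per (user, destination) for audit review."""
    hits = Counter()
    for line in lines:
        rec = parse_policy_line(line)
        if rec and rec["decision"] == "denied":
            hits[(rec["user"], rec["dest"])] += 1
    return hits

# This page's three messages, each joined onto one line; the ending of the
# first ("permitted") is taken from the last row of the field table.
SAMPLE = [
    "[09/Nov/2016:02:45:32.282637 +0000] E-Class SRASSLVPN 002421 ps 100004b3 Info EWACL User "
    "'(192.168.136.70 (Dominique Daba)@(Students)' connecting from '192.168.136.70:37975' matched "
    "rule 'accessRule(AV1091719670706:preauth access rule)', access to '127.0.0.1:455' is permitted",
    "[09/Nov/2016:02:45:32.712860 +0000] E-Class SRASSLVPN 002421 ps 10000531 Info Session "
    "Authentication for user '(192.168.136.70 (Guest))@(Students)' SUCCESS for realm 'Visitors'",
    "[09/Nov/2016:04:27:40.965127 +0000] E-Class SRASSLVPN 002873 ps 00000003 Info WPACL User "
    "'(kevin figment)@(Students)' connecting from '192.168.136.70:0' found no matching access rule, "
    "access to 'www.seattletimes.com:80' is denied.",
]
if __name__ == "__main__":
    print(denied_requests(SAMPLE))
```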