Secure Mobile Access 12.4 Administration Guide

Technical Documentation> Appendix> Log File Output Formats> Network Tunnel Audit Log

Secure Mobile Access 12.4.3
Introduction
- About Secure Mobile Access
Installation
- Installation and Initial Setup
Management
- Working with Appliance Management Console
- User Management
Authentication
- Network and Authentication Configuration
Administration
- Security Administration
  - Creating and Managing Resources
    Resource Types
    Built-In Resources
    Secure Mobile Access WorkPlace (Resource Type: URL)
    Connect Tunnel (Resource Type: URL)
    Network Explorer (Resource Type: Network Share)
    Web Resources
    Client/Server Resources
    File Share Resources
    Resources and Resource Groups
    Viewing Resources and Resource Groups
    Adding Resources
    Example: Specifying a URL Alias
    Example: Blocking Email Attachments
    Example: Supporting Exchange on iPhones
    Example: Restricting Access to Sensitive Data
    Editing Resources
    Deleting Resources
    Configuring a Resource as a SharePoint Web Service
    Exclusions
    Using the Exclusions
    Using Variables in Resource and WorkPlace Shortcut Definitions
    Using Session Property Variables
    Using Query-Based Variables
    Creating a Resource Pointing to Users’ Remote Desktops
    Creating a WorkPlace Link Giving Users Access to Their Remote Desktops
    Creating a Variable Containing a Variable
    Modifying Query Results
    Displaying a Series of Shortcuts Using a Single Definition
    Creating and Managing Resource Groups
    Adding Resource Groups
    Example: Working with a URL Redirect
    Editing, Deleting and Copying Resource Groups
    Web Application Profiles
    Viewing Web Application Profiles
    Adding Web Application Profiles
    Preconfigured Web Application Profiles
    Web Application Profile Examples
    How Requests for Web Resources are Evaluated
    Associating one profile with an entire domain
    Editing and Deleting Web Application Profiles
    Configuring a Single Sign-On Authentication Server
    Forms-Based Single Sign-On
    Basic Authentication Forwarding
    NTLM Authentication Forwarding
    Creating Forms-Based Dynamic Single Sign-On Profiles
    Dynamic SSO Profile for Microsoft RDWeb
    Configuring Microsoft RD Web Access in AMC
    Creating Dynamic SSO Profile for Microsoft Remote Desktop Web Client
    Creating Web Application Profile
    Creating RDWeb URL resource with custom access
    Adding RDWeb in start page
    Dynamic SSO Profile for Citrix XenApp
    Configuring Citrix XenApp in AMC
    Creating Dynamic SSO Profile for Citrix XenApp
    Creating Web Application Profile
    Creating Citrix XenApp URL resource with custom access
    Adding Citrix Xenapp in start page
    Kerberos Constrained Delegation
    Configuring Kerberos Constrained Delegation
    Configuring SMA Support for Microsoft Outlook Anywhere
    Viewing User Sessions
  - Access Control Rules
    Configuring Access Control Rules
    Viewing Access Control Rules
    Access Control Rules for Bi-Directional Connections
    Requirements for Reverse and Cross-Connections
    Securing Application Ports for Reverse Connections
    Adding Access Control Rules for a Forward Connection
    Specifying Advanced Access Control Rule Attributes
    Adding Access Control Rules for a Reverse Connection
    Adding a Pair of Access Control Rules for a Cross-Connection
    Configuring Advanced Access Control Rule Attributes
    Access Methods and Advanced Options
    Adding Users and Resources From Within Access Control Rules
    Editing, Copying, and Deleting Access Control Rules
    Resolving Deny Rule Incompatibilities
    Resolving Invalid Destination Resources
    Invalid Resource Examples
- System Administration
End Point Control
Components
Mobile Connect
- Using SMA with Mobile Connect
Appendix
SonicWall Support
- About This Document

Network Tunnel Audit Log

The network tunnel audit log provides detailed information about connection activity, including the status of completed tunnel connections and the status of completed flows within tunnels.

The two record types can be distinguished by the word flow or tunnel appearing in the sixth field of the message.

Messages are stored on disk in the file /var/log/aventail/extranet_access.log and contain these parameters:

[source-ip:port] [authentication] "[username@realm]" "[date/time]" [version] [command]

[destination-ip:port] [status code] [bytes-received] [bytes-sent] [connection duration] [imei]

This example illustrates a network tunnel service audit log file entry:

12.230.158.210:1110 ssl:LDAP "fred figment" "13/Sep/2016:19:18:28 -0700" v1.1flow:tcp

192.168.136.254:22 0 21722 60631 263 490236207159217

The log entries contain the fields (separated by spaces) shown in the Network tunnel audit log fields table.

Network tunnel audit log fields
Field	Description
`source-ip:port`	For tunnel records this field contains the source address of the outer tunnel connection. For flows this field contains the inner flow source address, which is the virtual IP address assigned from a tunnel pool when the tunnel is established. Example:`12.230.158.210:1110`
`authentication`	A hyphen (-) indicates re-authentication via TEAM credential. An explicit value is not possible, because the tunnel does not know the authentication method used to negotiate the TEAM credential.
`"username@realm"`	User accessing the resource, and the realm he or she is logged in to. The format of this field varies, depending on the authentication method used. Example: "`mfigment@employees`"
`"date/time"`	Date (in date/month/year format) and time (hours, minutes, seconds, and milliseconds in 24-hour-clock format and hours of time zone +/- GMT) the connection began. Records containing date/time may not be written immediately to the log. Example: "`13/Sep/2016:19:18:28 -0700`"
`version`	The Connect or OnDemand Tunnel protocol version, with 1.1 for currently supported releases.
`command`	The type of command executed. These commands can appear in log file entries for the network tunnel service: `tunnel` `flow:tcp` `flow:udp` `flow:icmp`
`destination-ip:port`	IP address and port number of the resource being accessed. For flows, this is the destination of the TCP, UDP or ICMP flow. For tunnels, this is the external address of the appliance (port number is always 0). Example: `192.168.136.254:22`
`status code`	`0` is success. See Auditing Connection Status Messages for more detail about the status codes.
`bytes-received`	Number of bytes read from source.
`bytes-sent`	Number of bytes written to destination.
`connection duration`	Connection duration (in seconds) based on the time the tunnel was closed, a TCP flow entered its TIME_WAIT state, or a UDP or ICMP flow timed out.
`imei`	Every mobile phone is assigned a unique, 15-digit IMEI code (device identifier) that indicates information like the manufacturer, model type, and country of approval. The IMEI can be displayed on most phones by dialling `*#06#`. It’s also shown on the compliance plate underneath the battery. Example: `352711-01-521146-5` If the IMEI code is not provided by the device, a platform identifier is shown. Platform identifiers (first character) are: W – Windows M – Mac L – Linux P – PDA A – AcitveSync Mobile X – Unknown (blank) – Mobile Phone

< Prev Section

Next Section >

Secure Mobile Access 12.4 Administration Guide

Table of Contents

Network Tunnel Audit Log