Skip to content

Log behavior for web traffic

When you configure a firewall rule to drop traffic, and the traffic is on ports 80 and 443, the firewall allows the web traffic to go to the web proxy, which then blocks it.

The log for the Firewall component shows allowed, and the Web filter component shows blocked.

Note

Web exceptions apply even if the firewall rule has its action set to Drop. So, endpoints may still be able to perform actions such as downloading Windows updates from Microsoft even if their traffic matches a firewall rule set to drop.

Firewall action and logs

If you select Log firewall traffic in Firewall rules and specify the other settings shown in the table, the firewall's behavior and the logs in Log viewer are as follows:

Firewall rule settings Ports other than 80 and 443 Ports 80 and 443
Drop

Firewall drops the packets.

Firewall log shows dropped.

Firewall accepts the incoming packets and passes them to the web proxy. The web proxy sends a block page to the user.

Firewall log shows allowed.

Web filter log shows blocked.

Allow

Block clients with no Heartbeat

Firewall drops packets from endpoints that don't send a heartbeat.

Firewall log shows dropped.

Firewall accepts the incoming packets and passes them to the web proxy.

The heartbeat system determines they should be blocked because the endpoint doesn't send a heartbeat. The web proxy sends a block page to the user.

Firewall log shows allowed, and another firewall log shows Heartbeat blocked.

Web filter log shows blocked.

Reject

Firewall rejects the packets.

Firewall log shows rejected.

Firewall rejects the packets.

Firewall log shows rejected.