When the port filter firewall drops a packet, SYSLOG displays a message, such as:
PACKET_ALERT: Dst: 192.168.200.10:80 {}, Src: 10.0.0.37:4353 {} (TCP): port filter
Ports are output only for protocols that use ports. Computer names are output only when the device can resolve them directly (i.e. without a DNS request).
If the SYSLOG flag is set for a filter entry (%s action), this notification becomes more detailed. In this case the name of the filter, the exceeded limit, and the executed filter actions are also output. For the example above, the notification might look like this:
PACKET_ALERT: Dst: 192.168.200.10:80 {}, Src: 10.0.0.37:4353 {} (TCP): port filter
PACKET_INFO:
matched filter: BLOCKHTTP
exceeded limit: more than 0 packets transmitted or received on a connection
actions: drop; block source address for 1 minutes; send syslog message;
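For log collection, both notification forms can be parsed into structured fields. The following is an added example, not code from the device vendor: the name parse_packet_alert is hypothetical, and it assumes IPv4 addresses and that a resolved computer name appears inside the braces. It accepts the PACKET_INFO part on the same line or on following lines.

```python
import re

# Constructed sample: the detailed notification shown in the text above.
SAMPLE = ("PACKET_ALERT: Dst: 192.168.200.10:80 {}, Src: 10.0.0.37:4353 {} (TCP): port filter "
          "PACKET_INFO: matched filter: BLOCKHTTP exceeded limit: more than 0 packets "
          "transmitted or received on a connection actions: drop; block source address "
          "for 1 minutes; send syslog message;")

# One endpoint: IPv4 address, optional ":port" (absent for protocols without
# ports), then "{name}" (assumption: resolved computer names appear here).
ENDPOINT = (r"(?P<{p}_ip>\d{{1,3}}(?:\.\d{{1,3}}){{3}})(?::(?P<{p}_port>\d+))?"
            r"\s*\{{(?P<{p}_name>[^}}]*)\}}")
ALERT_RE = re.compile(
    r"PACKET_ALERT:\s*Dst:\s*" + ENDPOINT.format(p="dst")
    + r",\s*Src:\s*" + ENDPOINT.format(p="src")
    + r"\s*\((?P<proto>[^)]+)\):\s*(?P<reason>.*?)\s*(?=PACKET_INFO:|$)", re.S)
# Extra fields that are only present when the SYSLOG flag is set on the filter entry.
INFO_RE = re.compile(
    r"PACKET_INFO:\s*matched filter:\s*(?P<filter>.*?)\s*"
    r"exceeded limit:\s*(?P<limit>.*?)\s*actions:\s*(?P<actions>.*)$", re.S)


def parse_packet_alert(message):
    """Return a dict of fields, or None if the message is not a PACKET_ALERT."""
    m = ALERT_RE.search(message)
    if m is None:
        return None
    event = m.groupdict()
    for key in ("dst_port", "src_port"):
        event[key] = int(event[key]) if event[key] else None
    info = INFO_RE.search(message)
    event["detailed"] = info is not None
    if info:
        event["filter"] = info["filter"]
        event["limit"] = info["limit"]
        # Actions are a ';'-terminated list; drop the empty trailing item.
        event["actions"] = [a.strip() for a in info["actions"].split(";") if a.strip()]
    return event


if __name__ == "__main__":
    print(parse_packet_alert(SAMPLE))
```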