Hi @AshleyT 

Thanks for posting in our business forum.

Can you be specific about what you expect to see? As you have mentioned the UBNT, what does their firewall syslog look like?

Would be great if you could show me a picture of that so I can include it in the request report.

Hi  @AshleyT 

AshleyT wrote

 Hi @Clive_A,

 

Sure. Sorry if this is a ramble but please do ask me to clarify anything further.

 

The goal of this is to be able to see detailed firewall logs from the routers.

 

UBNT Unifi Approach

Currently in Unifi there is a single Syslog option much like TPLink, however this option in Unifi enables and disables the syslogs on the devices controlled by the controller rather than syslogs from the controller itself.

 

This gives really detailed logs from all devices currently in the controller, however, this can be over whelming with the amount of logs being sent.

 

There is also an option in the Unifi controller to allow logs from certain firewall entries as to whether you would like to collect logs or not from a firewall rule

 

 

 

The Proposed TP-Link Solution

I propose the following to allow for specific syslog events to be fired.

 

1. Add the logging option to the Gateway, Switch and EAP ACL page

 

 

2. Syslog settings are to be pushed down to managed devices

3. For an additional option under each Site to have "ACL logging only". This would then only fire syslog events for the specified ACL rules that have been selected.

 

An example syslog event would like something like this:

 

ER605 [WAN] IN DESCR="no rule description" IN=br10 OUT= MAC=e4:38:83:62:7f:c9:e8:d8:d1:58:57:b8:08:00 SRC=10.6.0.34 DST=10.6.0.1 LEN=65 TOS=00 PREC=0x00 TTL=128 ID=13349 PROTO=UDP SPT=64651 DPT=53 LEN=45 MARK=0

 

Lets break this down

1. The first part is the device name
2. Next is the traffic direction. For instance this on is a [WAN] IN direction but it could also be LAN->WAN or LAN->LAN
3. DESCR, this is the description of the rule from the input of the controller.
4. IN is the interface the traffic arrived at
5. OUT is the interface the traffic left the device
6. MAC... not sure what Unifi have done for this as that is certainly not a MAC address but this should be the source MAC address from the packet
7. SRC is the source IP address of the packet
8. DST is the destination IP of the packet
9. LEN - again not sure what the length is referring to, i would assume the header length of the packet but could be the data length
10. TOS - is basically the QoS
11. PREC - relating to DSCP
12. TTL - Packet time to live
13. ID - Packet reference
14. Proto - Packet protocol
15. SPT - source port of the packet
16. DPT - destination port
17. LEN - again as stated at point 9 this is either header or data length of the packet
18. MARK - and no idea for this

 

There are a couple of other packet types that also are fired by unifi and i have listed examples of thios below:

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:f4:e2:c6:f1:9b:b3:08:00 SRC=10.0.0.123 DST=10.0.0.1 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=32800 SEQ=440557490 ACK=3157500235 WINDOW=28960 ACK SYN URGP=0 UID=0 GID=0 MARK=1c0000

ISSUXG [LAN_LOCAL-RET-2147483647] DESCR="no rule description" IN=br0 OUT= MAC=e4:38:83:62:7f:c9:60:e9:aa:18:4a:95:08:00 SRC=10.0.0.23 DST=10.0.0.1 LEN=40 TOS=00 PREC=0x00 TTL=128 ID=34011 DF PROTO=TCP SPT=52512 DPT=53 SEQ=658760599 ACK=3861139809 WINDOW=512 ACK URGP=0 MARK=0

 

 

I hope this all makes sense but just to wrap up.

1. Tick box to be added to ACL entries to log events of the rule

2. Tick box to be added to General settings under Syslog for "ACL Events Only"

3. Push syslog settings down to managed routers, switches and access points.

 

Many thanks

 

Ashley

Great explanation. I understand what you need. Will record what you suggested.

Hi @AshleyT 

Thanks for posting in our business forum.

AshleyT wrote

 

I hope this all makes sense but just to wrap up.

1. Tick box to be added to ACL entries to log events of the rule

2. Tick box to be added to General settings under Syslog for "ACL Events Only"

3. Push syslog settings down to managed routers, switches and access points.

 

Many thanks

 

Ashley

Regarding the requests

• ACL log will be added to the system in V5.15. ETA.

Note this log is not gonna be stored on the Omada Controller. You are required to set up the sys log server to store this ACL log.

• DPI does not support time stamps due to hardware limitations and performance concerns. @kogan 

In the short term, we don't have plans to add it.

Please note that this will involve an adapted firmware, not just a controller update. Firmware development is a complex process, and timelines may change. Therefore, we cannot provide a specific release date at this time. Please stay tuned to future firmware release notes for updates.

When introducing a feature like this, we typically apply it uniformly across all models to ensure consistency and a seamless user experience.

However, it's essential to acknowledge that hardware limitations may exist, which might prevent us from adding the feature to certain models. In such cases, we cannot provide individual notifications explaining the reason. Please note that we cannot guarantee the fulfillment of all requests, and we must set clear expectations upfront.

Hi @AshleyT 

Thanks for posting in our business forum.

AshleyT wrote

  Hi @Clive_A,

 

Just a followup question.

 

You mentioned that DPI doesn't have a time stamp. Does this mean there is still a log that will be fired without a timestamp or that dpi will not be part of this update?

 

Thanks

 

Ashley

It does not have a log but a chart to show what apps or services were used. It has been like this since it was added. No changes or planned update.

In the short term, there will not be a log to it or a time stamp for it due to the reason explained.