rsondal
Staff
January 21, 2025

Technical Tip: How to understand the UTM block logs under forward traffic

Description This article describes how to interpret UTM block logs that appear under Forward Traffic.
Scope FortiGate.
Solution
  1. Check SSL application block logs under Log & Report -> Forward Traffic.

ssl1.JPG

ssl2.JPG
  2. Forward Traffic shows a log entry for every session.
  3. To understand a UTM block seen under Forward Traffic, always look for the UTM log entries with the same timestamp.
  4. Check which UTM (security) profiles are applied to the firewall policy that matched the blocked traffic.

Example:

ssl3.JPG

  5. Check the UTM logs one by one under Log & Report -> Security Events, selecting each applied UTM profile in turn.
  6. Look for the UTM log entries with the same timestamp and Session ID as the Forward Traffic entry, as shown in the examples below.

First example:

  • Forward Traffic Log:

ssl4.JPG

  • UTM Log:

ssl5.JPG

Second example:

  • Forward Traffic Log:

ssl6.JPG

  • UTM Log:

ssl7.JPG
In both examples above, the UTM log shows that the traffic is blocked by the Web Filter profile because the URL belongs to a denied category.

Note:

One common point of confusion when reviewing logs is the difference between the firewall policy decision and the UTM (Security Profile) decision:

  • Action = accept in a Forward Traffic log does not necessarily mean the traffic was successfully allowed.
  • The firewall policy may allow the session at Layer 3/4.
  • A Security Profile (UTM) can later inspect and block the traffic at Layer 7.
  • The actual reason for the block is always recorded in the corresponding UTM log.

In other words, traffic can be accepted by the firewall policy but still blocked by UTM inspection. The Forward Traffic entry's utmaction field (allow or block) shows at a glance whether inspection intervened, but the profile that fired and the reason for the block are only in the UTM log.
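The correlation described in the procedure and the note above, as an added worked example that is not part of the original article and not Fortinet code: it parses FortiGate-style key=value syslog lines, groups the UTM entries by session ID, and for each Forward Traffic entry decides whether the session was denied by policy, accepted and allowed, or accepted by policy but blocked by a security profile, reporting the profile type, profile name and reason from the matching UTM entry. The sample log lines are constructed for this example; every value in them (addresses, ports, session IDs, hostnames, categories, policy IDs) is invented, and field names such as utmaction, catdesc, eventtype and countweb follow the FortiGate syslog format as this example's author understands it, so verify them against your own unit's output.

```python
"""Correlate FortiGate Forward Traffic log entries with the UTM log entries
that explain them, matching on session ID and timestamp.

Added example, not Fortinet code. The sample lines below are constructed in
the FortiGate key=value syslog style; every value in them is invented.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real captures). They cover: an accepted
# session blocked by web filter, an accepted and allowed session, an accepted
# session blocked by antivirus, a session the policy itself denied, and an
# accepted session whose traffic log says utmaction=block with no UTM log.
SAMPLE_LOGS = """\
date=2025-01-21 time=10:15:02 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=52214 srcintf="port2" dstip=203.0.113.10 dstport=443 dstintf="port1" sessionid=180231 proto=6 action="accept" policyid=5 service="HTTPS" utmaction="block" countweb=1
date=2025-01-21 time=10:15:02 type="utm" subtype="webfilter" eventtype="ftgd_blk" level="warning" vd="root" policyid=5 sessionid=180231 srcip=10.10.10.25 dstip=203.0.113.10 service="HTTPS" hostname="example.invalid" profile="default" action="blocked" cat=26 catdesc="Malicious Websites" msg="URL belongs to a denied category in policy"
date=2025-01-21 time=10:15:09 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=52220 srcintf="port2" dstip=198.51.100.7 dstport=443 dstintf="port1" sessionid=180240 proto=6 action="accept" policyid=5 service="HTTPS" utmaction="allow" countweb=1
date=2025-01-21 time=10:15:11 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=52231 srcintf="port2" dstip=192.0.2.44 dstport=443 dstintf="port1" sessionid=180252 proto=6 action="accept" policyid=5 service="HTTPS" utmaction="block" countav=1
date=2025-01-21 time=10:15:11 type="utm" subtype="virus" eventtype="infected" level="warning" vd="root" policyid=5 sessionid=180252 srcip=10.10.10.25 dstip=192.0.2.44 service="HTTPS" profile="default" action="blocked" virus="EICAR_TEST_FILE" msg="File is infected."
date=2025-01-21 time=10:15:15 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.40 srcport=40011 srcintf="port2" dstip=192.0.2.9 dstport=23 dstintf="port1" sessionid=180260 proto=6 action="deny" policyid=0 service="TELNET"
date=2025-01-21 time=10:15:20 type="traffic" subtype="forward" level="notice" vd="root" srcip=10.10.10.25 srcport=52240 srcintf="port2" dstip=198.51.100.9 dstport=443 dstintf="port1" sessionid=180270 proto=6 action="accept" policyid=5 service="HTTPS" utmaction="block" countips=1
"""

# key=value pairs: quoted values may contain spaces, unquoted values may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one FortiGate syslog line into a {field: value} dict."""
    return {key: quoted or unquoted for key, quoted, unquoted in KV_RE.findall(line)}


def parse_logs(text):
    """Parse every non-empty line of a syslog dump."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def _timestamp(entry):
    return datetime.strptime(entry["date"] + " " + entry["time"], "%Y-%m-%d %H:%M:%S")


def explain_sessions(entries, max_skew_s=5):
    """Map each Forward Traffic session ID to the verdict a log reviewer should draw.

    A policy action of "accept" is only the Layer 3/4 decision. If a security
    profile blocked the session at Layer 7, the reason is in the UTM entry that
    shares the session ID and was written at (almost) the same time.
    """
    utm_by_session = defaultdict(list)
    for entry in entries:
        if entry.get("type") == "utm":
            utm_by_session[entry.get("sessionid")].append(entry)

    verdicts = {}
    for entry in entries:
        if entry.get("type") != "traffic" or entry.get("subtype") != "forward":
            continue
        sid = entry["sessionid"]
        result = {"policyid": entry.get("policyid"), "action": entry.get("action"), "utm": None}

        if entry.get("action") != "accept":
            result["verdict"] = "denied by firewall policy"
            verdicts[sid] = result
            continue

        # Same session ID, a block verdict, and a timestamp within max_skew_s seconds.
        t_traffic = _timestamp(entry)
        blocks = [
            u for u in utm_by_session.get(sid, [])
            if u.get("action") in ("blocked", "block")
            and abs((_timestamp(u) - t_traffic).total_seconds()) <= max_skew_s
        ]
        if blocks:
            u = blocks[0]
            result["verdict"] = "accepted by policy, blocked by UTM"
            result["utm"] = {
                "subtype": u.get("subtype"),  # which profile type fired (webfilter, virus, ...)
                "profile": u.get("profile"),  # which profile on the policy
                "reason": u.get("catdesc") or u.get("virus") or u.get("msg"),
            }
        elif entry.get("utmaction") == "block":
            # Traffic log says inspection blocked it but no UTM entry matched:
            # widen the time window, or check that the profile is set to log blocks.
            result["verdict"] = "utmaction=block without a matching UTM log"
        else:
            result["verdict"] = "accepted and allowed"
        verdicts[sid] = result
    return verdicts


if __name__ == "__main__":
    for sid, v in explain_sessions(parse_logs(SAMPLE_LOGS)).items():
        line = "session %s policy %s: %s" % (sid, v["policyid"], v["verdict"])
        if v["utm"]:
            line += " [%s profile %r: %s]" % (v["utm"]["subtype"], v["utm"]["profile"], v["utm"]["reason"])
        print(line)
```

Run against a real syslog export by replacing SAMPLE_LOGS with the file contents; the session ID is the join key, and the timestamp window only guards against accidental session ID reuse across a long capture. The last branch is the one to watch in practice: a Forward Traffic entry with utmaction=block but no UTM entry usually means the profile that fired is not logging its blocks, or the Security Events view is filtered to a different profile type.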