Understand Missing Port Information from Cloud Delivered Firewall Logs

Available Languages

Download Options

  • PDF     (17.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (82.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (67.5 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 23, 2025
Document ID:225270

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes why the port information is missing from Cloud Delivered Firewall Logs.

    Why is the Port Information Missing from my Cloud Delivered Firewall Logs?

    When you download the Cisco Umbrella logs from either Cisco's managed S3 bucket or your own S3 bucket, some of Cloud Delivered Firewall (CDFW) logs are returning an empty value for "sourcePort" and "destinationPort" inputs.

    Whether or not the internal port information of the user traffic is available depends on the protocol of the traffic. Since ICMP traffic does not have port numbers, no port information is logged.

    "2020-06-09 18:52:38","[419244240]","raspberrypi","Network Tunnels",
    "OUTBOUND","1","84","192.168.64.112","","8.8.8.8","","nyc1.edc",
    "1614180","ALLOW"

    When traffic using TCP and UDP are logged, then the port information is displayed.

    "2020-06-09 18:53:49","[419244240]","raspberrypi","Network Tunnels",
    "OUTBOUND","17","75","192.168.64.112","57405","8.8.8.8","53","nyc1.edc",
    "1614180","ALLOW"

    Additional Information

    Read more about CDFW logs in the Umbrella documentation: Log Format and Versioning - Cloud Firewall Logs

    Revision History

    Revision Publish Date Comments
    1.0
    23-Oct-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products