Accounting Log Shows Negative Value for Bytes Transferred If accounting is chosen in a rule's track field FireWall-1 V4.1 stores the number of bytes transferred in an four byte signed integer variable. So if more than 2^31 bytes (2 GB) have been transferred, FireWall-1 will display negative numbers in the accounting log:
type;action;alert;i/f_name;i/f_dir;proto;src;dst;service;s_port;rule;elapsed;st art_time;packets;bytes;sys_msgsaccount;accept;;dae mon;inbound;tcp;10.1.1.2;10.1.1.1;ftp;32834;1;0:06 :09;24Dec199914:45:31;2232525;-2058181140; ^^^^^^^^^^^ number of bytes transferred -----------|
This can become very expensive if the FireWall-1 accounting output is used for real world accounting and billing purposes.
FireWall-1 4.0SP5 and 4.1SP1 solve this problem. FireWall-1 will only properly log 4 GB of data in accounting mode. The counter will still "roll over" after 4GB.
--
GuyR - 07 Jan 2004
FAQForm FAQs.Class:
LoggingAndAlertingFAQs FAQs.OS: FAQs.Version:
Accounting Log Shows Negative Value for Bytes Transferred 
2005-08-12 
Accounting Log Shows Negative Value for Bytes Transferred 
Linear Mode
