Support Center

List of Fields and Description for TMG Reporter

Last Updated: Sep 12, 2014 11:53AM PDT

When you filter a Report, or choose the criteria for an Alert in TMG Reporter, you are presented with a list of fields that you can utilize. Here is the full field listing along with their descriptions, and sample values.


The authenticated Username from TMG, aliased by the Display Name attribute in Active Directory. In the event that TMG Reporter cannot import usernames from AD, then this field displays the original logged username (usually in the form of Domain\Username) and can be filtered by entering the full username string. If TMG Reporter can connect to Active Directory, then you can simply choose from a pick list of users, and TMG Reporter will automatically link these users up to the relevant log data in TMG.


The authenticated Username from TMG aliased by the Department attribute in Active Directory. For users without the Department attribute populated, and for unauthenticated traffic, TMG Reporter will display 'Unknown' for the department.


A pick list of the Company attribute from Active Directory.


A pick list of the Office attribute from Active Directory (LDAP name is physicalDeliveryOfficeName)


The host portion of the URL field in the Forefront TMG log files. e.g.


A picklist of URL Categories in the Forefront TMG log files. Requires URL Filtering to be enabled in Forefront TMG.


The URL Category field in the Forefront TMG log files, aliased by Productivity List as configured in Settings | Productivity. Possible values: Productive, Unproductive, Acceptable, Unacceptable. Requires URL Filtering to be enabled in Forefront TMG.


The Application field contains the values from the fwc-app-path field in Forefront TMG's Firewall logs files, plus the results of some Fastvue magic that extracts common browsers from the User Agent field. Possible browsers are Google Chrome, Mozilla Firefox, Internet Explorer, Apple Safari, and Opera. For everything else, if the user agent contains a left parentheses, the extracted Application will be everything before the parentheses, otherwise the extracted Application is the first 30 characters of the user agent.

User Agent

The name and version of the client application sent in the HTTP User-Agent header. When Forefront TMG is actively caching, this field is set to Forefront TMG.


The action performed by the Microsoft Firewall Service for the current session or connection. The possible values are Allowed, Denied, Failed, Bind, Listen, GHBN, GHBA, Redirect Bind, Establish, Terminate, Intermediate, Successful Connection, Unsuccessful Connection, Disconnection, User cleared Quarantine, Quarantine timeout, Not Logged.


The rule that either allowed or denied access to the request, as follows:
  • If an outgoing request was allowed, this field indicates the access rule that allowed the request.
  • If an outgoing request was denied by a policy rule, this field indicates the access rule that blocked the request.
  • If an incoming request was denied by a policy rule, this field indicates the Web publishing or server publishing rule that denied the request.
  • If Forefront TMG denied the connection for any reason other than a policy rule (for example due to an intrusion attempt or exceeding a flood resiliency threshold) this field contains a hyphen (-), and the Result Code field (bit 21) indicates the reason.

Threat Name

When Forefront TMG discovers a threat, this field describes the name of the threat.


The application protocol used for the connection. Common values are HTTP, HTTPS, and FTP.

Source IP

The Source IP of the connection (e.g.

Destination IP

The Destination IP of the connection (e.g.

IPS Scan Result

The result of NIS scanning of the traffic or the connection (inspected/detected/blocked)

IPS Signature

The NIS signature detected that resulted in the traffic been blocked.

Malware Inspection Action

Describes the action performed on the inspection content. Possible values are Allowed, Cleaned or Blocked.

Malware Inspection Result

Describes the outcome of the malware inspection process. Possible values include:
  • No Violation Detected
  • Low and Medium Level Threats Not Blocked
  • Infected File
  • Suspicious File
  • Encrypted File
  • Maximum Archive Nesting Exceeded
  • Maximum Size Exceeded
  • Maximum Unpacked File Size Exceeded
  • Unknown Encoding
  • Corrupted File
  • Time Out
  • Storage Space Limit Exceeded
  • Unknown
  • Malware Inspection Disabled
  • Malware Inspection Disabled for the Matching Policy Rule
  • Malware Inspection Disabled for the Matching Web Chaining Rule
  • Destination Included in Malware Inspection Exceptions List
  • Response Originated from Proxy Server
  • Request Served by Malware Inspection Web Filter
  • Request/Response Pair Identified as Exempted Protocol Message
  • Response Identified as a 200 Response to a CONNECT Request
  • Response Scanned Before Being Routed by CARP (this is not relevant for Forefront TMG in the Essential Business Server scenario.

Malware Inspection Threat Level

Shows the threat level. Possible values include Low, Medium, High, Severe.

Source Port

The port number on the source computer used for the connection.

Destination Port

The port number on the target server that provides service to the connection. E.g, if the target computer is providing a web service, the Destination Port will be 80 or 443.

Source Network

The network from which the request originated as defined in Forefront TMG's Network Objects.

Destination Network

The network for which the request was destined as defined in Forefront TMG's Network Objects.

Site * fields

There are a range of fields starting with Site. They all refer to certain sections of the URL field and best explained using an example URL:


Site Resource


Site Query


Site Domain

Site Country



URL with Query

Record Type

Either Firewall or Web depending on the log files the record came from (Firewall or Web Proxy log)

Total Bytes

The sum of sent and received bytes.

Received Bytes

Amount of data received by the Source

Sent Bytes

Amount of data sent by the Source.


Number of log file records in the connection.

Session Time

Time of a browsing session. See How browsing time is calculated.

Browsing Time

Sum of all the browsing session times. See How browsing time is calculated.

New fields coming in TMG Reporter 3.0

The next release of TMG Reporter (v3.0) will include the following additional fields:

Security Group

A pick list of Security Groups from Active Directory.


Also taken from the URL field. For URL, the file name field will contain TMGReporter.png. Useful to add to Alert Evidence tables, or in filters such as Filename 'Ends with' .png

Filename Extension

The file extension such as .png, .exe or .swf

Search Terms

Extracts the keywords from a URL that contains common 'search' query strings such as  q=  or  search= . For example, for, the Search Term is meerkat.

Mime Type

The content type of the request as logged by Forefront TMG. For example: text\html, image\png

Referrer * Fields

The range of referrer are built from the Referrer URL field. Just like the Site fields above, they include:
  • Referrer Protocol
  • Referrer Host
  • Referrer Port
  • Referrer Resource
  • Referrer Query
  • Referrer Domain
  • Referrer Country
  • Referrer URL
  • Referrer with Query

Firewall Server

The Name or IP address of the Forefront TMG Server.

Contact Us

  • Post a Public Question
  • Email Us
  • Chat with us

    Call Us @ 888.885.6711
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found