You can find the Firewall Diagnostics at Diagnostics → Firewall.
There are two tabs. In the Log tab you can browse, search and parse the current firewall log. Each log entry comes from the firewall log.
Be aware that by default only deny entries are logged. If you need more logging, turn it one in each firewall rule Firewall Rules (Forward and Input).
You can also create a firewall rule directly from a log entry by hitting the action symbol on the right.
Source and destination IPs can show reverse DNS entry on hover, as long as the VT AIR can resolve the IP.
In the Ruleset tab you can see the current system firewall ruleset.
The ruleset tabs shows you the current firewall rules in the system.
If you enabled the trace option on one or more firewall rules, matching traffic can be seen here. This is a good tool to debug your firewall rules. The packet will be followed through the firewall from DNAT to rule until SNAT.