https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/113881#M15896 <P>If it is logged it would be done only when detailed/extended logging is done in the relevant rule.<BR />My guess is that it’s not and this would be an RFE.</P> Thu, 18 Mar 2021 02:13:06 GMT PhoneBoy 2021-03-18T02:13:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/113761#M15892 <P>Hello,</P><P>is there any possibility to view the traffic log with specification of requests as they come from clients to explicit web proxy server configured at Checkpoint gateway (R80.30)?&nbsp;</P><P>On CP GW: HTTPS Inspection is disabled, X-Forwarded-For is enabled.</P><P>Something in style of squid web proxy log, where one can find info about command sent by client, e.g. "CONNECT &lt;dns hostname&gt;:443", "GET <A href="http://&lt;dns" target="_blank">http://&lt;dns</A> hostname&gt;/blah.js"</P><P>The main aim is to be able to put together client (source) IP address and remote (destination) URL, while the traffic is passing three web proxy servers on its way to destination. Checkpoint explicit web proxy is the first one in the proxy chain, the one contacted by client. There I can see client's source IP address, but destination's IP address is IP address of CP web proxy. The squid web proxy is the second one and there I can find destination URL, but source IP address is IP address of CP web proxy, not the real client's IP adress.</P><P>Most of traffic is encrypted, so client's IP address stored in HTTP header X-Forwarded-For is not visible at squid web proxy.</P><P>Thank you for any advice or comment</P><P>milos</P> Wed, 17 Mar 2021 08:51:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/113761#M15892 m1l05 2021-03-17T08:51:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/113881#M15896 <P>If it is logged it would be done only when detailed/extended logging is done in the relevant rule.<BR />My guess is that it’s not and this would be an RFE.</P> Thu, 18 Mar 2021 02:13:06 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/113881#M15896 PhoneBoy 2021-03-18T02:13:06Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/114216#M15968 <P>Thank you for pointing me to the right direction. I'll check it out.</P> Mon, 22 Mar 2021 10:31:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/114216#M15968 m1l05 2021-03-22T10:31:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/138880#M21149 <P>Did you do a RFE? If so, what kind of response did you get?</P><P>We are in a simular situation, where network traffic from hardened networks are directed to a specific explicit proxy for internet access. However, the log visibility is very poor due to the lack of information regarding destination URL and client source IP address. Now we have to first lookup which proxy node is active, and filter on that as source. It becomes a guessing game.</P><P>X-Forwarded-For is enabled and I can see that header in tcpdump, but extended or detailed logging don't seem to get it. Not even when browsing unencrypted HTTP content. I have put togethered a custom log profile containing all kinds of fields that I hoped could help but they'll stay empty in testing.</P><P>Thanks.</P> Wed, 19 Jan 2022 12:50:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Log-for-web-proxy-traffic-with-specification-of-request/m-p/138880#M21149 FredrikV 2022-01-19T12:50:51Z