https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175234#M31941 <P>Hi,</P><P>I am trying to solve a problem that probably is not firewall related, but it would help us a lot if we could see how a connection ended.</P><P>We activated TCP State Logging as described in&nbsp;<SPAN>sk101221. And we see log entries that contain a "TCP State" entry. Unluckily this is only available for 10% of all TCP sessions. Most TCP sessions do not contain any TCP State. This is surprising as we selected "3" (When connection state change), so we would expect every connection to have a TCP State.<BR /></SPAN></P><P>All connections were accepted.</P><P>I was using to "fw log" to analyse the log as SmartConsole requires you to click on a log entry to see if there is a TCP State and we have thousands of log entries. But from checking from SmartConsole, the percentage of log entries containing a TCP State is mostly the same. We made sure the connection started and ended in the same log file.</P><P>Are some connections excluded from Reporting the TCP State? I see no limitation in the&nbsp;<SPAN>sk101221.</SPAN></P><P><SPAN>What I noticed:</SPAN></P><UL><LI><SPAN>Entries with "LogId: 9" always have a TCP State.</SPAN></LI><LI><SPAN>Entries with a LogId other than "9" never have a TCP State.</SPAN></LI></UL><P>Environment: VSX, R81.10</P><P>Sincerely yours, Martin</P> Fri, 17 Mar 2023 16:04:17 GMT Masek 2023-03-17T16:04:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175234#M31941 <P>Hi,</P><P>I am trying to solve a problem that probably is not firewall related, but it would help us a lot if we could see how a connection ended.</P><P>We activated TCP State Logging as described in&nbsp;<SPAN>sk101221. And we see log entries that contain a "TCP State" entry. Unluckily this is only available for 10% of all TCP sessions. Most TCP sessions do not contain any TCP State. This is surprising as we selected "3" (When connection state change), so we would expect every connection to have a TCP State.<BR /></SPAN></P><P>All connections were accepted.</P><P>I was using to "fw log" to analyse the log as SmartConsole requires you to click on a log entry to see if there is a TCP State and we have thousands of log entries. But from checking from SmartConsole, the percentage of log entries containing a TCP State is mostly the same. We made sure the connection started and ended in the same log file.</P><P>Are some connections excluded from Reporting the TCP State? I see no limitation in the&nbsp;<SPAN>sk101221.</SPAN></P><P><SPAN>What I noticed:</SPAN></P><UL><LI><SPAN>Entries with "LogId: 9" always have a TCP State.</SPAN></LI><LI><SPAN>Entries with a LogId other than "9" never have a TCP State.</SPAN></LI></UL><P>Environment: VSX, R81.10</P><P>Sincerely yours, Martin</P> Fri, 17 Mar 2023 16:04:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175234#M31941 Masek 2023-03-17T16:04:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175265#M31946 <P>TCP state logging is a rather old feature introduced in R77.10; I'm wondering if the big SecureXL changes in R80.20 are not compatible with it, and as such you are only seeing TCP state for F2F/slowpath traffic for which you normally want to see 10% or less.&nbsp; You could try forcing critical traffic for which you must see TCP state info into F2F/slowpath as described here and see if it makes a difference:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104468&amp;partition=Advanced&amp;product=SecureXL" target="_blank">sk104468: How to disable SecureXL for specific IP addresses</A></P> <P>Looking at the current list of sim-specific kernel variables, I don't see one corresponding to&nbsp;<EM><STRONG>fwconn_tcp_state_logging.</STRONG>&nbsp;&nbsp;</EM>So trying to do a <STRONG>fw ctl set int</STRONG> of this variable with the -a argument to set it inside sim/SecureXL is unlikely to have any effect but might be worth a try too.</P> <P>&nbsp;</P> Fri, 17 Mar 2023 23:29:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175265#M31946 Timothy_Hall 2023-03-17T23:29:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175270#M31949 <P>Can you provide an example log card for connections that don't have TCP state?<BR />Redact any sensitive details.<BR />Recommend opening a TAC case in parallel.</P> Fri, 17 Mar 2023 23:57:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175270#M31949 PhoneBoy 2023-03-17T23:57:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175271#M31950 <P>First thing I was going to suggest was to try disable sxl to see if that fixes the problem. Also, specific log entry related to it would help, just blur out any sensitive/orivate data.</P> Sat, 18 Mar 2023 00:14:09 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/TCP-State-Logging-Only-10-of-the-connections-have-a-TCP-State/m-p/175271#M31950 the_rock 2023-03-18T00:14:09Z