https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/189133#M34788 <P>Hello guys,</P><P>I'd like to ask you regarding the filtering out dropped communication which is out of state. Im trying to make custom view where I can check number of TCP out of state logs over some period of time. I got in to the point where Im seeing drops in my view but can not find any way how to filter out only out of state packets. I've tried to type "First packet isn't SYN" or "TCP packet out of state" in to the search bar but no results. When I use same query for standard logs I can filter out out of state logs.</P><P>Thanks for help</P><P>R80.40,</P><P>Appliances 6000</P><P>TAKE 197</P><P>&nbsp;</P> Thu, 10 Aug 2023 10:26:29 GMT Sajgon107 2023-08-10T10:26:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/189133#M34788 <P>Hello guys,</P><P>I'd like to ask you regarding the filtering out dropped communication which is out of state. Im trying to make custom view where I can check number of TCP out of state logs over some period of time. I got in to the point where Im seeing drops in my view but can not find any way how to filter out only out of state packets. I've tried to type "First packet isn't SYN" or "TCP packet out of state" in to the search bar but no results. When I use same query for standard logs I can filter out out of state logs.</P><P>Thanks for help</P><P>R80.40,</P><P>Appliances 6000</P><P>TAKE 197</P><P>&nbsp;</P> Thu, 10 Aug 2023 10:26:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/189133#M34788 Sajgon107 2023-08-10T10:26:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/190399#M35137 <P>Not really sure what you're showing a screenshot of here.<BR />In any case, not every field in a log is indexed, thus you cannot search or create reports on it.</P> Wed, 23 Aug 2023 22:23:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/190399#M35137 PhoneBoy 2023-08-23T22:23:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/214186#M40883 <P>I have been asked to provide the same type of reports for TCP out of sequence fields recently and believe i have the same question as the original requester here.&nbsp;&nbsp;</P> <P>Within Smartconsole itself, you can add in the columns of "TCP packet out of state" and "TCP Flags" for log searches.&nbsp;&nbsp;</P> <P>Even the problem here with this raw output is that you can't export the CSV as it directs you to use SmartView.&nbsp; &nbsp; On Smartview, these fields are not selectable (note:&nbsp; &nbsp;I have add success with 'tcp_flags:" with an exact flag; not wildcard" and a raw search of&nbsp;"First packet isn't SYN" but not with 'tcp_packet_out_of_state' field).</P> <P>In regards to whether the log field is indexed, it looks like both the 'tcp_flag' and 'tcp_packet_out_of_state' fields are indexed per this SK (<A href="https://support.checkpoint.com/results/sk/sk144192" target="_blank">https://support.checkpoint.com/results/sk/sk144192</A>).&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Is there any possibility for a user to add these two fields to use for a custom report or view?&nbsp; &nbsp; If so, is there any SK or guide i can reference?</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 14 May 2024 14:56:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/214186#M40883 Scottc98 2024-05-14T14:56:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/214239#M40893 <P>If the fields aren't available with SmartView, then it's probably an RFE to get this functionality.<BR />However, you can also use either fw log or CpLogFilePrint to do a raw ASCII dump of the logs and grep for the relevant lines.</P> Tue, 14 May 2024 21:56:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Filtering-tcp-packet-out-of-state-in-views-reports/m-p/214239#M40893 PhoneBoy 2024-05-14T21:56:42Z