topic Re: Separate log record for each packet of ping / ICMP / Echo in Firewall and Security Management

Separate log record for each packet of ping / ICMP / Echo

Emil_T — Thu, 02 Nov 2023 09:30:42 GMT

The scenario: multiple pings / icmp / echo requests sent via checkpoint firewall,

The need: Log each request separately

Questions:

Should I expect a separate log record for each ping / ICMP / Echo in traffic logs?
What configuration may be used regarding this topic and what would be the impact? For example icmp virtual session timeout
How can I configure the firewall to log every request?

Thx

Re: Separate log record for each packet of ping / ICMP / Echo

Bob_Zimmerman — Thu, 02 Nov 2023 13:33:55 GMT

No, you shouldn't expect a log for each request.
Yes, the timeout which controls this is Global Properties > Stateful Inspection > ICMP virtual session timeout. Note that it is in integer seconds, and there is no way to specify fractional seconds.
There is no good way to cause the firewall to log every ICMP packet.

Why do you think you need to do this? It seems like a very strange goal.

Re: Separate log record for each packet of ping / ICMP / Echo

Chris_Atkinson — Thu, 02 Nov 2023 13:36:28 GMT

As above I wouldn't recommend this, why is it a requirement for you?

Re: Separate log record for each packet of ping / ICMP / Echo

Timothy_Hall — Thu, 02 Nov 2023 14:56:45 GMT

Having a separate log for every ICMP packet that is part of the same ping tracked "session" is not generally something that you want; keep in mind that setting Accounting on the rule matching the ping traffic would give you byte and packet totals for the duration of the ping session.

However you could make sure that echo-request is freely allowed by your Access Control policy, then in Threat Prevention create a custom Indicator for ABOT that will match the ping traffic you want (by IP address or whatever) and have it issue a log (and even grab a packet capture) for each ICMP packet. However this could substantially increase the logging load on the firewall and I'd not recommend trying it.

Re: Separate log record for each packet of ping / ICMP / Echo

PhoneBoy — Thu, 02 Nov 2023 18:20:47 GMT

Do not expect more than one log per minute for any given connection attempt, regardless of method, without adjusting the Excessive Log Grace Period in Global Properties:

This applies to every type of connection and goes back to the very earliest days of the product.
Any change to this will require a policy installation.
Adjusting this parameter too low will likely have a performance impact and it's not recommended.

Re: Separate log record for each packet of ping / ICMP / Echo

Emil_T — Thu, 02 Nov 2023 20:35:27 GMT

I need this to troubleshoot and analyze network issues that recently occurred.

I need to see whether each echo request sent from server, arrived and allowed via the firewall.

Re: Separate log record for each packet of ping / ICMP / Echo

Chris_Atkinson — Fri, 03 Nov 2023 04:08:49 GMT

Other tools such as fw monitor / cppcap / tcpdump might be more helpful in this context.

Re: Separate log record for each packet of ping / ICMP / Echo

Emil_T — Fri, 03 Nov 2023 20:49:27 GMT

Yes, but such tools are only useful AFTER the you know what to look for. What I needed in this case is backward logs.