topic Re: CPNotEnoughDataForRuleMatch in Firewall and Security Management

CPNotEnoughDataForRuleMatch

meliux — Mon, 27 Nov 2023 05:31:11 GMT

Since we upgraded to R81.10 we've noticed that the introduction of the "CPNotEnoughDataForRuleMatch" log entry due to sk113479, and it is now populating our logs with extra events that would otherwise not have any log entry created at all - either for a Security policy rule that is set to Track None, and/or for traffic passing through the separate Application & URL filtering policy layer where the connection is dropped by the client or server during a state of "possible match".

Question: is it possible to disable the creation of the "CPNotEnoughDataForRuleMatch" log entries for possible rule matches in 81.10?

Re: CPNotEnoughDataForRuleMatch

_Val_ — Mon, 27 Nov 2023 08:42:30 GMT

I am not sure these kinds of logs can be disabled. Are they causing you an inconvenience?

Re: CPNotEnoughDataForRuleMatch

PhoneBoy — Mon, 27 Nov 2023 14:21:01 GMT

The reason you're probably seeing this is because one or more rules are possible matches for the traffic (based on source/destination/service) that contain App Control/URLF objects in the Services column.
You may need to create an explicit rule near the top of the rulebase to permit this traffic without logging.

Re: CPNotEnoughDataForRuleMatch

the_rock — Mon, 27 Nov 2023 14:29:52 GMT

Its essentially a way of telling you that 3-way handshake is not completing properly.

Andy

Re: CPNotEnoughDataForRuleMatch

meliux — Mon, 27 Nov 2023 23:05:03 GMT

yeah, it is inconvenient because all our logs are being exported out to Splunk which has a real cost associated with it... was hoping these unnecessary logs could be removed prior to any manual filtering in the log exporter etc. We're talking millions of additional log entries that weren't there prior to 81.10.

Re: CPNotEnoughDataForRuleMatch

meliux — Mon, 27 Nov 2023 23:02:27 GMT

yep.... so can these be ignored/unlogged?

Re: CPNotEnoughDataForRuleMatch

the_rock — Mon, 27 Nov 2023 23:12:33 GMT

Thats what TAC told me couple of years back, correct.

Andy

Re: CPNotEnoughDataForRuleMatch

CheckPointerXL — Fri, 01 Dec 2023 23:42:22 GMT

Yes, that's the only workaround that it worked for me (sometimes not)

Re: CPNotEnoughDataForRuleMatch

PhoneBoy — Fri, 01 Dec 2023 23:44:46 GMT

If multiple ordered layers are used, make sure to check each layer to ensure the rule that matches the relevant traffic does not include logging.

Re: CPNotEnoughDataForRuleMatch

rzsuarez — Thu, 14 Mar 2024 09:18:06 GMT

Should the URL Filtering /App Control be inside the Internet Layer or not?

Re: CPNotEnoughDataForRuleMatch

PhoneBoy — Thu, 14 Mar 2024 15:19:54 GMT

Depends on how your layers are constructed.
A top-level "Firewall Only" layer with one or more inline layers with App Control/URL Filtering enabled is an approach I've used/recommended, particularly for customer moving from R7x releases where there were separate policies (layers) for Firewall and App Control/URL Filtering.